Phishing-as-a-Service Attacks on the Rise, Report Warns

Cybersecurity researchers at Trustwave have identified a surge in malicious e-mail campaigns leveraging Rockstar 2FA, a phishing-as-a-service (PhaaS) toolkit designed to steal Microsoft 365 credentials.

The tool poses a significant threat, bypassing multifactor authentication (MFA) protections, even for users with enhanced security measures in place. These campaigns have been aimed at popular services, including Microsoft OneDrive, OneNote, Dynamics 365 Customer Voice, Atlassian Confluence, and Google Docs Viewer, to host malicious links or redirect users to phishing sites.

"This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable," wrote Diana Solomon and John Kevin Adriano at security firm Trustwave."Microsoft user accounts are the prime target of these campaigns, as target users will be redirected to landing pages designed to mimic Microsoft 365 (O365) login pages."

Rockstar 2FA represents a more advanced iteration of the DadSec, or Phoenix, phishing kit, researchers said. Microsoft has identified the cybercriminal group behind the toolkit as Storm-1575. Marketed on platforms such as ICQ, Telegram, and Mail.ru, the phishing-as-a-service offering is available through a subscription model.

The toolkit is designed to bypass multifactor authentication (MFA) and harvest session cookies, while incorporating features to evade detection, such as antibot measures and fully undetectable phishing links. It also allows users to customize phishing themes and integrate their campaigns with Telegram bots, making it a malicious tool that needs very little technical knowledge.

The phishing kit evades antispam filters by using obfuscated links hosted on reputable platforms such as Microsoft OneDrive, Google Docs Viewer, and Atlassian Confluence. It also incorporates Cloudflare Turnstile antibot checks to prevent automated analysis of its phishing pages.

Once victims are redirected, they encounter fake login portals designed to mimic legitimate sites. Credentials entered on these pages are captured and sent to an AiTM server, where attackers can use the stolen information to hijack accounts by accessing session cookies.

In one example, Trustwave outlined an attack campaign against Microsoft OneNote users, where a seemingly legitimate e-mail is sent to victims. Here's how it works:

The text seen in the e-mail body is actually contained in an image. The image is anchored with a link to a OneNote document hosted on the 1drv[.]ms domain. This image-based approach helps attackers evade text-based detection mechanisms. This is a common technique that is still seen in phishing samples today.

Users will be redirected to a OneNote page entitled "Complete Document for Review". This webpage displays an Adobe PDF logo and a text hyperlink that leads to the phishing landing page.

Trustwave's conclusion found that the rise of PhaaS platforms like Rockstar 2FA demonstrates the increasing sophistication and accessibility of phishing campaigns. These tools are enabling widespread credential theft and subsequent attacks, such as business e-mail compromise.
According to the security firm, organizations are encouraged to:

  • Strengthen e-mail filtering and detection systems.
  • Educate employees on phishing tactics and social engineering.
  • Use behavioral analytics to identify unusual account activity.

For more information, read the Trustwave blog.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • students using digital devices, surrounded by abstract AI motifs and soft geometric design

    Ed Tech Startup Kira Launches AI-Native Learning Platform

    A new K-12 learning platform aims to bring personalized education to every student. Kira, one of the latest ed tech ventures from Andrew Ng, former director of Stanford's AI Lab and co-founder of Coursera and DeepLearning.AI, "integrates artificial intelligence directly into every educational workflow — from lesson planning and instruction to grading, intervention, and reporting," according to a news announcement.

  • toolbox featuring a circuit-like AI symbol and containing a screwdriver, wrench, and hammer

    Microsoft Launches AI Tools for Educators

    Microsoft has introduced a variety of AI tools aimed at helping educators develop personalized learning experiences for their students, create content more efficiently, and increase student engagement.

  • laptop displaying a red padlock icon sits on a wooden desk with a digital network interface background

    Reports Point to Domain Controllers as Prime Ransomware Targets

    A recent report from Microsoft reinforces warns of the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.

  • Two hands shaking in the center with subtle technology icons, graphs, binary code, and a padlock in the dark blue background

    Two Areas for K-12 Schools to Assess for When to Work with a Managed Services Provider

    The complexity of today’s IT network infrastructure and increased cybersecurity risk are quickly moving beyond many school districts’ ability to manage on their own. But a new technology model, a partnership with a managed services provider, offers a way forward for schools to overcome these challenges.