Phishing-as-a-Service Attacks on the Rise, Report Warns

Cybersecurity researchers at Trustwave have identified a surge in malicious e-mail campaigns leveraging Rockstar 2FA, a phishing-as-a-service (PhaaS) toolkit designed to steal Microsoft 365 credentials.

The tool poses a significant threat, bypassing multifactor authentication (MFA) protections, even for users with enhanced security measures in place. These campaigns have been aimed at popular services, including Microsoft OneDrive, OneNote, Dynamics 365 Customer Voice, Atlassian Confluence, and Google Docs Viewer, to host malicious links or redirect users to phishing sites.

"This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable," wrote Diana Solomon and John Kevin Adriano at security firm Trustwave."Microsoft user accounts are the prime target of these campaigns, as target users will be redirected to landing pages designed to mimic Microsoft 365 (O365) login pages."

Rockstar 2FA represents a more advanced iteration of the DadSec, or Phoenix, phishing kit, researchers said. Microsoft has identified the cybercriminal group behind the toolkit as Storm-1575. Marketed on platforms such as ICQ, Telegram, and Mail.ru, the phishing-as-a-service offering is available through a subscription model.

The toolkit is designed to bypass multifactor authentication (MFA) and harvest session cookies, while incorporating features to evade detection, such as antibot measures and fully undetectable phishing links. It also allows users to customize phishing themes and integrate their campaigns with Telegram bots, making it a malicious tool that needs very little technical knowledge.

The phishing kit evades antispam filters by using obfuscated links hosted on reputable platforms such as Microsoft OneDrive, Google Docs Viewer, and Atlassian Confluence. It also incorporates Cloudflare Turnstile antibot checks to prevent automated analysis of its phishing pages.

Once victims are redirected, they encounter fake login portals designed to mimic legitimate sites. Credentials entered on these pages are captured and sent to an AiTM server, where attackers can use the stolen information to hijack accounts by accessing session cookies.

In one example, Trustwave outlined an attack campaign against Microsoft OneNote users, where a seemingly legitimate e-mail is sent to victims. Here's how it works:

The text seen in the e-mail body is actually contained in an image. The image is anchored with a link to a OneNote document hosted on the 1drv[.]ms domain. This image-based approach helps attackers evade text-based detection mechanisms. This is a common technique that is still seen in phishing samples today.

Users will be redirected to a OneNote page entitled "Complete Document for Review". This webpage displays an Adobe PDF logo and a text hyperlink that leads to the phishing landing page.

Trustwave's conclusion found that the rise of PhaaS platforms like Rockstar 2FA demonstrates the increasing sophistication and accessibility of phishing campaigns. These tools are enabling widespread credential theft and subsequent attacks, such as business e-mail compromise.
According to the security firm, organizations are encouraged to:

  • Strengthen e-mail filtering and detection systems.
  • Educate employees on phishing tactics and social engineering.
  • Use behavioral analytics to identify unusual account activity.

For more information, read the Trustwave blog.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • abstract smartphone translucent screen displaying AI interface

    Apple Unveils Redesigned Siri AI

    At its recent Worldwide Developers Conference, Apple announced Siri AI, a redesigned version of its voice assistant that Apple describes in its own announcement as "a profoundly more capable and personal assistant." The update is intended to make Siri more conversational, more context-aware, and more useful across iPhone, iPad, Mac, Apple Watch, and Vision Pro.

  • closeup of hands using smartphone to talk with ai chatbot

    Novakid Launches AI App for English-Speaking Practice

    Novakid, an online English learning platform for children, has launched NovaPals, an AI-powered conversational app for independent English-speaking practice.

  • abstract agentic ai data streams

    Rubrik Brings Agentic AI to Its Flagship Cyber Resilience Platform

    Rubrik has introduced Rubrik AI, positioning the company's cyber resilience platform around agentic operations across data, identity, and AI infrastructure.

  • Wi-Fi icon on dark blue circuit background

    FCC to Conduct 'Top-to-Bottom' Review of E-Rate Program

    The FCC is laying the groundwork for a comprehensive review of its E-Rate program, the federal initiative that provides K–12 schools and public libraries with discounts on internet, WiFi, and telecommunications services to ensure equitable digital access.