Report Identifies Rise in Phishing-as-a-Service Attacks

• By Chris Paoli
• 12/03/24

Cybersecurity researchers at Trustwave are warning about a surge in malicious e-mail campaigns leveraging Rockstar 2FA, a phishing-as-a-service (PhaaS) toolkit designed to steal Microsoft 365 credentials.

The tool poses a significant threat, bypassing multifactor authentication (MFA) protections, even for users with enhanced security measures in place. These campaigns have been aimed at popular services, including Microsoft OneDrive, OneNote, Dynamics 365 Customer Voice, Atlassian Confluence, and Google Docs Viewer, to host malicious links or redirect users to phishing sites.

"This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable," wrote Diana Solomon and John Kevin Adriano at security firm Trustwave."Microsoft user accounts are the prime target of these campaigns, as target users will be redirected to landing pages designed to mimic Microsoft 365 (O365) login pages."

Rockstar 2FA represents a more advanced iteration of the DadSec, or Phoenix, phishing kit, researchers said. Microsoft has identified the cybercriminal group behind the toolkit as Storm-1575. Marketed on platforms such as ICQ, Telegram, and Mail.ru, the phishing-as-a-service offering is available through a subscription model.

The toolkit is designed to bypass multifactor authentication (MFA) and harvest session cookies, while incorporating features to evade detection, such as antibot measures and fully undetectable phishing links. It also allows users to customize phishing themes and integrate their campaigns with Telegram bots, making it a malicious tool that needs very little technical knowledge.

The phishing kit evades antispam filters by using obfuscated links hosted on reputable platforms such as Microsoft OneDrive, Google Docs Viewer, and Atlassian Confluence. It also incorporates Cloudflare Turnstile antibot checks to prevent automated analysis of its phishing pages.

Once victims are redirected, they encounter fake login portals designed to mimic legitimate sites. Credentials entered on these pages are captured and sent to an AiTM server, where attackers can use the stolen information to hijack accounts by accessing session cookies.

In one example, Trustwave outlined an attack campaign against Microsoft OneNote users, where a seemingly legitimate e-mail is sent to victims. Here's how it works:

The text seen in the e-mail body is actually contained in an image. The image is anchored with a link to a OneNote document hosted on the 1drv[.]ms domain. This image-based approach helps attackers evade text-based detection mechanisms. This is a common technique that is still seen in phishing samples today.

Users will be redirected to a OneNote page entitled "Complete Document for Review". This webpage displays an Adobe PDF logo and a text hyperlink that leads to the phishing landing page.

Trustwave's conclusion found that the rise of PhaaS platforms like Rockstar 2FA demonstrates the increasing sophistication and accessibility of phishing campaigns. These tools are enabling widespread credential theft and subsequent attacks, such as business e-mail compromise.
According to the security firm, organizations are encouraged to:

• Strengthen e-mail filtering and detection systems.
• Educate employees on phishing tactics and social engineering.
• Use behavioral analytics to identify unusual account activity.

For more information, visit the Trustwave blog.