Report Identifies Rise in Phishing-as-a-Service Attacks

Cybersecurity researchers at Trustwave are warning about a surge in malicious e-mail campaigns leveraging Rockstar 2FA, a phishing-as-a-service (PhaaS) toolkit designed to steal Microsoft 365 credentials.

The tool poses a significant threat, bypassing multifactor authentication (MFA) protections, even for users with enhanced security measures in place. These campaigns have been aimed at popular services, including Microsoft OneDrive, OneNote, Dynamics 365 Customer Voice, Atlassian Confluence, and Google Docs Viewer, to host malicious links or redirect users to phishing sites.

"This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable," wrote Diana Solomon and John Kevin Adriano at security firm Trustwave."Microsoft user accounts are the prime target of these campaigns, as target users will be redirected to landing pages designed to mimic Microsoft 365 (O365) login pages."

Rockstar 2FA represents a more advanced iteration of the DadSec, or Phoenix, phishing kit, researchers said. Microsoft has identified the cybercriminal group behind the toolkit as Storm-1575. Marketed on platforms such as ICQ, Telegram, and Mail.ru, the phishing-as-a-service offering is available through a subscription model.

The toolkit is designed to bypass multifactor authentication (MFA) and harvest session cookies, while incorporating features to evade detection, such as antibot measures and fully undetectable phishing links. It also allows users to customize phishing themes and integrate their campaigns with Telegram bots, making it a malicious tool that needs very little technical knowledge.

The phishing kit evades antispam filters by using obfuscated links hosted on reputable platforms such as Microsoft OneDrive, Google Docs Viewer, and Atlassian Confluence. It also incorporates Cloudflare Turnstile antibot checks to prevent automated analysis of its phishing pages.

Once victims are redirected, they encounter fake login portals designed to mimic legitimate sites. Credentials entered on these pages are captured and sent to an AiTM server, where attackers can use the stolen information to hijack accounts by accessing session cookies.

In one example, Trustwave outlined an attack campaign against Microsoft OneNote users, where a seemingly legitimate e-mail is sent to victims. Here's how it works:

The text seen in the e-mail body is actually contained in an image. The image is anchored with a link to a OneNote document hosted on the 1drv[.]ms domain. This image-based approach helps attackers evade text-based detection mechanisms. This is a common technique that is still seen in phishing samples today.

Users will be redirected to a OneNote page entitled "Complete Document for Review". This webpage displays an Adobe PDF logo and a text hyperlink that leads to the phishing landing page.

Trustwave's conclusion found that the rise of PhaaS platforms like Rockstar 2FA demonstrates the increasing sophistication and accessibility of phishing campaigns. These tools are enabling widespread credential theft and subsequent attacks, such as business e-mail compromise.
According to the security firm, organizations are encouraged to:

  • Strengthen e-mail filtering and detection systems.
  • Educate employees on phishing tactics and social engineering.
  • Use behavioral analytics to identify unusual account activity.

For more information, visit the Trustwave blog.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • The AI Show

    Register for Free to Attend the World's Greatest Show for All Things AI in EDU

    The AI Show @ ASU+GSV, held April 5–7, 2025, at the San Diego Convention Center, is a free event designed to help educators, students, and parents navigate AI's role in education. Featuring hands-on workshops, AI-powered networking, live demos from 125+ EdTech exhibitors, and keynote speakers like Colin Kaepernick and Stevie Van Zandt, the event offers practical insights into AI-driven teaching, learning, and career opportunities. Attendees will gain actionable strategies to integrate AI into classrooms while exploring innovations that promote equity, accessibility, and student success.

  • illustrated university campus with modern buildings, glowing binary code streaming straight and dynamically from multiple directions, integrated into the architecture, surrounded by stylized trees, grass, and walkways

    3 Ways Institutions Can Become Data-Driven Organizations

    Faced with declining enrollments and changing demographics, colleges and universities must make use of data and analytics to better serve students.

  • NVIDIA DGX line

    NVIDIA Intros Personal AI Supercomputers

    NVIDIA has introduced a new lineup of AI-powered computing solutions designed to accelerate enterprise workloads.

  • digital network with glowing blue and red lines, featuring multiple red arrows shifting in different directions

    Report: Attackers Change Tactics as Ransomware Payoffs Decline

    Attackers are changing tactics as they collect less money from ransomware payoffs, according to a new report from Chainalysis, a blockchain analytics firm.