Report Identifies Rise in Phishing-as-a-Service Attacks

Cybersecurity researchers at Trustwave are warning about a surge in malicious e-mail campaigns leveraging Rockstar 2FA, a phishing-as-a-service (PhaaS) toolkit designed to steal Microsoft 365 credentials.

The tool poses a significant threat, bypassing multifactor authentication (MFA) protections, even for users with enhanced security measures in place. These campaigns have been aimed at popular services, including Microsoft OneDrive, OneNote, Dynamics 365 Customer Voice, Atlassian Confluence, and Google Docs Viewer, to host malicious links or redirect users to phishing sites.

"This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable," wrote Diana Solomon and John Kevin Adriano at security firm Trustwave."Microsoft user accounts are the prime target of these campaigns, as target users will be redirected to landing pages designed to mimic Microsoft 365 (O365) login pages."

Rockstar 2FA represents a more advanced iteration of the DadSec, or Phoenix, phishing kit, researchers said. Microsoft has identified the cybercriminal group behind the toolkit as Storm-1575. Marketed on platforms such as ICQ, Telegram, and Mail.ru, the phishing-as-a-service offering is available through a subscription model.

The toolkit is designed to bypass multifactor authentication (MFA) and harvest session cookies, while incorporating features to evade detection, such as antibot measures and fully undetectable phishing links. It also allows users to customize phishing themes and integrate their campaigns with Telegram bots, making it a malicious tool that needs very little technical knowledge.

The phishing kit evades antispam filters by using obfuscated links hosted on reputable platforms such as Microsoft OneDrive, Google Docs Viewer, and Atlassian Confluence. It also incorporates Cloudflare Turnstile antibot checks to prevent automated analysis of its phishing pages.

Once victims are redirected, they encounter fake login portals designed to mimic legitimate sites. Credentials entered on these pages are captured and sent to an AiTM server, where attackers can use the stolen information to hijack accounts by accessing session cookies.

In one example, Trustwave outlined an attack campaign against Microsoft OneNote users, where a seemingly legitimate e-mail is sent to victims. Here's how it works:

The text seen in the e-mail body is actually contained in an image. The image is anchored with a link to a OneNote document hosted on the 1drv[.]ms domain. This image-based approach helps attackers evade text-based detection mechanisms. This is a common technique that is still seen in phishing samples today.

Users will be redirected to a OneNote page entitled "Complete Document for Review". This webpage displays an Adobe PDF logo and a text hyperlink that leads to the phishing landing page.

Trustwave's conclusion found that the rise of PhaaS platforms like Rockstar 2FA demonstrates the increasing sophistication and accessibility of phishing campaigns. These tools are enabling widespread credential theft and subsequent attacks, such as business e-mail compromise.
According to the security firm, organizations are encouraged to:

  • Strengthen e-mail filtering and detection systems.
  • Educate employees on phishing tactics and social engineering.
  • Use behavioral analytics to identify unusual account activity.

For more information, visit the Trustwave blog.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • Training the Next Generation of Space Cybersecurity Experts

    CT asked Scott Shackelford, Indiana University professor of law and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance, about the possible emergence of space cybersecurity as a separate field that would support changing practices and foster future space cybersecurity leaders.

  • modern college building with circuit and brain motifs

    Anthropic Launches Claude for Education

    Anthropic has announced a version of its Claude AI assistant tailored for higher education institutions. Claude for Education "gives academic institutions secure, reliable AI access for their entire community," the company said, to enable colleges and universities to develop and implement AI-enabled approaches across teaching, learning, and administration.

  • AI microchip, a cybersecurity shield with a lock, a dollar coin, and a laptop with financial graphs connected by dotted lines

    Survey: Generative AI Surpasses Cybersecurity in 2025 Tech Budgets

    Global IT leaders are placing bigger bets on generative artificial intelligence than cybersecurity in 2025, according to new research by Amazon Web Services (AWS).

  • university building surrounded by icons for AI, checklists, and data governance

    Improving AI Governance for Stronger University Compliance and Innovation

    AI can generate valuable insights for higher education institutions and it can be used to enhance the teaching process itself. The caveat is that this can only be achieved when universities adopt a strategic and proactive set of data and process management policies for their use of AI.