
ONNX MFA Bypass Targets Microsoft 365 Accounts


Security analysts have uncovered a sophisticated phishing-as-a-service (PhaaS) operation that specifically targets Microsoft 365 accounts at financial institutions. The operation combines a two-factor authentication (2FA) bypass, QR codes, and other evasion techniques to carry out business email compromise (BEC) attacks with a high success rate.

According to researchers from EclecticIQ, the phishing campaign was detected in February and was aimed at various financial organizations, including banks, private funding firms, and credit union service providers across the Americas and Europe, Middle East, and Africa (EMEA) regions. The threat actors behind this campaign were found to be using embedded QR codes in PDF attachments to redirect unsuspecting victims to phishing URLs.

Further investigation led EclecticIQ to trace the origin of the campaign to a PhaaS platform called ONNX Store, which operates through a user-friendly interface accessible via Telegram bots. One of the key features of the ONNX service is a 2FA bypass mechanism that intercepts 2FA requests using encrypted JavaScript code, making detection more challenging and increasing the success rate of attacks. Additionally, the phishing pages deployed in these attacks employ typosquatting to closely mimic Microsoft 365 login interfaces, deceiving users into revealing their authentication details.

The phishing operation involves a scenario where victims receive emails containing HR-related PDF documents, such as employee handbooks or salary slips, purportedly from a legitimate source. These documents contain QR codes that, once scanned, direct victims to a phishing landing page designed to collect login credentials and 2FA authentication codes. The attackers then use the stolen information in real-time to gain unauthorized access to the victims’ Microsoft 365 accounts.

The use of QR codes in these attacks is particularly effective in bypassing endpoint detection measures, as many organizations lack the capability to monitor and prevent threats originating from employees’ mobile devices. Additionally, the phishing kit used in these attacks incorporates encrypted JavaScript code that decrypts itself during page load, making it challenging for anti-phishing scanners to detect and analyze the malicious code.

To mitigate the threat posed by the ONNX phishing attacks, EclecticIQ recommends that organizations block PDF or HTML attachments from unverified sources, educate employees on the risks of scanning QR codes from unknown sources, and implement Domain Name System Security Extensions (DNSSEC) to protect against typosquatting domains. Defenders can further strengthen their posture by rolling out FIDO2 hardware security keys for 2FA, setting short expiration times for login tokens, and using security monitoring tools to detect and respond to unusual activity.
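One way to implement the first of those recommendations at the mail gateway, as an added example that is not code from EclecticIQ or the article: a Python triage routine that quarantines PDF/HTML attachments unless the receiving MTA recorded a DMARC pass in the Authentication-Results header. The message, domains and header values below are constructed for illustration, and treating anything other than dmarc=pass as unverified is an assumption of this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types the advisory says to block when the sender is unverified.
RISKY_TYPES = {"application/pdf", "text/html", "application/xhtml+xml"}
RISKY_EXTENSIONS = (".pdf", ".html", ".htm")

def sender_verified(msg: EmailMessage) -> bool:
    # Verified only if our own MTA recorded dmarc=pass (RFC 8601 header).
    # No header or any other result fails closed: a deliberate simplification.
    for header in msg.get_all("Authentication-Results", []):
        if re.search(r"\bdmarc=pass\b", str(header).lower()):
            return True
    return False

def risky_attachments(msg: EmailMessage) -> list[str]:
    # Match declared type and extension; lures often arrive as octet-stream.
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in RISKY_TYPES or name.endswith(RISKY_EXTENSIONS):
            found.append(name or f"<unnamed {part.get_content_type()}>")
    return found

def triage(raw: bytes) -> dict:
    # Quarantine when a risky attachment arrives from an unverified sender.
    msg = email.message_from_bytes(raw, policy=policy.default)
    risky, verified = risky_attachments(msg), sender_verified(msg)
    return {"verified": verified, "risky": risky, "quarantine": bool(risky) and not verified}

# Constructed sample, not a real capture: an "employee handbook" PDF lure from a
# look-alike domain that failed SPF and DMARC at the receiving gateway.
SAMPLE_LURE = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=hr@example-payroll.test;
 dkim=none; dmarc=fail header.from=example-payroll.test
From: HR <hr@example-payroll.test>
Subject: Updated employee handbook
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="handbook.pdf"
Content-Disposition: attachment; filename="handbook.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
```

Calling `triage(SAMPLE_LURE)` flags `handbook.pdf` and quarantines the message; the same message with `dmarc=pass` is delivered, so the check gates on sender authentication rather than on attachment type alone.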

Overall, the emergence of this sophisticated phishing-as-a-service operation underscores the importance of implementing robust cybersecurity measures within financial institutions to detect and prevent such attacks effectively. By staying vigilant and employing proactive security strategies, organizations can strengthen their defenses against evolving cyber threats and safeguard their sensitive data from unauthorized access.
