The recent actions taken by Microsoft’s Digital Crimes Unit (DCU) have led to the seizure of 240 fraudulent websites connected to an Egypt-based cybercrime facilitator known as Abanoub Nady, who operated under the online alias “MRxC0DER.” Nady was involved in the development and sale of “do it yourself” phish kits, using the brand name “ONNX” to market these illicit services. These kits were purchased by numerous cybercriminals and threat actors who utilized them in large-scale phishing campaigns to compromise Microsoft customer accounts, particularly targeting the financial services industry due to the sensitive nature of the data and transactions involved.
Phishing emails generated from these kits were a significant component of the millions of phishing messages detected by Microsoft on a monthly basis. The ONNX operation was part of the wider “Phishing-as-a-Service” industry, ranking among the top five providers of phish kits by email volume in the first half of 2024. By disrupting these operations, DCU aims to safeguard customers from various downstream threats such as financial fraud, data breaches, and ransomware attacks.
The fraudulent ONNX scheme exemplifies the evolving landscape of cyber threats, with cybercriminals employing sophisticated techniques like “adversary-in-the-middle” (AiTM) phishing tactics. These AiTM attacks involve intercepting network communications to steal user credentials and cookies for unauthorized access, circumventing Multifactor Authentication defenses. Reports from organizations like FINRA have highlighted the surge in AiTM attacks associated with the ONNX operation, employing methods like QR code phishing (quishing) to deceive users and bypass security protocols.
Microsoft’s collaboration with LF (Linux Foundation) Projects, LLC, the trademark holder of the genuine “ONNX” branding, underscores the collective effort to protect online users from malicious activities. By taking legal action against Abanoub Nady and publicly naming him as the leader of the fraudulent ONNX operation, DCU aims to deter cybercriminals from exploiting legitimate branding for illicit purposes. The Civil Court order unsealed in the Eastern District of Virginia redirects the malicious infrastructure to Microsoft, cutting off access for threat actors and preventing future phishing attacks.
While this action disrupts the fraudulent ONNX’s operations, continuous vigilance is required to combat evolving cyber threats. Organizations and individuals must remain informed and implement robust security measures to mitigate risks. Collaboration across sectors is essential to effectively combat cybercrime and create a safer digital environment. Microsoft’s DCU remains committed to leveraging innovative strategies to protect users online and collaborate globally to combat cyber threats.