ONNX Phishing Service Targets Microsoft 365 Accounts at Financial Firms

Summary:
A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts of employees at financial firms using QR codes embedded in PDF attachments. The platform, which can target both Microsoft 365 and Office 365 email accounts, operates via Telegram bots and includes mechanisms to bypass two-factor authentication (2FA). Researchers at EclecticIQ, who discovered this activity, believe that ONNX is a rebranded version of the Caffeine phishing kit managed by the Arabic-speaking threat actor MRxC0DER. The Caffeine platform was originally discovered by Mandiant in October 2022, when it was targeting Russian and Chinese platforms instead of Western services.

ONNX Store's attacks were first observed in February 2024, distributing phishing emails with PDF attachments containing malicious QR codes aimed at employees at banks, credit union service providers, and private funding firms. These emails impersonate human resources (HR) departments and use salary updates as lures to open the PDFs, which are themed after Adobe or Microsoft. Because the phishing URL is carried inside an image rather than as a clickable link, scanning the QR code on a mobile device sidesteps the phishing protections applied to the email, leading victims to phishing pages that mimic the legitimate Microsoft 365 login interface. The phishing site captures the login credentials and 2FA tokens entered by the victim in real time, relaying them to the attackers via WebSockets so the account can be hijacked before the authentication token expires. Attackers can then access the compromised email accounts to exfiltrate sensitive information or sell the credentials on the dark web.

Security Officer Comments:
ONNX Store is a sophisticated and cost-effective platform for cybercriminals, featuring an intuitive interface managed through Telegram bots, customizable Microsoft Office 365 phishing templates, and encrypted JavaScript code that decrypts itself during page load to evade detection. The platform also uses Cloudflare services to prevent domain takedowns and includes anti-bot CAPTCHA and IP proxying. Additionally, it offers bulletproof hosting and remote desktop protocol (RDP) services for secure campaign management. ONNX Store offers four subscription tiers: Webmail Normal ($150/month), Office Normal ($200/month), Office Redirect ($200/month), and Office 2FA Cookie Stealer ($400/month), each providing varying levels of functionality, including customizable text elements, true login, OTP, dynamic codes, and 2FA cookie capturing. This makes ONNX Store a significant threat to Microsoft 365 account holders, especially those in the financial services sector.

Suggested Corrections:
To protect against ONNX Store's phishing attacks, admins should block PDF and HTML attachments from unverified sources, block access to HTTPS websites with untrusted or expired certificates, and set up FIDO2 hardware security keys for high-risk, privileged accounts. EclecticIQ has also shared YARA rules in its report to help detect malicious PDF files that contain QR codes leading to phishing URLs.
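The reason FIDO2 keys are recommended over OTP-based 2FA here is that the relayed-token attack described above depends on the second factor being origin-agnostic. The following added illustration (not from the EclecticIQ report or the ONNX kit) models the difference: a relayed OTP is accepted, while a FIDO2-style assertion signed on the look-alike domain fails the relying party's origin check. All origins and keys are constructed, and an HMAC stands in for the real public-key signature.

```python
import hashlib
import hmac
import json

RP_ORIGIN = "https://login.example"          # constructed: the genuine sign-in origin
PHISH_ORIGIN = "https://login-example.test"  # constructed: origin of the look-alike page
CREDENTIAL_KEY = b"constructed-demo-key"     # simplification: HMAC key instead of a key pair
EXPECTED_OTP = "482913"                      # constructed: the OTP the RP currently expects


def authenticator_sign(origin: str, challenge: str) -> dict:
    """Model of a FIDO2 authenticator. The browser supplies the origin of the
    page it is actually on, and that origin is covered by the signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    to_sign = hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def rp_verify_fido(assertion: dict, challenge: str) -> bool:
    """Relying-party check: origin and challenge must match before the
    signature is even considered, so a relayed assertion is rejected."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
        return False
    expected = hmac.new(
        CREDENTIAL_KEY, hashlib.sha256(assertion["client_data"]).digest(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def rp_verify_otp(code: str) -> bool:
    """An OTP carries no information about where the user typed it."""
    return hmac.compare_digest(code, EXPECTED_OTP)


def relayed_otp_accepted(code_typed_on_phish_page: str) -> bool:
    """The proxy forwards the victim's code unchanged; the RP cannot tell."""
    return rp_verify_otp(code_typed_on_phish_page)


def relayed_fido_accepted(origin_victim_is_on: str, rp_challenge: str) -> bool:
    """The proxy obtains the RP's real challenge and forwards the victim's
    assertion unchanged; the embedded origin gives the relay away."""
    return rp_verify_fido(authenticator_sign(origin_victim_is_on, rp_challenge), rp_challenge)
```

The OTP path succeeds for the proxy, while the same relay of a FIDO2 assertion fails, which is exactly the property the hardware-key recommendation relies on.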


Link(s):
https://www.bleepingcomputer.com/ne...ts-microsoft-365-accounts-at-financial-firms/