FlagThis

A new phishing-as-a-service (PhaaS) platform, dubbed "Rockstar 2FA," is targeting Microsoft 365 accounts, utilizing adversary-in-the-middle (AiTM) attacks to bypass multi-factor authentication (MFA). This sophisticated platform, an updated version of the DadSec/Phoenix kit, allows attackers to intercept user credentials and session cookies, granting them unauthorized access even when MFA is enabled. Rockstar 2FA is being advertised through various online channels, including Telegram and ICQ, with subscription costs starting at $200 for a two-week period.

The platform's functionality includes features such as two-factor authentication bypass, cookie harvesting, and antibot protection, making it particularly dangerous for organizations relying on MFA as their primary security measure. Attackers use various initial access vectors such as URLs, QR codes, and document attachments embedded within emails from compromised accounts or spamming tools, utilizing diverse lure templates to increase their chances of success. The phishing pages are designed to closely resemble legitimate Microsoft 365 login pages, adding to the deception.

Trustwave researchers have identified Rockstar 2FA's use of legitimate services like Atlassian Confluence, Google Docs Viewer, and Microsoft OneDrive to host phishing links, emphasizing the attackers' ability to exploit trust in well-known platforms. This highlights the evolving nature of phishing attacks and the need for robust security measures beyond MFA, including regular security awareness training for employees to recognize and avoid sophisticated phishing attempts. The increasing sophistication and accessibility of such PhaaS platforms pose a significant threat to organizations and individuals alike.

ImgSrc: www.bleepstatic.com

References:

• The Hacker News - The Hacker News discusses the Rockstar 2FA Phishing-as-a-Service platform that targets Microsoft 365 accounts. - 26d
• Over Security - BleepingComputer reports on the new Rockstar 2FA phishing service targeting Microsoft 365 accounts. - 26d
• Security Affairs - SecurityAffairs details the prevalence of the Rockstar 2FA phishing toolkit and its use of AiTM attacks. - 26d
• @BleepingComputer - Infosec.exchange shares the BleepingComputer article about the Rockstar 2FA phishing attacks. - 26d
• SpiderLabs Blog - Trustwave's SpiderLabs blog analyzes the Rockstar 2FA phishing kit and its techniques. - 26d
• Techopedia - Techopedia news about Rockstar 2FA and its impact on Microsoft 365 MFA. - 26d
• Security Risk Advisors - Rockstar 2FA Phishing Kit Steals Microsoft Credentials Through AiTM Attacks - 26d
• @BleepingComputer - News about a new phishing-as-a-service platform named 'Rockstar 2FA' that facilitates large-scale adversary-in-the-middle attacks. - 26d
• DataBreaches.Net - DataBreaches.net shares a news story about the new phishing service Rockstar 2FA targeting Microsoft 365 accounts. - 24d
• Malware Analysis, News and Indicators - Microsoft 365 credentials stolen via adversary-in-the-middle campaign - 23d
• SCM feed for Security Strategy, Plan, Budget - Microsoft 365 credentials stolen via adversary-in-the-middle campaign - 23d

Classification:

• HashTags: Rockstar2FA Phishing Microsoft365
• Company: Microsoft
• Target: Microsoft 365 Users
• Product: Microsoft 365
• Feature: Credential Theft
• Type: Phishing
• Severity: Medium