Researchers have uncovered a sophisticated phishing marketplace, the ONNX Store, which provides cybercriminals with advanced tools to hijack Microsoft 365 accounts.
Alarmingly, these tools include methods for bypassing two-factor authentication (2FA), a critical security measure that many organizations rely on to protect sensitive information.
This discovery underscores the urgent need for corporate information security teams to bolster their defenses with robust anti-phishing protections.
The Mechanics of the Attack
According to Kaspersky's report, the ONNX Store's phishing tools have been used in targeted attacks against employees of financial institutions.
The attack begins with a seemingly innocuous email about remuneration, purportedly from the victim’s HR department. The email contains a PDF attachment with a QR code, enticing the recipient to scan it to access a “secure document” with important salary information.
The strategy is to lure the victim into opening the link on a personal smartphone, which might lack the anti-phishing protection of a work computer.
Once the QR code is scanned, it directs the victim to a phishing site mimicking a Microsoft 365 login page. The victim is prompted to enter their username, password, and a one-time 2FA code.
The fake Microsoft login page prompts victims to enter their credentials and a one-time 2FA code.
This information is immediately relayed to the attackers via the WebSocket protocol, allowing them to quickly log in to the victim’s account and gain full access. This access can then be exploited for business email compromise (BEC) and other malicious activities.
Phishing-as-a-Service: Lowering the Barrier for Cybercrime
The ONNX Store operates primarily through the Telegram instant messenger, offering phishing services on a subscription basis. The cost of these services is surprisingly low: a monthly subscription for harvesting Microsoft 365 account passwords is priced at $200, or $400 if it includes a 2FA bypass.
This affordability makes it accessible even to small-time cybercriminals, expanding the pool of potential attackers.
The phishing-as-a-service model is particularly concerning because it lowers the entry threshold for cybercrime, enabling a wider circle of criminals to access dangerous tools. This democratization of cybercrime tools poses a significant threat to organizations worldwide.
Protecting Your Organization Against Advanced Phishing
Given the increased accessibility of sophisticated phishing tools, organizations must proactively protect themselves.
Here are some recommended strategies:
- Implement Stronger 2FA Solutions: Consider using FIDO U2F hardware tokens like YubiKeys or passkeys for 2FA. Unlike a one-time code, which the victim can be tricked into typing into a fake page and which the attacker can then relay, these credentials are bound to the legitimate site's origin, so they can thwart even the most advanced phishing attacks.
- Deploy Comprehensive Security Solutions: Ensure all corporate devices, including smartphones and tablets, have reliable security solutions featuring anti-phishing protection.
- Enhance Security Awareness: Conduct regular security awareness training to help employees recognize and manage suspicious emails. Interactive platforms, such as the Kaspersky Automated Security Awareness Platform, offer valuable resources for this purpose.
By adopting these measures, organizations can better defend against the evolving threat landscape posed by phishing-as-a-service models like the ONNX Store.
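To show why the first recommendation above works against the credential relay the article describes, here is an added Python illustration (not code from the article, from Kaspersky, or from the ONNX Store). The origins and the HMAC-based stand-in for the authenticator's asymmetric signature are constructed for the example.

```python
"""Why a relayed one-time code passes but a relayed FIDO/WebAuthn assertion fails.
Added illustration; the HMAC 'signature' stands in for a real authenticator's
public-key signature, and both origins below are constructed."""
import hashlib
import hmac
import json
import os
import secrets

LEGIT_ORIGIN = "https://login.microsoftonline.com"  # site the user intends to use
PHISH_ORIGIN = "https://example-lookalike.invalid"   # constructed attacker origin


def verify_otp(submitted: str, expected: str) -> bool:
    """A one-time code carries no information about where it was typed."""
    return hmac.compare_digest(submitted, expected)


def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser, not the user, tells the authenticator the origin it is on."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    digest = hashlib.sha256(client_data).digest()
    return {"client_data": client_data,
            "signature": hmac.new(key, digest, hashlib.sha256).hexdigest()}


def relying_party_verify(key: bytes, challenge: bytes, assertion: dict) -> bool:
    """The service checks origin and challenge before it even checks the signature."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != LEGIT_ORIGIN or data["challenge"] != challenge.hex():
        return False
    digest = hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def simulate_otp_relay() -> bool:
    code = "%06d" % secrets.randbelow(10 ** 6)
    relayed = code  # victim types it into the fake page; attacker forwards it
    return verify_otp(relayed, code)          # True: the service cannot tell


def simulate_webauthn_relay() -> bool:
    key, challenge = os.urandom(32), os.urandom(16)
    # attacker forwards the real challenge, but the victim's browser is on PHISH_ORIGIN
    return relying_party_verify(key, challenge,
                                authenticator_sign(key, challenge, PHISH_ORIGIN))


def simulate_webauthn_legit() -> bool:
    key, challenge = os.urandom(32), os.urandom(16)
    return relying_party_verify(key, challenge,
                                authenticator_sign(key, challenge, LEGIT_ORIGIN))
```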
The post ONNX Bot Tool Hijacks Microsoft 365 accounts & Even Bypass 2FA appeared first on Cyber Security News.