'ONNX' MFA Bypass Targets Microsoft 365 Accounts

19-June-24

A sophisticated phishing-as-a-service (PhaaS) operation called ONNX Store is targeting Microsoft 365 accounts within financial firms using advanced tactics such as 2FA bypass, QR codes, and typosquatting, according to EclecticIQ researchers. The campaign, detected in February, employs QR codes in PDF attachments to direct victims to phishing URLs, specifically targeting banks and financial institutions across the Americas and EMEA regions. The ONNX platform, accessible via Telegram bots, uses encrypted JavaScript for 2FA interception and real-time data capture through WebSockets, enhancing attack efficiency and evasion. The operation shares similarities with the Caffeine phishing kit, suggesting potential rebranding or collaboration with the Arabic-speaking threat actor MRxC0DER.
