A new phishing-as-a-service platform called ONNX Store has emerged, posing a severe threat to financial institutions by targeting employees’ Microsoft 365 accounts. Developed by a threat actor known as MRxC0DER, ONNX Store is likely a rebranded version of the Caffeine phishing kit. This service operates through Telegram bots, enabling cyber criminals to orchestrate phishing campaigns and bypass multi-factor authentication (MFA) security measures. 

How the ONNX Phishing Scam Works 

ONNX Store employs a deceptive tactic known as “quishing” (QR code phishing) to lure victims. Cyber criminals distribute malicious PDF attachments via phishing emails impersonating human resources departments or service providers. These PDFs contain embedded QR codes that, when scanned, redirect victims to fake Microsoft 365 login pages controlled by the attackers. 

Malicious PDF attachment – Source: EclecticIQ 

Once on the phishing page, victims are prompted to enter their login credentials and 2FA token. The stolen data is immediately relayed to the attackers via WebSockets, allowing them to hijack the target’s account before the 2FA token expires. This real-time relay of credentials enables the attackers to bypass MFA security. 
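Because the relay described above replays the victim's credentials and one-time code from the attacker's own infrastructure, the successful MFA sign-in that Microsoft records originates from an IP the victim has never used, usually on a hosting network, and often in a different country from the victim's own sign-in minutes earlier. The following detection logic is an added example, not code from the article or from EclecticIQ; the log format, field names (`net`, `mfa`, `ok`) and sample events are constructed for illustration and would be mapped onto a real sign-in log export before use.

```python
"""Flag Microsoft 365 sign-ins that look like a real-time credential relay.

Added illustration, not from the article. The JSON-lines format and the
field names are constructed; in practice the `net` field would come from
ASN enrichment of the source IP.
"""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (RFC 5737 documentation addresses).
SAMPLE_LOG = """
{"ts": "2024-06-18T09:00:12Z", "user": "a.jones", "ip": "203.0.113.10", "country": "GB", "net": "residential", "mfa": true, "ok": true}
{"ts": "2024-06-18T09:04:40Z", "user": "a.jones", "ip": "198.51.100.77", "country": "NL", "net": "hosting", "mfa": true, "ok": true}
{"ts": "2024-06-18T09:30:00Z", "user": "b.smith", "ip": "203.0.113.55", "country": "GB", "net": "residential", "mfa": true, "ok": true}
{"ts": "2024-06-18T10:15:00Z", "user": "b.smith", "ip": "203.0.113.55", "country": "GB", "net": "residential", "mfa": true, "ok": true}
{"ts": "2024-06-18T11:02:00Z", "user": "c.lee", "ip": "192.0.2.9", "country": "US", "net": "hosting", "mfa": false, "ok": false}
"""

# A relayed code must be used before it expires, so the attacker's sign-in
# lands within minutes of the victim's own activity.
WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Parse JSON-lines sign-in events and sort them per user by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: (r["user"], r["ts"]))
    return events


def find_relay_candidates(events, window=WINDOW):
    """Return (user, iso timestamp, reasons) for successful sign-ins that
    match the relay pattern: MFA satisfied from a hosting IP the user has
    never used, and/or a second country within `window` of another success."""
    alerts = []
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        seen_ips = set()
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue  # failed sign-ins never grant a session
            reasons = []
            if e["mfa"] and e["net"] == "hosting" and e["ip"] not in seen_ips:
                reasons.append("mfa-satisfied sign-in from previously unseen hosting ip")
            for prev in evs[:i]:
                if prev["ok"] and e["ts"] - prev["ts"] <= window and prev["country"] != e["country"]:
                    reasons.append(f"second country ({prev['country']} -> {e['country']}) within {window}")
                    break
            if reasons:
                alerts.append((user, e["ts"].isoformat(), reasons))
            seen_ips.add(e["ip"])
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in find_relay_candidates(parse_log(SAMPLE_LOG)):
        print(user, ts, "; ".join(reasons))
```

In the constructed sample only `a.jones` is flagged: a residential sign-in from GB is followed four minutes later by an MFA-satisfied success from a hosting address in NL, which is exactly what a credential relayed through the attacker's server looks like from the identity provider's side. Tuning the window and the hosting-network list against a baseline of each user's normal locations keeps the rule from firing on travelling staff.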

The Microsoft 365 phishing page – Source: EclecticIQ 

A Sophisticated Phishing Platform 

ONNX Store provides a user-friendly interface for managing phishing operations, including customisable templates, webmail services for sending phishing emails, and bulletproof hosting to evade takedowns. The platform also uses encrypted JavaScript code and Cloudflare services to obfuscate its activities and prevent detection by security tools. 

ONNX Store offers various subscription tiers, ranging from $150 to $400 per month, catering to different levels of phishing capabilities, such as webmail services, 2FA bypass, and cookie stealing. 

List of the services in ONNX Store – Source: EclecticIQ 

Impact on Financial Institutions 

The primary targets of ONNX Store’s phishing campaigns are employees at banks, credit unions, and private funding firms across Europe, the Middle East, and the Americas. Stolen Microsoft 365 credentials can grant attackers access to sensitive information, financial data, and corporate networks, potentially leading to further malicious activities like data exfiltration or ransomware attacks. 

Prevention and Mitigation Strategies 

To protect against ONNX Store’s sophisticated phishing attacks, organisations should implement the following measures: 

  1. Employee Awareness Training: Educate employees about the dangers of phishing emails, malicious PDF attachments, and the risks associated with scanning QR codes from untrusted sources.
  2. Email Security: Implement advanced email security solutions to detect and block phishing emails and malicious attachments. 
  3. Multi-Factor Authentication: Enable strong MFA mechanisms, such as FIDO2 hardware security keys, for high-risk and privileged accounts. 
  4. Network Monitoring: Monitor network traffic for suspicious patterns and indicators of compromise (IoCs) associated with ONNX Store’s infrastructure. 
  5. Incident Response Plan: Develop and regularly test an incident response plan to mitigate the impact of a successful phishing attack. 
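Item 3 recommends FIDO2 keys because they defeat the relay rather than just slowing it down: the browser records the origin of the page that requested the login, and the authenticator binds its response to the relying party ID, so a login performed on a look-alike domain cannot be forwarded to the real Microsoft 365 endpoint even in real time. The verifier below is an added example (not code from the article, Microsoft or EclecticIQ) that shows the two checks responsible for this; the relying party ID, origins and challenge are constructed, and signature verification, which would follow these checks in a full WebAuthn implementation, is left out.

```python
"""Why FIDO2 resists real-time relay: origin and RP ID binding.

Added example, not from the article. `build_assertion` stands in for what a
browser plus authenticator would produce on a page at a given origin; the
relying party check is the part a defender actually implements.
"""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.com"                    # constructed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP owns


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def new_challenge():
    """Fresh per-login challenge; reuse would allow replay."""
    return secrets.token_bytes(32)


def build_assertion(origin, challenge, rp_id):
    """Simulate the client side: clientDataJSON carries the page origin,
    authenticatorData carries SHA-256 of the RP ID the authenticator used."""
    client_data = {"type": "webauthn.get",
                   "challenge": b64url_encode(challenge),
                   "origin": origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    flags = b"\x01"  # UP bit: user present
    sign_count = (0).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return {"clientDataJSON": b64url_encode(client_data_json),
            "authenticatorData": b64url_encode(auth_data)}


def verify_assertion(assertion, expected_challenge,
                     rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying party checks from the WebAuthn assertion ceremony. Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replay)"
    # The browser, not the user, fills in the origin: a phishing page cannot claim ours.
    if client_data.get("origin") not in allowed_origins:
        return False, f"origin {client_data.get('origin')!r} not owned by relying party"
    auth_data = b64url_decode(assertion["authenticatorData"])
    # The authenticator scoped its credential to the RP ID of the page it was used on.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    ch = new_challenge()
    print(verify_assertion(build_assertion("https://login.example.com", ch, RP_ID), ch))
    # A relay: the user completed the ceremony on a look-alike site, attacker forwards it.
    print(verify_assertion(build_assertion("https://login.example.net", ch, "login.example.net"), ch))
```

The second call fails on the origin check before the signature is ever examined, which is the property the one-time codes relayed over WebSockets in the ONNX Store flow lack: a six-digit code carries no information about where it was typed.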

If you suspect you have fallen victim to an ONNX Store phishing attack, immediately change your compromised passwords, enable MFA if not already in place, check active sessions, and notify your IT security team or relevant department where you can get support. 

By implementing robust security measures and promoting cyber security awareness, organisations can better protect themselves against the evolving threat posed by the ONNX phishing service and similar malicious platforms.

Additional content on this threat including MITRE and IOCs available at: