Cyber Attacks
June 19, 2024

ONNX Phishing Attack Targets Microsoft 365 Accounts in Financial Firms

A newly identified phishing-as-a-service (PhaaS) platform, ONNX Store, has emerged, specifically targeting Microsoft 365 accounts of employees within financial firms. This sophisticated phishing operation utilises QR codes embedded in PDF attachments to deceive its victims.

The ONNX Store platform is designed to compromise both Microsoft 365 and Office 365 email accounts. It employs Telegram bots for communication and incorporates mechanisms to bypass two-factor authentication (2FA), enhancing its ability to infiltrate secure systems.

Cyber security researchers have linked ONNX to the well-known Caffeine phishing kit, suggesting it is a rebranded iteration managed by the Arabic-speaking threat actor, MRxC0DER. The Caffeine platform, initially identified by Mandiant in October 2022, previously focused on targeting Russian and Chinese platforms, marking a shift in focus towards Western services with the advent of ONNX.

The evolution of such PhaaS platforms underscores the need for heightened vigilance and advanced security measures in protecting organisational email accounts, particularly within the financial sector.

ONNX Phishing Attack

In February 2024, cyber security researchers detected a surge in ONNX phishing attacks, primarily aimed at employees in banks, credit unions, and private funding firms. These attacks involved phishing emails with PDF attachments containing malicious QR codes.

The phishing emails impersonated HR departments, enticing recipients with subjects related to salary updates. The PDFs, designed to appear as official Adobe or Microsoft documents, contained QR codes that, when scanned on a mobile device, took the click outside the organisation's phishing protections and redirected the victim to fraudulent Microsoft 365 login pages.

Once on the fake login page, victims were prompted to enter their Microsoft 365 credentials and 2FA token. The phishing site captured these details in real-time, transmitting them via WebSockets to the attackers. This allowed the attackers to quickly hijack the accounts before the authentication token expired.

With access to compromised email accounts, attackers could exfiltrate sensitive information such as emails and documents. They could also sell the stolen credentials on the dark web, facilitating further malware and ransomware attacks.

This campaign underscores the critical need for enhanced phishing defences and user awareness, especially within financial institutions, to mitigate such sophisticated threats.

Advanced Phishing Platform

From the perspective of the cybercriminals, ONNX presents a highly efficient and cost-effective phishing platform. The core of its operations is managed via Telegram, where bots provide clients with a user-friendly interface to orchestrate their phishing campaigns. Additionally, dedicated support channels are available to assist users with any technical issues.

The platform offers customisable phishing templates tailored for Microsoft Office 365, alongside webmail services for dispatching phishing emails. ONNX employs encrypted JavaScript that decrypts itself upon page load, adding a layer of obfuscation to evade anti-phishing tools and scanners. Furthermore, ONNX leverages Cloudflare services to prevent its domains from being taken down, incorporating anti-bot CAPTCHA and IP proxying.

To ensure uninterrupted operations, ONNX uses bulletproof hosting services, which resist takedown efforts, and provides remote desktop protocol (RDP) services for secure campaign management.

ONNX offers four subscription tiers, each catering to different phishing needs:

Webmail Normal ($150/month): Features include customisable text elements, a password loop, Telegram ID integration, custom redirect links, and auto-fetching of custom domain logos.

Office Normal ($200/month): Provides true login functionality, one-time passwords, country blocking, custom page titles, password loops, Telegram integration, and custom logos.

Office Redirect ($200/month): Offers wildcard links, undetectable inbox links, custom page titles, dynamic codes, and auto-grab email functionality for 2FA redirects.

Office 2FA Cookie Stealer ($400/month): Captures 2FA cookies, supports offline 2FA, and includes custom page titles, Telegram integration, dynamic codes, and link statistics.

ONNX Store poses a significant threat to Microsoft 365 account holders, particularly within the financial services sector. To mitigate the risks of its sophisticated phishing attacks, administrators are advised to block PDF and HTML attachments from unverified sources, restrict access to HTTPS websites with untrusted or expired certificates, and implement FIDO2 hardware security keys for high-risk, privileged accounts.
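The real-time relay of credentials and 2FA token described above works because a password and a one-time code carry nothing that ties them to the page that collected them; a FIDO2/WebAuthn assertion does. The following added example (not code from the post, from Microsoft or from EclecticIQ) models both relying-party checks side by side: a password-plus-OTP login that only compares secrets, and the origin, challenge and rpIdHash checks a WebAuthn relying party performs on an assertion. RP_ID, EXPECTED_ORIGIN, the phishing origin and the challenge are assumed values; verifying the signature with the credential's public key is assumed to follow the checks shown and is omitted.

```python
"""Why the real-time credential relay fails against an origin-bound FIDO2 assertion.

Added example; RP_ID, EXPECTED_ORIGIN, PHISHING_ORIGIN and the challenge are
assumed values. Signature verification over the credential public key is omitted.
"""
import base64
import hashlib
import json

RP_ID = "example.com"                                    # assumed relying-party identifier
EXPECTED_ORIGIN = "https://login.example.com"            # assumed legitimate login origin
PHISHING_ORIGIN = "https://login-example.phish.invalid"  # placeholder for a lookalike page


def legacy_login(password: str, otp: str, stored_password: str, valid_otp: str) -> bool:
    """Password + one-time code: nothing ties the secrets to the page that collected them,
    so a proxy forwarding them within the OTP window is indistinguishable from the user."""
    return password == stored_password and otp == valid_otp


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """The browser builds clientDataJSON itself and fills in the origin of the page that
    called navigator.credentials.get(); script on that page cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()


def authenticator_data(rp_id: str, user_present: bool = True) -> bytes:
    """authenticatorData prefix: rpIdHash (32 bytes) || flags (1) || signCount (4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> tuple:
    """Relying-party checks from the WebAuthn assertion verification procedure
    (ceremony type, challenge, origin, rpIdHash, user presence). Returns (accepted, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replayed or foreign session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def relay_scenarios() -> dict:
    """Constructed walk-through: the same user completes both login types on the phishing
    page while a proxy forwards everything to the real service in real time."""
    challenge = b"constructed-challenge-0001"
    return {
        # The proxy forwards the captured password and OTP: accepted.
        "password_otp_relayed": legacy_login("Pa55word!", "246810", "Pa55word!", "246810"),
        # Genuine user on the genuine origin: accepted.
        "fido2_genuine": verify_assertion(
            browser_client_data(challenge, EXPECTED_ORIGIN), authenticator_data(RP_ID), challenge),
        # Proxy forwards the real challenge to the phishing page; the victim's browser
        # stamps the phishing origin into clientDataJSON and hashes the phishing RP ID.
        "fido2_relayed": verify_assertion(
            browser_client_data(challenge, PHISHING_ORIGIN),
            authenticator_data("phish.invalid"), challenge),
    }


if __name__ == "__main__":
    for name, result in relay_scenarios().items():
        print(name, result)
```

Running the block prints the three scenarios: the relayed password and OTP are accepted, the genuine assertion is accepted, and the relayed assertion is rejected on the origin check before the signature is ever examined. This is the property that makes the FIDO2 recommendation above effective against a proxying kit rather than merely inconvenient for it.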

Additionally, EclecticIQ has provided YARA rules in its report to aid in detecting malicious PDF files containing QR codes that lead to phishing URLs.
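The PDF lure described earlier combines a few structural traits that are cheap to check at the mail gateway: an embedded raster image (the QR code), very little drawn text, lure wording, and sometimes active content. The following added example is a heuristic triage script written for this post; it is not the EclecticIQ YARA rules and not code from the ONNX report. It reads raw PDF bytes with regular expressions rather than a PDF library, and the keyword list, score weights and threshold are assumptions chosen for illustration; the two PDFs it scans are constructed samples.

```python
"""Heuristic triage of a PDF attachment for the QR-code lure pattern.

Added example, not the EclecticIQ YARA rules. Works on raw bytes with regular
expressions; keyword list and threshold are assumptions for illustration.
"""
import re

IMAGE_XOBJECT = re.compile(rb"/Subtype\s*/Image")      # embedded raster image (a QR code is one)
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")        # clickable link action
JS_ACTION = re.compile(rb"/JavaScript|/JS\b")          # embedded JavaScript action
TEXT_SHOW = re.compile(rb"\((.*?)\)\s*Tj")             # text drawn with the Tj operator
LURE_WORDS = (b"scan", b"qr", b"salary", b"payroll", b"sign in")  # assumed lure vocabulary


def triage_pdf(data: bytes) -> dict:
    """Return the structural indicators found in one PDF and a coarse verdict."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "verdict": "not-a-pdf"}
    image_count = len(IMAGE_XOBJECT.findall(data))
    uris = [u.decode("latin-1") for u in URI_ACTION.findall(data)]
    text = b" ".join(TEXT_SHOW.findall(data)).lower()
    lure_words = [w.decode() for w in LURE_WORDS if w in text]
    has_js = bool(JS_ACTION.search(data))

    score = 0
    if image_count:                      # the QR code has to be rendered as an image
        score += 1
    if lure_words:                       # "scan the QR code", HR/salary theme
        score += 1
    if has_js or uris:                   # active content or outbound links
        score += 1
    if image_count and len(text) < 200:  # image-dominant page with almost no text
        score += 1
    return {
        "is_pdf": True,
        "image_xobjects": image_count,
        "uris": uris,
        "javascript": has_js,
        "lure_words": lure_words,
        "score": score,
        "verdict": "suspicious" if score >= 2 else "benign",
    }


def _minimal_pdf(objects: bytes) -> bytes:
    """Wrap objects in a syntactically minimal PDF (constructed sample, not a real lure)."""
    return b"%PDF-1.4\n" + objects + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample 1: one image XObject plus a single line of lure text.
QR_LURE = _minimal_pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 200 /Height 200 >>\n"
    b"stream\n<binary image data omitted>\nendstream endobj\n"
    b"5 0 obj << /Length 60 >> stream\n"
    b"BT (Scan the QR code to view your salary update) Tj ET\n"
    b"endstream endobj\n"
)

# Constructed sample 2: an ordinary text-only document.
PLAIN_DOC = _minimal_pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"5 0 obj << /Length 40 >> stream\n"
    b"BT (Quarterly report, page 1 of 12) Tj ET\n"
    b"endstream endobj\n"
)

if __name__ == "__main__":
    for name, sample in (("qr-lure.pdf", QR_LURE), ("report.pdf", PLAIN_DOC)):
        print(name, triage_pdf(sample))
```

The script is a triage filter, not a verdict engine: a hit should route the attachment to a sandbox that renders the page and decodes the QR code so the destination URL can be checked, which is where the YARA rules mentioned above and URL reputation come in. Real PDFs often compress content streams, so the text check only sees uncompressed streams; a production version would inflate FlateDecode streams first.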
