Researchers have uncovered a sophisticated phishing marketplace, the ONNX Store, which provides cyber-criminals with advanced tools to hijack Microsoft 365 accounts.
Alarmingly, these tools include a way of getting past two-factor authentication (2FA): the kit captures the one-time code along with the password and relays it to the attacker in real time, so 2FA based on one-time codes is not, on its own, the safeguard many organizations assume it to be.
This discovery underscores the urgent need for corporate information security teams to bolster their defences with robust anti-phishing protections.
The Mechanics of the Attack
According to Kaspersky's report, the ONNX Store's phishing tools have been used in targeted attacks against employees of financial institutions.
The attack begins with a seemingly innocuous email about remuneration, purportedly from the victim’s HR department. The email contains a PDF attachment with a QR code, enticing the recipient to scan it to access a “secure document” with important salary information.
The strategy is to lure the victim into opening the link on a personal smartphone, which typically lacks the anti-phishing protection (spam filtering, DNS filtering, a managed browser) of a work computer.
Once the QR code is scanned, it directs the victim to a phishing site mimicking a Microsoft 365 login page. The victim is prompted to enter their username, password, and a one-time 2FA code.
This information is relayed to the attackers in real time over a WebSocket connection, so they can use the one-time code before it expires, log in to the victim's account and obtain a fully authenticated session. That access can then be exploited for business email compromise (BEC) and other malicious activities.
A further risk is that more and more users keep confidential files in OneDrive, and the attackers gain access to those as well once the account is compromised.
Phishing-as-a-Service: Lowering the Barrier for Cybercrime
The ONNX Store operates primarily through the Telegram instant messenger, offering phishing services on a subscription basis. The cost is surprisingly low: a monthly subscription for harvesting Microsoft 365 account passwords is priced at $200, or $400 if it includes the 2FA bypass.
This affordability makes it accessible even to small-time cybercriminals, expanding the pool of potential attackers.
The phishing-as-a-service model is particularly concerning because it lowers the entry threshold for cybercrime, enabling a wider circle of criminals to access dangerous tools. This democratization of cybercrime tools poses a significant threat to organizations worldwide.
How Pro-Networks Can Help
In addition to ensuring 2FA is in use, Pro-Networks offers a number of other measures that reduce the likelihood of a successful attack.
AntiSpam – Stopping the fake email from reaching your users in the first place is the most effective way to bolster security, since the attack cannot start without the QR-code attachment being delivered.
DNS Filtering – With real-time DNS filtering all user web traffic is checked as it is resolved, so a user who scans the QR code on a company-managed device is prevented from reaching the fake Microsoft login page. Note that a personal smartphone outside the filter, which is exactly what this campaign targets, does not get this protection.
Enhanced Microsoft 365 Security – Depending on the licence the end user has, we are able to turn on location-based sign-in blocking for email accounts, preventing logins from outside the UK. Because this kit relays the 2FA code rather than defeating it, the attacker's own sign-in is what needs to be stopped, and a location policy blocks it where it originates; attackers can route through UK-based infrastructure, so this control should be layered with the others rather than relied on alone.
User Training – We can assist with end-user training and run simulated phishing tests to measure how cyber-aware your employees are.
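To show what the location-based check above looks like as detection logic, here is an added example that is not part of the original article or of Pro-Networks' tooling. It reviews Microsoft 365 style sign-in records and flags the pattern an adversary-in-the-middle kit such as ONNX Store produces: a successful, MFA-satisfied sign-in from a country the organisation does not operate in, or from a country the user has never signed in from recently. The log lines, the CSV field layout, the allowed-country set and the user names are all constructed for the example.

```python
"""Detect suspicious Microsoft 365 sign-ins after an AiTM phishing attack.

Added example, not code from the article or from Pro-Networks. The records
below are constructed; the field layout (time,user,ip,country,status,mfa)
is an assumption and only loosely mirrors a real sign-in log export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a UK-only organisation, matching the page's "outside the UK" rule.
ALLOWED_COUNTRIES = {"GB"}

# Constructed sample log. Alice's third record is what a relayed-OTP login
# looks like: status=success and mfa=1, but from the attacker's infrastructure.
SAMPLE_LOG = """\
2024-06-10T08:02:11,alice@example.com,203.0.113.10,GB,success,1
2024-06-11T08:05:40,alice@example.com,203.0.113.10,GB,success,1
2024-06-12T13:20:30,alice@example.com,198.51.100.77,NL,failure,0
2024-06-12T13:21:05,alice@example.com,198.51.100.77,NL,success,1
2024-06-12T09:00:00,bob@example.com,203.0.113.22,GB,success,1
"""


@dataclass
class SignIn:
    time: datetime
    user: str
    ip: str
    country: str
    status: str   # "success" or "failure"
    mfa: bool     # True when the sign-in satisfied an MFA requirement


def parse_line(line: str) -> SignIn:
    """Parse one constructed CSV record into a SignIn."""
    t, user, ip, country, status, mfa = line.strip().split(",")
    return SignIn(datetime.fromisoformat(t), user, ip, country, status, mfa == "1")


def detect(records, allowed=ALLOWED_COUNTRIES, window=timedelta(days=30)):
    """Return a list of (user, reason) for suspicious successful sign-ins.

    Rule 1 (geo-block): success from a country outside `allowed`.
    Rule 2 (new country): success from a country this user has not used in
    the previous `window` of successes. This catches attacker infrastructure
    that happens to sit inside the allowed set.
    Failed sign-ins are ignored; MFA being satisfied does NOT clear a record,
    because a relayed one-time code also shows as mfa=True.
    """
    alerts = []
    history = {}  # user -> list of (time, country) for prior successes
    for r in sorted(records, key=lambda x: x.time):
        if r.status != "success":
            continue
        recent = {c for (t, c) in history.get(r.user, []) if r.time - t <= window}
        if r.country not in allowed:
            alerts.append((r.user, f"success from {r.country} ({r.ip}) outside "
                                   f"allowed countries, mfa={r.mfa}"))
        elif recent and r.country not in recent:
            alerts.append((r.user, f"first success from {r.country} ({r.ip}) "
                                   f"in {window.days} days, mfa={r.mfa}"))
        history.setdefault(r.user, []).append((r.time, r.country))
    return alerts


def run_sample(allowed=ALLOWED_COUNTRIES):
    """Run the detector over the constructed log with the given allowed set."""
    records = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return detect(records, allowed=allowed)


if __name__ == "__main__":
    for user, reason in run_sample():
        print(f"ALERT {user}: {reason}")
```

Run as written, the script raises one alert for alice@example.com, because the MFA-satisfied success from NL falls outside the allowed set; Bob's GB sign-in and Alice's failed attempt are left alone. Widening `allowed` to include NL still flags the same record under the new-country rule, which is the layered behaviour the text recommends: the location policy is the first line, and a per-user baseline catches what it misses.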
For more information on bolstering your Microsoft 365 defences please speak to us today.