Severity
High
Analysis Summary
Researchers have discovered that a well-organized phishing-as-a-service (PhaaS) operation is using business email compromise (BEC) attacks to target Microsoft 365 accounts across financial firms. To increase the chances of success, the attacks make use of QR codes, two-factor authentication (2FA) bypasses, and other sophisticated evasion techniques.
Security analysts found evidence of a widespread phishing effort targeting financial institutions in February. The campaign involved threat actors using embedded QR codes in PDF documents to lure victims to phishing URLs. Banks, private investment enterprises, and credit union service providers in the Americas and Europe, Middle East, and Africa (EMEA) regions were among the specific organizations targeted. In the end, researchers were able to identify the campaign's source as ONNX Store, a PhaaS platform with an intuitive user interface that can be accessed through Telegram bots.
A crucial component of the ONNX service is a 2FA bypass technique that uses encrypted JavaScript code to intercept victims' 2FA requests, reducing the chance of discovery and increasing the success rate of attacks. Furthermore, the campaign's phishing pages use typosquatted domains to mimic the Microsoft 365 login interface, increasing the likelihood that targets will be tricked into providing their authentication information. The attack often involves a threat actor posing as an employee and claiming to be sending the recipient a human resources document, such as a salary remittance slip or employee handbook, as a PDF. The document is branded as Adobe or Microsoft 365 to persuade the recipient to open the attachment. When scanned, the QR code leads the victim to a phishing landing page.
One increasingly popular strategy for avoiding endpoint detection is the use of QR codes. Since most mobile phones can read QR codes, and many employees' mobile devices lack detection or prevention features, it can be difficult for enterprises to monitor this threat. Analysts discovered that the attacker-controlled landing page uses the adversary-in-the-middle (AiTM) technique to acquire login credentials and 2FA authentication codes. As victims enter their credentials, the phishing server collects the stolen data over the WebSocket protocol, which enables real-time, two-way communication between the user's browser and the server. Capturing and relaying the stolen data immediately, without repeated HTTP requests, makes the phishing operation faster and harder to detect.
Tycoon, another PhaaS operator, has also employed a comparable AiTM method together with a multifactor authentication (MFA) bypass that makes use of a Cloudflare CAPTCHA. This shows how malicious actors are learning from one another and adapting their tactics accordingly. According to researchers, ONNX may be a rebranding of a phishing kit named Caffeine, which was initially uncovered by Mandiant researchers in 2022. The two share similarities in their Telegram infrastructure and advertising strategies.
Another hypothesis is that the Arabic-speaking threat actor believed to have created and maintained Caffeine is providing customer support for ONNX Store, while the larger operation is probably run autonomously by a new group without central supervision. A further anti-detection feature of the ONNX phishing kit is encrypted JavaScript code that decrypts itself during page load and includes a basic anti-debugging function. This makes analysis more difficult and adds another layer of defense against anti-phishing scanners.
Researchers discovered a feature in the decrypted JavaScript code that is intended to intercept victims' 2FA token entries and send them to the attacker. The attacker then uses the credentials and tokens in real-time to log into Microsoft 365. By using a real-time credential relay, the attacker can bypass multifactor authentication and obtain unauthorized access to the victim's account before the 2FA token expires.
Organizations should set their email servers to restrict PDF or HTML attachments from untrusted external sources to lessen the risk posed by embedded QR codes in PDF documents. They can also inform staff members about the dangers of scanning QR codes from unidentified sources. Organizations can utilize domain name system security extensions (DNSSEC), which shields domains from a variety of cyber threats, including typosquatting, to counteract the typosquatted domains that the threat actor is using to pose as Microsoft.
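The attachment restriction recommended above, as an added example that is not part of this advisory: a minimal mail-gateway policy check that quarantines messages carrying PDF or HTML attachments when the sender's domain is not one of the organisation's own. The internal domain list, the sender addresses and the sample message are constructed for the example; the thresholds and actions are assumptions, not the advisory's.

```python
"""Added example: flag PDF/HTML attachments from external senders.

Everything below (domain list, sender addresses, sample message) is constructed
for illustration; it is not the advisory's own code or data.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Assumed: the organisation's own sending domains (constructed for the example).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Attachment types the mitigation singles out: PDF and HTML.
RESTRICTED_TYPES = {"application/pdf", "text/html"}
RESTRICTED_EXTENSIONS = {".pdf", ".html", ".htm"}


def sender_domain(msg: EmailMessage) -> str:
    """Return the domain part of the From header, lower-cased."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def restricted_attachments(msg: EmailMessage) -> list[str]:
    """List attachment filenames whose declared type or extension is PDF/HTML."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype in RESTRICTED_TYPES or any(name.endswith(ext) for ext in RESTRICTED_EXTENSIONS):
            found.append(part.get_filename() or "<unnamed>")
    return found


def policy_decision(raw: bytes) -> tuple[str, list[str]]:
    """Return ("quarantine" | "deliver", names of offending attachments)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if sender_domain(msg) in INTERNAL_DOMAINS:
        return "deliver", []          # internal mail is not subject to this rule
    hits = restricted_attachments(msg)
    return ("quarantine" if hits else "deliver"), hits


def build_sample(from_addr: str) -> bytes:
    """Construct a sample message with a tiny fake PDF attachment (not real malware)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Salary remittance slip"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="remittance.pdf")
    return bytes(msg)


if __name__ == "__main__":
    print(policy_decision(build_sample("hr@unknown-sender.test")))
    print(policy_decision(build_sample("hr@example.com")))
```

The check keys on both the declared MIME type and the filename extension, because a phishing lure can arrive as `application/octet-stream` with a `.pdf` name; a production gateway would additionally inspect content rather than trust either label.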
Defenders can also take steps to prevent 2FA token theft, such as implementing FIDO2 hardware security keys; limiting the time an attacker has to use stolen login tokens by setting a short expiration time; and using security monitoring tools to identify and alert on unusual behavior, such as multiple unsuccessful login attempts or logins from suspicious locations.
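The two monitoring signals named above, as an added example that is not part of this advisory: a small detector run over constructed sign-in records that raises an alert when a user accumulates repeated failed logins within a short window, and when a user succeeds from a country not seen in that user's earlier successful sign-ins. The record format, thresholds and sample events are assumptions made for the example.

```python
"""Added example: detect failed-login bursts and sign-ins from new locations.

The event records, thresholds and field names are constructed for illustration
and do not correspond to any particular product's log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-06-20T09:00:00", "user": "alice", "result": "success", "country": "US", "ip": "203.0.113.5"},
    {"ts": "2024-06-20T09:05:00", "user": "alice", "result": "success", "country": "US", "ip": "203.0.113.5"},
    {"ts": "2024-06-20T11:00:00", "user": "bob", "result": "failure", "country": "US", "ip": "198.51.100.9"},
    {"ts": "2024-06-20T11:01:00", "user": "bob", "result": "failure", "country": "US", "ip": "198.51.100.9"},
    {"ts": "2024-06-20T11:02:00", "user": "bob", "result": "failure", "country": "US", "ip": "198.51.100.9"},
    {"ts": "2024-06-20T11:03:00", "user": "bob", "result": "failure", "country": "US", "ip": "198.51.100.9"},
    {"ts": "2024-06-20T11:04:00", "user": "bob", "result": "failure", "country": "US", "ip": "198.51.100.9"},
    {"ts": "2024-06-20T11:10:00", "user": "alice", "result": "success", "country": "NL", "ip": "192.0.2.77"},
    {"ts": "2024-06-20T11:30:00", "user": "alice", "result": "success", "country": "US", "ip": "203.0.113.5"},
]

# Assumed tuning values for the example.
FAIL_THRESHOLD = 5                  # failures that constitute a burst
FAIL_WINDOW = timedelta(minutes=10)  # sliding window for counting failures


def detect(events):
    """Return a list of (alert_type, user, timestamp) tuples in time order."""
    events = sorted(events, key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)   # user -> timestamps inside the window
    known_countries = defaultdict(set)     # user -> countries of earlier successes
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["result"] == "failure":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()       # drop failures older than the window
            if len(window) == FAIL_THRESHOLD:   # fire once when the burst forms
                alerts.append(("failed_burst", user, e["ts"]))
        else:
            # A success from a country absent from the user's baseline is suspicious;
            # the first success for a user seeds the baseline without alerting.
            if known_countries[user] and e["country"] not in known_countries[user]:
                alerts.append(("new_location", user, e["ts"]))
            known_countries[user].add(e["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In an AiTM relay the attacker's own sign-in is a *successful* authentication with a valid token, so the failed-burst rule alone will not catch it; the new-location rule (or, in practice, a comparison of the sign-in IP against the victim's usual network) is the one that surfaces the relayed session.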
Impact
- Unauthorized Access
- Financial Loss
- Credential Theft
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- authmicronlineonfication.com
- verify-office-outlook.com
- stream-verify-login.com
- zaq.gletber.com
- v744.r9gh2.com
- bsifinancial019.ssllst.cloud
- 473.kernam.com
- docusign.multiparteurope.com
- 56789iugtfrd5t69i9ei9die9di9eidy7u889.rhiltons.com
- agchoice.us-hindus.com
MD5
- 0250a5ba26791e7ffddb4b294d486479
- 83dac37771e8592e006f671666ebf590
- 6193c137f3b5b0da106b86f74670cf6f
- 10d6e16a05965be5bc0059131dc5ae7c
- 2a0576dc8628b3f27190755d291750e4
- 15ef89d1a2aa023ab664e1adcd75cbfd
- 3f042b126e54b3a57485bf034d31fb39
- d125e7ed32bc2ce320489f5b5cd3ffdc
- 6980444399f1de17eec169e844d0b30e
- 1932d8238769b203693d1bbb56e541d2
SHA-256
- 432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3
- 47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea
- 51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1
- f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070
- 52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a
- 3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e
- 702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7
- 908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12
- d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172
- 4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732
SHA-1
- ebcfcc832b957598354d3a2faacacf6fa91b58cb
- 6b2db1e10fcc74fe864dbe6399b6d26d0d67d3f3
- 5dfef0d6a7ae77355278706323e71ac96686615b
- 2e68d5a9ae45af0c1faee31896269a0d9648026b
- 5aabe0b495218f8559b088395c375b27fef6eeb7
- 00610bfd4c015cefdad2149d9f2f3c89f4fe5452
- 2ed2deeb3cc6917a4065d6921033a886ae52b643
- 159648bdb70c0e7510d06295344276e06f94a4f2
- ccb296c3b6365a0d9706e14b6ba9745cef88c4c3
- 0f13cc4784d4b8123abf3eda514608e96b16e351
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly update all software and systems to ensure vulnerabilities are patched promptly.
- Implement robust email filtering to block phishing attempts that may deliver initial infection loaders.
- Utilize advanced endpoint detection and response (EDR) tools to identify and block suspicious activities.
- Conduct regular security audits and vulnerability assessments to identify and mitigate potential security gaps.
- Employ least privilege principles, ensuring users and applications have the minimum necessary access rights.
- Enable multi-factor authentication (MFA) to add a layer of security to user accounts.
- Monitor network traffic for unusual activities that could indicate the presence of malware or unauthorized access.
- Educate employees on recognizing phishing emails and safe online practices to reduce the risk of initial infection.
- Establish and test incident response plans to ensure rapid containment and recovery in the event of ransomware.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
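The first two remediation items, as an added example that is not part of this advisory: a sweep that matches the domains and file hashes listed under Indicators of Compromise above against DNS query logs and a file-hash inventory. The log formats, client addresses and file paths are constructed for the example; only the indicator values themselves come from this page. Domain matching treats any subdomain of a listed domain as a hit, so that a lookup of a host under a listed domain is not missed.

```python
"""Added example: sweep constructed DNS logs and a file inventory for this
advisory's indicators. Log lines, hosts and paths are made up; the indicator
values are taken from the advisory's IOC list."""
import re

# Domains from the advisory's IOC list.
IOC_DOMAINS = {
    "authmicronlineonfication.com",
    "verify-office-outlook.com",
    "stream-verify-login.com",
    "zaq.gletber.com",
    "v744.r9gh2.com",
    "bsifinancial019.ssllst.cloud",
    "473.kernam.com",
    "docusign.multiparteurope.com",
    "56789iugtfrd5t69i9ei9die9di9eidy7u889.rhiltons.com",
    "agchoice.us-hindus.com",
}

# A subset of the advisory's hashes (one MD5, one SHA-1, one SHA-256), lower-cased.
IOC_HASHES = {
    "0250a5ba26791e7ffddb4b294d486479",
    "ebcfcc832b957598354d3a2faacacf6fa91b58cb",
    "432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3",
}

# Constructed DNS resolver log (not real data).
SAMPLE_DNS_LOG = """\
2024-06-20T10:01:02 client=10.0.0.12 query=login.microsoftonline.com type=A
2024-06-20T10:03:44 client=10.0.0.12 query=verify-office-outlook.com type=A
2024-06-20T10:03:45 client=10.0.0.12 query=cdn.verify-office-outlook.com type=A
2024-06-20T10:07:10 client=10.0.0.31 query=docusign.com type=A
"""

# Constructed file inventory: host, path, digest (not real data).
SAMPLE_FILE_INVENTORY = """\
10.0.0.12 C:\\Users\\alice\\Downloads\\remittance.pdf 0250a5ba26791e7ffddb4b294d486479
10.0.0.31 C:\\Users\\bob\\Downloads\\handbook.pdf 00000000000000000000000000000000
"""


def domain_matches(qname):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Walk from the full name down to the registrable suffix; never test a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def sweep_dns(log_text):
    """Return (client, queried_name, matched_ioc) for every DNS query hitting an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if not m:
            continue
        matched = domain_matches(m.group(2))
        if matched:
            hits.append((m.group(1), m.group(2), matched))
    return hits


def sweep_hashes(inventory_text):
    """Return (host, path, digest) for every inventory entry whose digest is an IOC."""
    hits = []
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        host, path, digest = parts
        if digest.lower() in IOC_HASHES:
            hits.append((host, path, digest.lower()))
    return hits


if __name__ == "__main__":
    print(sweep_dns(SAMPLE_DNS_LOG))
    print(sweep_hashes(SAMPLE_FILE_INVENTORY))
```

Note that `docusign.com` is not matched, because the indicator is `docusign.multiparteurope.com`, not the legitimate DocuSign domain; suffix matching must run from the listed domain outward, never by substring, or a sweep produces false positives on look-alike legitimate hosts.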