This worrying new phishing attack is going after Microsoft 365 accounts
- Trustwave Security Researchers Discover New Phishing Kit That Can Steal Microsoft 365 Accounts
- Rockstar 2FA can relay MFA codes and capture session cookies
- The service is offered on the dark web for just $200
There’s a worrying new phishing kit that could allow cybercriminals to go after people’s Microsoft 365 accounts, even if they’re protected by multi-factor authentication (MFA). It’s called “Rockstar 2FA” and costs $200 on the dark web.
Cybersecurity researchers at Trustwave recently discovered and analyzed the new kit, noting that it has been aggressively promoted on Telegram and among other cybercriminal communities since August 2024.
The developers of the kit claim that it supports Microsoft 365, Hotmail, GoDaddy and SSO and provides randomized source code and links to evade detection. It also uses a Cloudflare Turnstile Captcha to screen visitors, so that the phishing page is not loaded in a sandbox or analyzed by automated scanners.
Bypass MFA and steal cookies
Phishing, as an attack method, hasn’t changed much over the years. Scammers send emails with fake documents, or create urgent alerts that users must address immediately or face the consequences. Due to hasty actions, victims end up infecting their devices with malware, losing sensitive data, granting valuable access to cybercriminals, and more.
To combat this method, most companies today use multi-factor authentication (MFA), a second layer of authentication that blocks unauthorized access even if the crooks steal the credentials. Criminals responded with adversary-in-the-middle (AiTM) phishing, a technique Rockstar 2FA also implements.
Using the kit, attackers set up fake Microsoft 365 login pages that act as a proxy. When the victim enters their credentials, the kit forwards them to the legitimate login page, which responds with an MFA challenge. The phishing page relays that challenge to the victim, who completes it, and the account is compromised.
Finally, Rockstar 2FA captures the authentication cookie the service issues to the user, allowing the attackers to remain signed in to the account.
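Because the cookie is issued after MFA is completed through the proxy and then replayed from the attacker's infrastructure, one defensive signal is a session that passed MFA from one IP, country or browser and is used from another shortly afterwards. The following is an added example, not code from the article or from Trustwave's report; it runs over constructed sign-in events with a hypothetical schema (session_id, ip, country, ua, mfa), not real Microsoft 365 telemetry.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (hypothetical schema, not real telemetry).
# "mfa" marks the event in which the second factor was satisfied.
def ev(sid, user, ts, ip, country, ua, mfa=False):
    return {"session_id": sid, "user": user, "ts": ts, "ip": ip, "country": country, "ua": ua, "mfa": mfa}

EVENTS = [
    ev("s-1", "alice", "2024-11-20T09:00:00", "203.0.113.10", "DE", "Chrome/130 Windows", mfa=True),
    ev("s-1", "alice", "2024-11-20T09:06:00", "198.51.100.7", "NL", "Firefox/132 Linux"),
    ev("s-2", "bob", "2024-11-20T10:00:00", "192.0.2.5", "DE", "Edge/130 Windows", mfa=True),
    ev("s-2", "bob", "2024-11-20T10:30:00", "192.0.2.5", "DE", "Edge/130 Windows"),
    ev("s-3", "carol", "2024-11-20T08:00:00", "192.0.2.9", "DE", "Safari/18 macOS", mfa=True),
    ev("s-3", "carol", "2024-11-20T14:00:00", "192.0.2.77", "DE", "Safari/18 macOS"),
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_replayed_sessions(events, window_minutes=60):
    """Return {session_id: details} for sessions whose cookie is used from a
    different IP, country or user agent than the one that passed MFA, within
    window_minutes of that MFA event. Roaming users and VPNs can trigger this
    too, so treat hits as investigation leads, not verdicts."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    flagged = {}
    for sid, evs in by_session.items():
        evs.sort(key=_ts)
        mfa_ev = next((e for e in evs if e["mfa"]), None)
        if mfa_ev is None:
            continue  # no MFA step recorded; nothing to compare against
        for e in evs:
            minutes = (_ts(e) - _ts(mfa_ev)).total_seconds() / 60
            if e is mfa_ev or not (0 < minutes <= window_minutes):
                continue
            reasons = [k for k in ("ip", "country", "ua") if e[k] != mfa_ev[k]]
            if reasons:
                flagged[sid] = {"user": e["user"], "mfa_ip": mfa_ev["ip"],
                                "reuse_ip": e["ip"], "minutes_after_mfa": minutes,
                                "mismatch": reasons}
                break
    return flagged
```

With the constructed data, only session s-1 is flagged in the default window; widening the window also surfaces s-3, where the IP alone changed six hours later.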
Since May 2024, which appears to be the kit’s date of origin, it has set up more than 5,000 phishing domains, the researchers concluded.
Via BleepingComputer