Heimdal

ONNX Store, a new phishing-as-a-service (PhaaS) platform, is targeting Microsoft 365 and Office 365 accounts in financial companies. The hackers use QR codes in PDF attachments to lure employees into visiting malicious links.

The phishing platform uses Telegram bots to spread and includes mechanisms to bypass two-factor authentication (2FA).

Researchers think ONNX Store is a new version of the Caffeine phishing kit, which is managed by a threat actor known as MRxC0DER.

The ONNX phishing process explained

ONNX distributes phishing emails with malicious QR codes embedded in PDF attachments. Once the victim scans one, the QR code leads them to a malicious page that spoofs the Microsoft 365 login interface.

When the victims log into the fake platform, hackers steal their credentials and 2FA tokens in real time.

Further on, the threat actors use WebSockets to send the data to other attackers. Then they hijack the victim’s account before the 2FA token expires.

What’s in it for them? Exfiltrating sensitive data from the compromised email accounts and/or selling the credentials on dark web forums.

The PhaaS platform’s features

ONNX Store advertises offering customizable phishing templates and webmail services for sending phishing emails. Their messages showcase various subscription bundles and pricing, just like a legit business would do:

Webmail Normal ($150/month):

  • customizable text elements
  • password loop
  • Telegram ID integration
  • custom redirect links
  • auto-fetch custom domain logos

Normal ($200/month)

  • true login
  • one-time passwords
  • country blocking
  • custom page titles
  • password loops
  • Telegram integration
  • custom logos

Redirect ($200/month)

  • wildcard links
  • undetectable inbox links
  • custom page titles
  • dynamic codes
  • auto-grab email functionality for 2FA redirects

2FA Cookie Stealer ($400/month)

  • 2FA cookies
  • supports offline 2FA
  • custom page titles
  • Telegram integration
  • dynamic codes
  • link statistics

Additionally, ONNX uses encrypted JavaScript, Cloudflare services for domain protection, and bulletproof hosting to avoid takedowns.

Phishing attacks prevention measures

If your company is using Microsoft 365 accounts, here’s what you can do to mitigate the risk of becoming an ONNX victim:

  • block PDF and HTML attachments from untrustworthy sources
  • restrict access to HTTPS websites that don’t have an up-to-date certificate
  • use a DNS filtering solution to spot malicious websites and block communication immediately
  • educate your employees to recognize phishing attempts

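As an added example (not from the article, and not ONNX code), here is a small Python mail filter that applies the first measure above: it quarantines PDF and HTML attachments unless the sender’s domain is on an allow-list, and checks magic bytes as well as the declared content type so a mislabelled PDF does not slip through. The allow-list, sender addresses and sample messages are constructed for the example.

```python
"""Quarantine PDF/HTML attachments from untrusted senders (added example)."""
import email
from email import policy, utils
from email.message import EmailMessage

# Assumed allow-list: sender domains whose PDF/HTML attachments are tolerated.
TRUSTED_DOMAINS = {"example.com"}

# Attachment types ONNX-style QR-code lures arrive in.
RISKY_TYPES = {"application/pdf", "text/html", "application/xhtml+xml"}
# Magic bytes, so a PDF declared as application/octet-stream is still caught.
RISKY_MAGIC = (b"%pdf-", b"<!doctype html", b"<html")


def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if absent)."""
    addr = utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def risky_attachments(msg):
    """Names of attachments that are PDF/HTML by declared type or by content."""
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        head = payload.lstrip()[:32].lower()
        if part.get_content_type() in RISKY_TYPES or head.startswith(RISKY_MAGIC):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


def verdict(raw):
    """('quarantine', names) when an untrusted sender attaches PDF/HTML."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = risky_attachments(msg)
    if flagged and sender_domain(msg) not in TRUSTED_DOMAINS:
        return ("quarantine", flagged)
    return ("deliver", flagged)


def build_sample(sender, filename, data, maintype, subtype):
    """Constructed test message: a short body plus one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "finance@example.com", "Invoice"
    msg.set_content("Please scan the QR code in the attached document.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample("billing@unknown-sender.example", "invoice.pdf",
                       b"%PDF-1.7 constructed sample", "application", "pdf")
    print(verdict(raw))  # ('quarantine', ['invoice.pdf'])
```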

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
