2 December 2024

Rockstar 2FA phishing-as-a-service targets Microsoft 365 users with AiTM attacks

A new phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has been observed targeting Microsoft 365 users through Adversary-in-the-Middle (AiTM) attacks that allow cybercriminals to bypass multi-factor authentication (MFA) protections.

Rockstar 2FA appears to be an updated version of the DadSec (also known as Phoenix) phishing kit, tracked by Microsoft as Storm-1575. Like its predecessor, Rockstar 2FA is offered as a subscription service, making sophisticated phishing campaigns accessible to individuals with limited technical expertise.

The kit is marketed on platforms like Telegram, ICQ, and Mail.ru, with pricing starting at $200 for a two-week subscription. Monthly options and API renewal services are also available.

Features advertised for Rockstar 2FA include two-factor authentication bypass, cookie harvesting, detection-evasion mechanisms such as Cloudflare Turnstile, customizable login themes, "fully undetectable" phishing links, and real-time monitoring of victims.
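The feature that makes the kit an MFA bypass is cookie harvesting: the AiTM proxy relays the victim's real MFA exchange, so the session cookie it captures is fully authenticated, and the only observable artifact is that the same cookie is later presented from infrastructure the victim never used. The following detector is an added example, not code from the article or from Trustwave. It assumes the identity provider's sign-in log exposes a stable session id, the source IP, the user agent and an MFA-satisfied flag per request, and the events it runs over are constructed.

```python
"""Detect session-cookie replay of the kind AiTM phishing kits enable.

Added example, not part of the article or of any Trustwave tooling. The
sign-in events below are constructed, and the field layout (session id,
source IP, user agent, MFA flag per request) is an assumption about what
an identity provider's sign-in log exposes.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    user_agent: str
    mfa_satisfied: bool


def network_of(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so that address
    churn inside one network does not count as a location change."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def find_session_replays(events, window=timedelta(hours=24)):
    """Return one alert per event that reuses an MFA-satisfied session from a
    different network or browser than the one that completed MFA."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_session[ev.session_id].append(ev)

    alerts = []
    for session_id, evs in by_session.items():
        # The first MFA-satisfied event defines where the session legitimately lives.
        anchor = next((e for e in evs if e.mfa_satisfied), None)
        if anchor is None:
            continue
        for ev in evs:
            if ev.ts <= anchor.ts or ev.ts - anchor.ts > window:
                continue
            reasons = []
            if network_of(ev.src_ip) != network_of(anchor.src_ip):
                reasons.append("network")
            if ev.user_agent != anchor.user_agent:
                reasons.append("user_agent")
            if reasons:
                alerts.append({
                    "user": ev.user,
                    "session_id": session_id,
                    "mfa_from": anchor.src_ip,
                    "reused_from": ev.src_ip,
                    "minutes_after_mfa": int((ev.ts - anchor.ts).total_seconds() // 60),
                    "reasons": reasons,
                })
    return alerts


T0 = datetime(2024, 12, 2, 9, 0)
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"
LINUX_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/132.0"

# Constructed events: alice completes MFA, then her session cookie shows up
# from another network and browser 40 minutes later; bob behaves normally;
# carol never satisfies MFA in this window so her session is not anchored.
SAMPLE_EVENTS = [
    SignInEvent(T0, "alice", "sess-a1", "203.0.113.10", WIN_CHROME, True),
    SignInEvent(T0 + timedelta(minutes=5), "alice", "sess-a1", "203.0.113.12", WIN_CHROME, False),
    SignInEvent(T0 + timedelta(minutes=40), "alice", "sess-a1", "198.51.100.77", LINUX_FIREFOX, False),
    SignInEvent(T0 + timedelta(hours=1), "bob", "sess-b1", "192.0.2.25", WIN_CHROME, True),
    SignInEvent(T0 + timedelta(hours=1, minutes=30), "bob", "sess-b1", "192.0.2.25", WIN_CHROME, False),
    SignInEvent(T0 + timedelta(hours=2), "carol", "sess-c1", "192.0.2.40", WIN_CHROME, False),
]


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

The /24 collapse keeps ordinary DHCP churn from firing, while a change of user agent is treated as its own signal because a replayed cookie is typically loaded into the attacker's browser rather than the victim's. In production the anchor should come from the sign-in that actually satisfied MFA, and the alert should feed a session revocation rather than just a log line.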

The phishing kit's admin panel is designed to help attackers manage their campaigns, generate phishing URLs, and customize themes for enhanced deception.

Trustwave researchers found that phishing emails sent using Rockstar 2FA use diverse delivery mechanisms, such as URLs embedded within the email body, QR codes that redirect to phishing pages, and document attachments laced with malicious links.

The phishing emails often employ convincing templates, including file-sharing notifications and e-signature requests, to lure unsuspecting users.

The campaign also uses legitimate services, including Google Docs Viewer, Atlassian Confluence, Microsoft OneDrive, and Dynamics 365, to host phishing links; these trusted platforms help the links bypass antispam and detection mechanisms. Additionally, Rockstar 2FA employs URL shorteners and open redirects to obfuscate where a link ultimately lands.
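Because the first hop is a trusted host, a filter that only looks at the visible domain passes the message; the phishing page is reached through a destination URL tucked into a query parameter, often percent-encoded more than once, and sometimes through a shortener as well. The triage helper below is an added example, not code from the article or from Trustwave. It works entirely offline, peeling nested absolute URLs out of query parameters and reporting where the chain ends; the host names and the shortener list are constructed placeholders.

```python
"""Unwrap open-redirect and shortener chains embedded in a suspicious URL.

Added example, not from the article. It does not fetch anything: it peels
nested absolute URLs out of query parameters (the pattern open redirectors
use) and flags where the chain ends. Host names and the shortener list are
constructed placeholders.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Constructed list; a real deployment would maintain its own.
SHORTENER_HOSTS = {"short.example", "lnk.example"}
MAX_DECODE_PASSES = 3  # defeats double/triple percent-encoding


def registrable_domain(host):
    """Last two labels of a host name. A simplification of the Public Suffix
    List that is good enough for this example."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def embedded_url(url):
    """Return the first absolute http(s) URL hidden in a query parameter,
    decoding repeatedly to handle layered percent-encoding."""
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for value in values:
            candidate = value
            for _ in range(MAX_DECODE_PASSES + 1):
                if candidate.lower().startswith(("http://", "https://")):
                    return candidate
                decoded = unquote(candidate)
                if decoded == candidate:
                    break
                candidate = decoded
    return None


def unwrap(url, max_hops=5):
    """Follow embedded URLs until none remain or the hop limit is reached."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = embedded_url(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def assess(url):
    """Summarise a URL's redirect chain for triage."""
    chain = unwrap(url)
    first_host = urlparse(chain[0]).hostname or ""
    final_host = urlparse(chain[-1]).hostname or ""
    findings = []
    if len(chain) > 1 and registrable_domain(first_host) != registrable_domain(final_host):
        findings.append("redirects_off_origin")
    if final_host.lower() in SHORTENER_HOSTS:
        findings.append("ends_at_url_shortener")
    if len(chain) > 2:
        findings.append("nested_redirects")
    return {"chain": chain, "final_url": chain[-1], "findings": findings}


# Constructed inputs covering the cases a mail filter has to handle.
SAMPLE_URLS = [
    # Trusted viewer used as an open redirector into a shortener
    "https://docs.trusted.example/viewer?url=https%3A%2F%2Fshort.example%2Fx9f",
    # Benign: relative return path only
    "https://portal.trusted.example/go?next=%2Fdashboard",
    # Double-encoded destination to slip past naive filters
    "https://portal.trusted.example/out?target=https%253A%252F%252Flogin-m365.example%252Fauth",
    # Two redirectors chained
    "https://docs.trusted.example/viewer?url=https%3A%2F%2Fportal.trusted.example%2Fout"
    "%3Ftarget%3Dhttps%253A%252F%252Flogin-m365.example%252Fauth",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        result = assess(u)
        print(result["final_url"], result["findings"])
```

A chain that ends at a shortener still needs a live, sandboxed resolution before a verdict, so `ends_at_url_shortener` is meant to route the link to detonation rather than to block it outright; `redirects_off_origin` on a known open redirector is the stronger signal and is the one worth alerting on.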
