Microsoft 365 users targeted in 2FA-busting phishing campaigns

Researchers have uncovered a Phishing-as-a-Service platform that enables criminals to bypass some forms of 2FA.

Researchers have uncovered a Phishing-as-a-Service (PhaaS) operation that focuses on Microsoft 365 users in financial institutions, which can bypass two-factor authentication (2FA). The observed targets were financial institutions, including banks, private funding firms, and credit union service providers across the EMEA and AMER regions.

The ONNX Store PhaaS is a well-organized and user-friendly platform that even allows phishers to bypass 2FA protection. Users can choose from different services and capabilities at different price levels, ranging from $150 for a basic service to $400 for a package that enables phishers to bypass 2FA.

The phishing lure used a relatively new trick: embedding QR codes in PDF documents that pretend to come from the target’s Human Resources (HR) department, often labelled as a salary update or an employee handbook.

By using QR codes, the attackers hope to bypass protection in two ways. Firstly, spam filters may not recognize the contents of QR codes as malicious, or part of an attack chain, and secondly, the attack relies on the targeted user scanning the QR code with their mobile device. Many organizations lack detection or prevention capabilities on employees’ mobile devices, so this part of the attack is less likely to be blocked on mobile than on a desktop.

Scanning the QR code takes the victim to a phishing landing page disguised as a Microsoft 365 login. Behind the scenes, the server hosting the phishing site uses WebSockets for real-time interaction with the actual login page. This allows the phisher to capture the target’s username, password, and 2FA token on the fake site and then use them immediately on the real site, before the 2FA token expires. If the 2FA token fails for the phisher, the target is redirected and prompted to enter a new one.
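To make clear which kinds of 2FA this relay defeats and which it does not, here is a constructed Python model of the exchange. It is an added example, not code from the article or from the ONNX Store kit: the origins, seed and key are placeholders, the "real site" and "relay" are toy functions, and the origin-bound authenticator is a deliberately simplified stand-in for WebAuthn (it uses an HMAC instead of an asymmetric signature). A relayed app code is accepted because the server only sees the code value; a relayed origin-bound assertion is rejected because the lookalike origin is signed into it.

```python
"""Toy model of a real-time credential relay (constructed demo, not ONNX Store code)."""
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://login.real-example.test"      # placeholder for the genuine login page
PHISH_ORIGIN = "https://login.reel-example.test"     # placeholder for the lookalike page
TOTP_SEED = b"constructed-demo-seed"                  # shared by the user's app and the real site
AUTHENTICATOR_KEY = b"constructed-authenticator-key"  # per-site key held by the user's authenticator


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the usual 6-digit authenticator-app code."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def sign_client_data(key, challenge, origin):
    """Simplified WebAuthn-style assertion: the signature covers the challenge AND the
    origin the browser reports, so it is only valid for that one origin."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).hexdigest()


def user_authenticator(challenge, browser_origin):
    """The user's authenticator. The browser, not the user, supplies the page origin."""
    client_data = {"challenge": challenge.hex(), "origin": browser_origin}
    return client_data, sign_client_data(AUTHENTICATOR_KEY, challenge, browser_origin)


class RealSite:
    """The genuine login service; it knows the password, TOTP seed and authenticator key."""

    def __init__(self):
        self.password = "correct horse"
        self.challenge = b"constructed-random-challenge"

    def login_with_totp(self, password, code, unix_time):
        # The server only learns a code value; it cannot tell who typed it, or where.
        return password == self.password and code == totp(TOTP_SEED, unix_time)

    def login_with_origin_bound(self, password, client_data, signature):
        # Recompute the signature for THIS site's origin and require the reported origin to match.
        expected = sign_client_data(AUTHENTICATOR_KEY, self.challenge, REAL_ORIGIN)
        origin_ok = client_data["origin"] == REAL_ORIGIN
        sig_ok = hmac.compare_digest(signature, expected)
        return password == self.password and origin_ok and sig_ok


def relay_totp(site, unix_time):
    """Victim types password and current app code into the lookalike page; the relay
    forwards both to the real site inside the 30-second window."""
    typed_password = "correct horse"
    typed_code = totp(TOTP_SEED, unix_time)  # victim reads this from their app
    return site.login_with_totp(typed_password, typed_code, unix_time)


def relay_origin_bound(site, forge_origin_field=False):
    """Same relay, but the user signs in with an origin-bound authenticator while the
    browser is on the lookalike origin. Optionally the relay edits the origin field
    to the real one; the signature then no longer matches."""
    typed_password = "correct horse"
    client_data, signature = user_authenticator(site.challenge, PHISH_ORIGIN)
    if forge_origin_field:
        client_data = dict(client_data, origin=REAL_ORIGIN)
    return site.login_with_origin_bound(typed_password, client_data, signature)


def direct_origin_bound(site):
    """Control case: the same authenticator used directly on the real site."""
    client_data, signature = user_authenticator(site.challenge, REAL_ORIGIN)
    return site.login_with_origin_bound("correct horse", client_data, signature)


if __name__ == "__main__":
    site = RealSite()
    print("TOTP relayed in time           ->", relay_totp(site, 1_700_000_000))
    print("Origin-bound relayed            ->", relay_origin_bound(site))
    print("Origin-bound, origin field edited ->", relay_origin_bound(site, forge_origin_field=True))
    print("Origin-bound used directly      ->", direct_origin_bound(site))
```

The model shows why "use it immediately on the real site" works for anything the user reads off a screen and retypes: the code carries no information about where it was entered. Methods that bind the credential to the origin the browser is actually on (FIDO2/WebAuthn security keys and passkeys) are the form of 2FA a relay of this kind does not defeat.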

To make targets feel safe, the phishing domains use domain mimicry (aka typosquatting) so the URL is very similar to the one the targets expect to see.
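A defender-side check for the domain mimicry described above, added here as an example (it is not from the article or the ONNX Store kit). The allowlist holds two real Microsoft 365 sign-in hostnames; every other hostname in the block is constructed for illustration and refers to no real domain. The confusable maps are deliberately short and would be extended in production.

```python
"""Flag hostnames that mimic expected Microsoft 365 sign-in hosts (added defender-side example)."""
import unicodedata

# Sign-in hosts a Microsoft 365 user legitimately lands on (real hostnames).
EXPECTED_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com")
# Brand tokens whose presence in any other host deserves a closer look.
BRAND_TOKENS = ("microsoft", "office365", "live.com")
# Partial look-alike maps (constructed; a production list would be much longer).
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
MAX_EDIT_DISTANCE = 2


def normalize(host):
    """Lower-case, fold Unicode compatibility forms, replace common look-alike sequences."""
    h = unicodedata.normalize("NFKC", host).strip().lower().rstrip(".")
    for seq, repl in MULTI_CHAR_CONFUSABLES:
        h = h.replace(seq, repl)
    return h.translate(SINGLE_CHAR_CONFUSABLES)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, reason); verdict is 'expected', 'lookalike' or 'unrelated'."""
    raw = host.strip().lower().rstrip(".")
    if raw in EXPECTED_LOGIN_HOSTS:
        return "expected", raw
    norm = normalize(raw)
    # 1. Same host once look-alike characters are folded back (micros0ft, rnicrosoft, ...).
    for expected in EXPECTED_LOGIN_HOSTS:
        if norm == normalize(expected):
            return "lookalike", f"homoglyph of {expected}"
    # 2. A dropped, added or swapped character or two.
    dist, closest = min((levenshtein(norm, normalize(e)), e) for e in EXPECTED_LOGIN_HOSTS)
    if dist <= MAX_EDIT_DISTANCE:
        return "lookalike", f"edit distance {dist} from {closest}"
    # 3. The real host name used as a subdomain of some other registrable domain.
    for expected in EXPECTED_LOGIN_HOSTS:
        if norm.startswith(expected + "."):
            return "lookalike", f"{expected} used as subdomain of another domain"
    # 4. Brand token in a host we do not expect at all.
    for token in BRAND_TOKENS:
        if token in norm:
            return "lookalike", f"brand token '{token}' in unexpected host"
    return "unrelated", ""


if __name__ == "__main__":
    # Constructed sample hostnames; none of these are real domains.
    samples = [
        "login.microsoftonline.com",
        "login.micros0ftonline.com",
        "login.rnicrosoftonline.com",
        "login.microsoftonlne.com",
        "login.microsoftonline.com.account-check.test",
        "login.microsoftonline-secure.test",
        "intranet.example.test",
    ]
    for h in samples:
        verdict, reason = classify(h)
        print(f"{h:48} {verdict:10} {reason}")
```

In practice this runs over the hostnames a user actually reached (proxy or DNS logs) rather than over the link text in the email, since the QR code lure bypasses the mail gateway entirely; anything classified as a lookalike is a candidate for blocking and for a credential reset.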

Furthermore, the ONNX Store phishing kit uses encrypted JavaScript code that decrypts itself during page load and includes a basic anti-JavaScript debugging feature. This reportedly helps to circumvent anti-phishing filters that are behavior-based.

Obviously, the phishers use bulletproof hosting services that advertise on underground forums with slogans like “we’ll ignore all abuse reports.”

The harvested credentials can be sold on the Dark Web or used by the phisher to access the email account of the target in order to find even more valuable information.

Red flags

When you work for financial institutions, you should be aware that you are an attractive target for phishers and other cybercriminals. So, when you receive an email, there are a few questions to quickly answer in your head:

  • Should I open an unannounced and unverified attachment?
  • Even if you’re hoping for a raise, ask yourself, “is this the normal procedure my company would follow?”
  • Finally, if the email attachment contains a QR code, ask yourself why HR didn’t use a normal link.