Microsoft Takes Action Against Phishing-as-a-Service Platform

The ONNX infrastructure has been servicing criminal actors as far back as 2017.

Dark Reading Staff, Dark Reading

November 21, 2024


Microsoft seized 240 domains belonging to ONNX, a phishing-as-a-service platform that enabled its customers to target companies and individuals since 2017.

ONNX was the top adversary-in-the-middle (AitM) phishing service, according to Microsoft's "Digital Defense Report 2024," with a high volume of phishing messages during the first six months of this year. Millions of phishing emails targeted Microsoft 365 accounts each month, and Microsoft has apparently had enough.

ONNX promoted and sold phishing kits on Telegram under a subscription model, with prices ranging from $150 to $550 a month.

"The fraudulent ONNX operation offered phishing kits designed to target a variety of companies across the technology sector, including Google, Dropbox, Rackspace, and Microsoft," Microsoft said in its statement.

The attacks themselves are controlled through Telegram bots and come with built-in two-factor authentication (2FA) bypass mechanisms. More recently, QR code phishing, also known as quishing, has been enabled as well, targeting financial firms' employees. ONNX uses bulletproof hosting services that delay phishing domain takedowns, as well as encrypted JavaScript code that decrypts itself, all of which makes the operation highly effective at carrying out attacks and evading detection.

"While today's legal action will substantially hamper the fraudulent ONNX's operations, other providers will fill the void, and we expect threat actors will adapt their techniques in response," stated Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit. "However, taking action sends a strong message to those who choose to replicate our services to harm users online: we will proactively pursue remedies to protect our services and our customers and are continuously improving our technical and legal strategies to have greater impact."

A full list of the 240 domains that were seized is available online.
