'ONNX' MFA Bypass Targets Microsoft 365 Accounts

The service, likely a rebrand of a previous operation called "Caffeine," mainly targets financial institutions in the Americas and EMEA and uses malicious QR codes and other advanced evasion tactics.


A highly organized phishing-as-a-service (PhaaS) operation is targeting Microsoft 365 accounts across financial firms with business email compromise (BEC) attacks that leverage a two-factor authentication (2FA) bypass, QR codes, and other advanced evasion tactics to maximize success, researchers have found.

Security analysts from EclecticIQ in February discovered a broad phishing campaign targeting financial institutions, in which threat actors used embedded QR codes in PDF attachments to redirect victims to phishing URLs, according to a blog post published June 18. Specific organizations targeted included banks, private funding firms, and credit union service providers across the Americas and Europe, Middle East and Africa (EMEA) regions.

EclecticIQ eventually tracked the origin of the campaign to a PhaaS platform called ONNX Store, "which operates through a user-friendly interface accessible via Telegram bots," EclecticIQ threat intelligence analyst Arda Büyükkaya wrote in the post.

A key part of the ONNX service is a 2FA bypass mechanism that intercepts 2FA requests from victims using encrypted JavaScript code, to decrease the likelihood of detection and bolster the success rate of attacks, Büyükkaya noted. Moreover, the phishing pages delivered in the attacks use typosquatting to closely resemble Microsoft 365 login interfaces, making them more likely to trick targets into entering their authentication details.

Snapshot of an ONNX Attack

A typical email used in the attack shows a threat actor purporting to send the employee a human resources-related PDF document, such as an employee handbook or a salary remittance slip. The document impersonates Adobe or Microsoft 365 to try to trick a recipient into opening the attachment via a QR code that, once scanned, directs victims to a phishing landing page.

The use of QR codes is an increasingly common tactic for evading endpoint detection, Büyükkaya noted: "Since QR codes are typically scanned by mobile phones, many organizations lack detection or prevention capabilities on employees' mobile devices, making it challenging to monitor these threats."

The attacker-controlled landing page is designed to steal login credentials and 2FA authentication codes using the adversary-in-the-middle (AitM) method, analysts found.

"When victims enter their credentials, the phishing server collects the stolen information via WebSockets protocol, which allows real-time, two-way communication between the user's browser and the server," Büyükkaya wrote. In this way, attackers can quickly capture and transmit stolen data without the need for frequent HTTP requests, making the phishing operation more efficient and harder to detect, he noted.

Another PhaaS operator, Tycoon, also has used a similar AitM technique and a multifactor authentication (MFA) bypass involving a Cloudflare CAPTCHA, demonstrating how malicious actors are learning from each other and adapting strategies accordingly, Büyükkaya said.

ONNX also overlaps in both Telegram infrastructure and advertising methods with a phishing kit called Caffeine (first discovered by researchers at Mandiant in 2022), the researchers found, so it could be a rebranding of that operation, according to EclecticIQ.

Another scenario is that the Arabic-speaking threat actor MRxC0DER, who is believed to have developed and maintained Caffeine, is providing client support to the ONNX Store, while the broader operation "is likely managed independently by a new entity without central management," Büyükkaya wrote.

JavaScript Encryption Adds Level of Evasion

Another anti-detection measure in the ONNX phishing kit is the use of encrypted JavaScript code that decrypts itself during page load, and includes a basic anti-JavaScript debugging feature. "This adds a layer of protection against anti-phishing scanners and complicates analysis," according to the analysis.

EclecticIQ researchers observed a functionality in the decrypted JavaScript code that's specifically designed to steal 2FA tokens entered by the victims and relay them to the attacker, who then uses the stolen credentials and tokens in real time to log in to Microsoft 365.

"This real-time relay of credentials allows the attacker to gain unauthorized access to the victim's account before the 2FA token expires, circumventing multifactor authentication," Büyükkaya wrote.

Mitigating and Preventing ONNX Phishing Attacks

EclecticIQ provided countermeasures for combatting specific tactics used by ONNX Store. To mitigate threats from embedded QR codes in PDF documents, organizations should block PDF or HTML attachments from unverified external sources in email server settings. They also can educate employees on the risks associated with scanning QR codes from unknown sources.

To combat the typosquatted domains used by the threat actor to impersonate Microsoft, organizations can implement domain name system security extensions (DNSSEC), which protects domains from multiple cyber threats, including typosquatting.

There are also measures that defenders can take to combat the theft of 2FA tokens, such as implementing FIDO2 hardware security keys for 2FA; setting a short expiration time for login tokens that limits a cyberattacker's window of opportunity to use them; and using security monitoring tools to detect and alert for any unusual behavior, such as multiple failed login attempts or logins from unusual locations.
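The monitoring described above, sketched as an added example (it is not from EclecticIQ's report or any vendor tool): a small detector over constructed sign-in events that flags bursts of failed logins and successful logins from a country outside a user's baseline. The event fields, thresholds, user names and baseline are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# (ISO timestamp, user, source country, result)
EVENTS = [
    ("2024-06-18T08:00:00", "alice@corp.example", "US", "success"),
    ("2024-06-18T08:05:00", "bob@corp.example", "DE", "failure"),
    ("2024-06-18T08:07:00", "bob@corp.example", "DE", "failure"),
    ("2024-06-18T08:09:00", "bob@corp.example", "DE", "failure"),
    ("2024-06-18T08:30:00", "bob@corp.example", "DE", "success"),
    ("2024-06-18T09:00:00", "alice@corp.example", "SG", "success"),
    ("2024-06-18T09:20:00", "carol@corp.example", "FR", "failure"),
    ("2024-06-18T09:45:00", "carol@corp.example", "FR", "failure"),
    ("2024-06-18T10:10:00", "carol@corp.example", "FR", "failure"),
]

# Assumed per-user baseline of countries seen in earlier, trusted sign-ins.
BASELINE = {
    "alice@corp.example": {"US"},
    "bob@corp.example": {"DE"},
    "carol@corp.example": {"FR"},
}

FAIL_THRESHOLD = 3                    # failures that trigger an alert
FAIL_WINDOW = timedelta(minutes=10)   # sliding window for counting failures


def detect(events, baseline):
    """Return (kind, user, timestamp) alerts for the two behaviours above."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> failure times in window
    for ts, user, country, result in sorted(events):
        when = datetime.fromisoformat(ts)
        if result == "failure":
            window = recent_failures[user]
            window.append(when)
            # Drop failures that have aged out of the sliding window.
            while when - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("failed_burst", user, ts))
                window.clear()  # avoid re-alerting on the same burst
        elif country not in baseline.get(user, set()):
            # Successful sign-in from a country never seen for this user.
            alerts.append(("unusual_location", user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```
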

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
