A new phishing-as-a-service (PhaaS) platform, called Rockstar 2FA, has been observed targeting Microsoft 365 user accounts with adversary-in-the-middle (AiTM) attacks.
The attack chain begins with a phishing email designed to look like a document-sharing notification, IT department notice, password reset alert, or payroll-related message. When a target clicks the link, they are presented with a seemingly legitimate M365 login page.
When the unsuspecting target submits their M365 credentials, the fake site acts as a proxy and forwards them to Microsoft’s legitimate authentication service to complete the sign-in. The threat actor then captures the session cookie Microsoft returns, which can be used to log directly into the victim’s account regardless of whether multifactor authentication (MFA) is enabled.
Rockstar 2FA phishing sites are equipped with a Cloudflare Turnstile Captcha and JavaScript that redirects connection attempts from cybersecurity analysts, bots, and out-of-scope targets to a car-themed decoy website.
For $380 per month, Rockstar 2FA provides its clients with access to nearly 5,000 well-crafted fake login pages with an embedded AiTM feature that captures victims’ authentication tokens to bypass MFA controls.
Source: Bleeping Computer
Analysis
PhaaS kits such as Rockstar 2FA allow threat actors with limited technical skill and experience to engage in sophisticated phishing activities when they otherwise wouldn’t have had the capability to do so. The kits effectively turn the average criminal into a cybercriminal overnight, representing a significant threat to organizations and individuals worldwide.
Aspiring phishers have a variety of PhaaS kits to choose from. For example, in October 2024, a similar PhaaS known as Mamba 2FA was also observed targeting M365 accounts with AiTM attacks.
Fortunately, phishing is a well-known attack vector and can be mitigated by implementing a combination of administrative security controls, such as phishing awareness training, with technical security controls, such as automatic scanning and URL stripping.
In most cases, the difference between being compromised or not comes down to the recipient of the phishing email and whether they have the awareness not to fall victim to it.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats to M365 user accounts. Field Effect MDR users are automatically notified when their M365 accounts are accessed from suspicious IP addresses, ISPs, or geographical areas, and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
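The AiTM flow described above (the MFA sign-in arrives from the proxy’s network, and the captured cookie is then replayed from wherever the attacker sits) leaves two signals in sign-in logs that the suspicious-IP/ISP/geography alerts mentioned here rely on. The following is an added example, not code from Field Effect or the article, that flags both over constructed M365-style sign-in records; the field names, ASNs and baseline data are assumptions.

```python
# Added example, not Field Effect's or the article's code. Flags two AiTM-style signals in
# constructed M365-style sign-in records: access from a network outside the user's baseline,
# and one session cookie used from more than one network. Field names are assumed.
from collections import defaultdict

# Constructed per-user baseline of (ASN, country) pairs seen in normal use (assumed values).
BASELINE = {
    "alice@example.com": {("AS64496", "CA")},
    "bob@example.com": {("AS64496", "CA")},
}

# Constructed records (not real logs). Alice's MFA sign-in comes from an unfamiliar network
# (the proxy) and the same session is then used from a third network (the cookie replay).
SIGN_INS = [
    {"ts": 1, "user": "alice@example.com", "session": "S1", "ip": "198.51.100.7", "asn": "AS64500", "country": "NL", "mfa": True},
    {"ts": 2, "user": "alice@example.com", "session": "S1", "ip": "192.0.2.44", "asn": "AS64501", "country": "RU", "mfa": False},
    {"ts": 1, "user": "bob@example.com", "session": "S2", "ip": "203.0.113.20", "asn": "AS64496", "country": "CA", "mfa": True},
    {"ts": 3, "user": "bob@example.com", "session": "S2", "ip": "203.0.113.20", "asn": "AS64496", "country": "CA", "mfa": False},
]


def analyze_sign_ins(events, baseline):
    """Return (user, reason, session, ip) alerts in event-time order."""
    alerts = []
    networks_per_session = defaultdict(set)  # session id -> {(asn, country), ...}
    for ev in sorted(events, key=lambda e: e["ts"]):
        net = (ev["asn"], ev["country"])
        user, sid = ev["user"], ev["session"]
        # Signal 1: sign-in from an ASN/country this user has never used before.
        if net not in baseline.get(user, set()):
            alerts.append((user, "new-network", sid, ev["ip"]))
        # Signal 2: the same session (cookie) appearing from a second network. A legitimate
        # user who roams also trips this, so it is a review trigger, not proof of compromise.
        seen = networks_per_session[sid]
        if seen and net not in seen:
            alerts.append((user, "session-reuse", sid, ev["ip"]))
        seen.add(net)
    return alerts


if __name__ == "__main__":
    for alert in analyze_sign_ins(SIGN_INS, BASELINE):
        print(alert)
```

Running it reports two new-network alerts and one session-reuse alert, all for alice; bob’s in-baseline, single-network session produces nothing.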
Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.