Rockstar 2FA, a newly discovered phishing-as-a-service (PhaaS) platform, poses a massive threat to Microsoft 365 credentials, enabling threat actors to execute large-scale adversary-in-the-middle (AiTM) attacks.
Reports revealed that this new kit enables attackers to run AiTM campaigns that bypass multifactor authentication (MFA) on targeted accounts by intercepting legitimate session cookies.
These attacks work by redirecting victims to a bogus login page that looks like Microsoft 365 and deceiving them into entering their credentials. The AiTM server serves as a proxy, transmitting the credentials to Microsoft’s legitimate service to complete the authentication procedure and then capturing the cookie as it is returned to a target’s browser.
Next, the threat actors can utilise this cookie to acquire direct access to the victim’s account, even if it employs MFA, without the threat actor having to provide any credentials.
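The cookie replay described above leaves a trace that defenders can look for: the session minted by an interactive, MFA-satisfied login is later used from the attacker's infrastructure rather than the victim's device. The following is an added example, not code from the article or from any of the researchers it cites. It runs a simple replay heuristic over constructed sign-in events; the event schema (`user`, `session_id`, `ip`, `user_agent`, `interactive_mfa`) is an assumption for illustration, and the IPs, user agents and timestamps are invented test data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SignIn:
    """One sign-in event. The field names are an assumed schema, not a real log format."""
    ts: datetime
    user: str
    session_id: str          # identifier of the session/cookie the event belongs to
    ip: str
    user_agent: str
    interactive_mfa: bool    # True only for the interactive login where MFA was satisfied


@dataclass(frozen=True)
class Alert:
    user: str
    session_id: str
    mint_ip: str             # where the MFA-satisfied login came from
    replay_ip: str           # where the same session was later used from
    minutes_apart: float


def detect_session_replay(events: List[SignIn],
                          window: timedelta = timedelta(hours=24)) -> List[Alert]:
    """Flag a session whose token is used from a different IP *and* a different
    user agent than the MFA-satisfied login that minted it, within `window`.

    Requiring both attributes to change keeps ordinary roaming (new IP, same
    browser) out of the alert list; a replayed AiTM cookie typically arrives
    from the operator's own host and tooling, so both differ. This is a
    heuristic that needs triage, not proof of compromise.
    """
    anchors: Dict[str, SignIn] = {}          # session_id -> interactive MFA login
    seen: Set[Tuple[str, str]] = set()       # (session_id, ip) already alerted on
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.interactive_mfa:
            anchors[ev.session_id] = ev
            continue
        anchor = anchors.get(ev.session_id)
        if anchor is None or ev.ts - anchor.ts > window:
            continue                         # unknown origin, or outside the window
        if (ev.ip != anchor.ip and ev.user_agent != anchor.user_agent
                and (ev.session_id, ev.ip) not in seen):
            seen.add((ev.session_id, ev.ip))
            alerts.append(Alert(
                user=ev.user,
                session_id=ev.session_id,
                mint_ip=anchor.ip,
                replay_ip=ev.ip,
                minutes_apart=(ev.ts - anchor.ts).total_seconds() / 60,
            ))
    return alerts


# Constructed sample telemetry (documentation-range IPs, invented user agents).
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
PY_REQUESTS = "python-requests/2.31"
T0 = datetime(2024, 11, 29, 9, 0, 0)

SAMPLE_EVENTS = [
    # alice: MFA login from the office; 12 minutes later the same session is
    # used from another network with scripted tooling -> looks like cookie replay
    SignIn(T0, "alice", "sess-a1", "203.0.113.10", WIN_CHROME, True),
    SignIn(T0 + timedelta(minutes=12), "alice", "sess-a1", "198.51.100.77", PY_REQUESTS, False),
    SignIn(T0 + timedelta(minutes=15), "alice", "sess-a1", "198.51.100.77", PY_REQUESTS, False),
    # bob: MFA login, then normal reuse from the same device -> benign
    SignIn(T0, "bob", "sess-b1", "203.0.113.22", WIN_CHROME, True),
    SignIn(T0 + timedelta(hours=2), "bob", "sess-b1", "203.0.113.22", WIN_CHROME, False),
    # carol: same browser from a new IP (e.g. switched to tethering) -> benign under this rule
    SignIn(T0, "carol", "sess-c1", "203.0.113.30", WIN_CHROME, True),
    SignIn(T0 + timedelta(hours=1), "carol", "sess-c1", "192.0.2.55", WIN_CHROME, False),
    # dave: suspicious use, but two days later, outside the 24h window -> not flagged here
    SignIn(T0, "dave", "sess-d1", "203.0.113.40", WIN_CHROME, True),
    SignIn(T0 + timedelta(days=2), "dave", "sess-d1", "198.51.100.90", PY_REQUESTS, False),
]

if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(f"{a.user}: session {a.session_id} minted from {a.mint_ip}, "
              f"replayed from {a.replay_ip} {a.minutes_apart:.0f} min later")
```

Only alice's session is flagged on the sample data: bob reuses his session from the same device, carol changes network but not browser, and dave's anomaly falls outside the window. In production the window, the "both IP and user agent changed" condition, and the session identifier field all need tuning to the real sign-in log source; the point is that a stolen cookie is invisible in the login itself, so the signal has to come from where and how the session is used afterwards.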
Rockstar 2FA is believed to be an upgraded version of two earlier phishing kits.
According to investigations, Rockstar 2FA is an improved version of the DadSec and Phoenix phishing kits. The platform gained prominence among cybercriminals in August 2024; subscriptions are priced at $200 for two weeks, and an API access renewal costs $180.
The researchers noted that the phishing campaigns associated with Rockstar 2FA used legitimate email marketing platforms or hijacked accounts to deliver malicious messages to targets. The messages include various lures, such as password reset alerts, IT department notices, document-sharing notifications, and payroll-related messages.
The researchers report that these messages use several block-evasion techniques, including QR codes, URLs from legitimate link-shortening services, and PDF attachments. In addition, the PhaaS operators in recent attacks use a Cloudflare Turnstile challenge to filter out bots, and the attack most likely performs IP checks before redirecting valid targets to a Microsoft 365 login phishing page.
If the visitor is identified as a bot, a security researcher, or an untargeted entity, the attack flow redirects them to a harmless car-themed decoy page. The landing page's JavaScript is decrypted and, depending on the AiTM server's evaluation of the visitor, it serves either the phishing page or the car-themed decoy.
The sudden emergence of Rockstar 2FA shows how phishing operators keep refining their attack process and overall capabilities. Users and organisations should therefore be aware of these threats to avoid joining the growing number of victims of such operations.
