Friday, May 2, 2025

New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication

Several phishing campaign kits have been used widely by threat actors in the past. One popular PhaaS (Phishing-as-a-Service) platform was Caffeine, which was first identified and reported by Mandiant researchers.

MRxC0DER, an Arabic-speaking threat actor, developed and maintained the Caffeine kit.

Caffeine has now been rebranded as ONNX Store. The platform is managed independently, but the original developer still handles client support.

Threat actors are currently using this new rebranded platform to target financial institutions through phishing emails.

Additionally, ONNX Store offers a user-friendly interface that is accessed through Telegram bots.

It also has the capability to bypass 2FA mechanisms, which increases the success rate of business email compromise (BEC) attacks.

PhaaS Platform Bypasses 2FA

According to the reports shared with Cyber Security News, the phishing pages used in these campaigns closely resemble the genuine Microsoft 365 login page, which is enough to convince an unsuspecting user to enter their authentication credentials.

The rebranding specifically focused on improving operational security for the threat actors and their services.

Overview of ONNX store (Source: EclecticIQ)

While the Caffeine kit used a single shared web server to manage all phishing campaigns, ONNX Store lets threat actors control their operations through Telegram bots, with support provided through a dedicated channel. Some of the observed ONNX Store channels and bots are:

  • @ONNXIT: A Telegram user – manages support needs from clients. 
  • @ONNX2FA_bot: A Telegram bot for clients to receive 2FA codes from successful phishing operations. 
  • @ONNXNORMAL_bot: A Telegram bot for clients to receive Microsoft Office 365 login credentials. 
  • @ONNXWEBMAIL_bot: A Telegram bot for clients to control a Webmail server for sending phishing emails. 
  • @ONNXKITS_BOT: A Telegram bot for clients to make payments for ONNX Store services and track their orders. 

Those are the channels and bots; the services offered include:

  • Microsoft Office 365 phishing template generation. 
  • Webmail service for sending phishing emails and using social engineering lures. 
  • Bulletproof hosting and RDP services for cybercriminals to manage their operations securely. 

Cloudflare To Prevent Domain Shutdowns

In several past instances, law enforcement action against such cybercriminal operations has resulted in domain shutdowns that halted further activity.

This new setup, however, places its phishing domains behind Cloudflare to delay the takedown process: Cloudflare's anti-bot CAPTCHA helps evade website scanner detections, and its IP proxying hides the original hosting provider.

Cloudflare implementation (Source: EclecticIQ)

The different phishing tools are priced as follows:

  • Webmail Normal service ($150/Month): Offers customizable phishing pages and webmail server. 
  • Office 2FA Cookie Stealer ($400/Month): A phishing landing page that captures 2FA tokens and cookies from victims, featuring statistics, country blocking, and email grabbing. 
  • Office Normal package ($200/Month): Enables email credential harvesting capabilities without bypassing 2FA. 
  • Office Redirect Service ($200/Month): Advertised by ONNX Store as creating “Fully Undetectable (FUD) links”. This service exploits trusted domains, such as bing.com, to redirect victims to attacker-controlled phishing landing pages. 

List of available options in ONNX Store (Source: EclecticIQ)

The platform also supports quishing (QR-code phishing) attacks, in which threat actors distribute PDF documents containing a QR code via phishing emails.

Scanning the QR code redirects the victim to a phishing landing page. Most of the phishing emails impersonated reputable services such as Adobe or Microsoft 365.

Encrypted JS Code To Evade Detection

The phishing kit also uses encrypted JavaScript code that is only decrypted when the page loads.

This prevents anti-phishing scanners from detecting these phishing domains. 

Once the JS code is decrypted, it uses third-party services such as “httbin[.]org” and “ipapi[.]co” to collect the victim’s network metadata (browser name, IP address and location) before sending it to the threat actors.

The encryption method also hides the malicious scripts, which are unpacked as follows:

  • The encoded string is decoded from base64. 
  • Every character of the decoded string is XORed with a character from the hardcoded key, cycling through the key for the decryption. 
  • The result is a decrypted string (JavaScript code), which is then executed by the browser. 

These hidden malicious scripts cannot be seen during a casual inspection. However, if the key and the encrypted string are known, the payload can be decrypted easily.
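The three unpacking steps above are easy to reverse for analysis once an analyst has pulled the key and the encoded blob out of the page source. The script below is an added example written for this article, not code from the ONNX kit or from the EclecticIQ report: it implements the base64-then-XOR-with-cycling-key decoding the report describes, builds its own labelled sample payload (the encoder exists only to construct that sample), and flags whether the decoded script references the third-party domains the article names. The sample key, the sample JavaScript string and the function names are all assumptions.

```python
import base64

# Third-party services the article says the decrypted script contacts (defanged as on the page).
REPORTED_THIRD_PARTY_DOMAINS = ("httbin[.]org", "ipapi[.]co")


def xor_with_cycling_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the corresponding key byte, cycling through the key."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(encoded: str, key: str) -> str:
    """Reverse the scheme described in the article: base64-decode, then XOR with the cycling key.

    base64.b64decode raises binascii.Error on a malformed blob, which is the right
    failure mode for an analysis tool: a half-decoded script is worse than an error.
    """
    raw = base64.b64decode(encoded)
    return xor_with_cycling_key(raw, key.encode()).decode("utf-8", errors="replace")


def encode_payload(plain: str, key: str) -> str:
    """Inverse of decode_payload; used here only to build the constructed sample below."""
    return base64.b64encode(xor_with_cycling_key(plain.encode(), key.encode())).decode("ascii")


def find_reported_domains(script: str) -> list:
    """Return which of the article's third-party domains a decoded script references."""
    found = []
    for defanged in REPORTED_THIRD_PARTY_DOMAINS:
        if defanged.replace("[.]", ".") in script:
            found.append(defanged)
    return found


# Constructed sample (assumption, not the kit's real key or payload): a harmless JavaScript
# string that merely mentions one of the reported domains so the detection check has something to find.
SAMPLE_KEY = "k3y"
SAMPLE_SCRIPT = 'var lookup = "https://ipapi.co/json/"; /* constructed sample */'
SAMPLE_ENCODED = encode_payload(SAMPLE_SCRIPT, SAMPLE_KEY)


def analyse(encoded: str, key: str) -> dict:
    """Decode an obfuscated blob and report which reported domains it references."""
    script = decode_payload(encoded, key)
    return {"script": script, "reported_domains": find_reported_domains(script)}


if __name__ == "__main__":
    result = analyse(SAMPLE_ENCODED, SAMPLE_KEY)
    print("decoded :", result["script"])
    print("domains :", result["reported_domains"])
```

For a real page the `encoded` and `key` arguments come from the string literals sitting next to the decode routine in the captured HTML; the decoded output should be treated as untrusted data and never executed, only read and searched.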

The decrypted JS code was also designed to steal the 2FA token entered by the victim.

Bulletproof Hosting For Cybercriminals

The registered phishing domains have SSL certificates issued by GTS CA 1P5 (Google Trust Services LLC).

Most of the domains were registered through NameSilo and EVILEMPIRE-AS.

These bulletproof hosting services give cybercriminals an additional layer of anonymity.

Bulletproof hosting (Source: EclecticIQ)

In addition, there were services designed to support a wide range of illegal operations.

The advertisement on a Telegram group stated that the Bulletproof hosting was under development and they were adding RDP sessions.

ONNX Store is also advertised as supporting multiple concurrent malicious campaigns on high-performance infrastructure with enhanced RAM, CPU and SSD speeds and unlimited bandwidth.

Indicators Of Compromise

Phishing URLs  

  • authmicronlineonfication[.]com 
  • verify-office-outlook[.]com 
  • stream-verify-login[.]com 
  • zaq[.]gletber[.]com 
  • v744[.]r9gh2[.]com 
  • bsifinancial019[.]ssllst[.]cloud 
  • 473[.]kernam[.]com 
  • docusign[.]multiparteurope[.]com 
  • 56789iugtfrd5t69i9ei9die9di9eidy7u889[.]rhiltons[.]com 
  • agchoice[.]us-hindus[.]com 

Malicious PDF Files 

  • 432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3 
  • 47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea 
  • 51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1 
  • f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070 
  • 52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a 
  • 3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e 
  • 702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7 
  • 908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12 
  • d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172 
  • 4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732 
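Indicators published in defanged form (`[.]` for `.`) have to be refanged before they can be matched against logs, and domain matching should catch subdomains of a listed domain without being fooled by look-alike hosts that merely end in the same characters. The script below is an added example for this article, not tooling from EclecticIQ or Cyber Security News: it refangs the domains and hashes listed above and runs them over a few constructed proxy-log lines. The log format, the sample IP addresses and the function names are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains exactly as listed in the article's IoC section (defanged).
PHISHING_DOMAINS_DEFANGED = [
    "authmicronlineonfication[.]com",
    "verify-office-outlook[.]com",
    "stream-verify-login[.]com",
    "zaq[.]gletber[.]com",
    "v744[.]r9gh2[.]com",
    "bsifinancial019[.]ssllst[.]cloud",
    "473[.]kernam[.]com",
    "docusign[.]multiparteurope[.]com",
    "56789iugtfrd5t69i9ei9die9di9eidy7u889[.]rhiltons[.]com",
    "agchoice[.]us-hindus[.]com",
]

# SHA-256 hashes of the malicious PDFs from the article, normalised to lower case for comparison.
MALICIOUS_PDF_SHA256 = {
    "432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3",
    "47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea",
    "51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1",
    "f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070",
    "52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a",
    "3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e",
    "702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7",
    "908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12",
    "d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172",
    "4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable lower-case hostname."""
    return indicator.replace("[.]", ".").strip().lower()


PHISHING_DOMAINS = {refang(d) for d in PHISHING_DOMAINS_DEFANGED}


def host_matches(host: str) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of, else None.

    The leading "." in the suffix test is what stops "notverify-office-outlook.com"
    from matching "verify-office-outlook.com".
    """
    host = host.lower().rstrip(".")
    for ioc in PHISHING_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def pdf_hash_is_known(sha256_hex: str) -> bool:
    """Case-insensitive lookup of a SHA-256 hex digest against the published PDF hashes."""
    return sha256_hex.strip().lower() in MALICIOUS_PDF_SHA256


# Assumed proxy-log layout: "<timestamp> <client-ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client-ip, requested host, matched indicator) for each line hitting an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = urlparse(m.group("url")).hostname
        if not host:
            continue
        ioc = host_matches(host)
        if ioc:
            hits.append((m.group("src"), host, ioc))
    return hits


# Constructed sample log lines (not real traffic): one direct hit, one benign request,
# one subdomain of a listed domain, and one look-alike that must not match.
SAMPLE_LOG = [
    "2025-05-02T09:14:03Z 10.0.0.12 GET https://verify-office-outlook.com/login",
    "2025-05-02T09:14:10Z 10.0.0.12 GET https://www.microsoft.com/",
    "2025-05-02T09:15:22Z 10.0.0.31 GET https://cdn.zaq.gletber.com/a.js",
    "2025-05-02T09:16:01Z 10.0.0.44 GET https://notverify-office-outlook.com/",
]

if __name__ == "__main__":
    for src, host, ioc in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} requested {host} (matches IoC {ioc})")
```

Treat subdomain hits with some care: a listed domain with its own subdomain labels, such as `zaq[.]gletber[.]com`, is matched only at or below that label, so the parent `gletber[.]com` is deliberately not flagged on its own.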
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.