Telegram Bot Selling Phishing Tools to Bypass 2FA & Hack Microsoft 365 Accounts

A newly discovered phishing marketplace, ONNX Store, empowers cybercriminals to launch sophisticated attacks against Microsoft 365 and Office 365 environments. The platform provides tools to circumvent robust 2FA safeguards, enabling threat actors to compromise accounts with increased efficiency. 

Corporate security teams must prioritize anti-phishing defenses to mitigate the risk of successful attacks, data breaches, and financial loss resulting from this advanced threat. 

Cybercriminals are leveraging ONNX Store phishing tools to target financial institutions. The attack vector involves deceptive emails disguised as HR communications about remuneration, enticing victims to open attached PDFs containing malicious QR codes. 

Scanning these codes redirects users to phishing sites designed to mimic legitimate login pages, enabling attackers to steal credentials and bypass 2FA, granting unauthorized access to sensitive systems. 

The fake Microsoft login page prompts victims to enter their credentials and a one-time 2FA code.

A phishing attack leverages email with a PDF attachment containing a QR code, enticing victims to scan it for supposed “vital salary information,” which redirects users to a fraudulent Microsoft 365 login page designed to harvest credentials and 2FA codes. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

By targeting personal smartphones, the attack circumvents potential corporate anti-phishing defenses, increasing the likelihood of successful credential theft. 

The attacks leverage WebSocket’s real-time communication to rapidly exfiltrate stolen credentials and one-time 2FA codes, while attackers embed phishing kits within malicious emails to deceive victims into revealing sensitive information. 

According to Kaspersky, upon successful credential capture, the WebSocket protocol swiftly transmits the data to the attacker’s infrastructure. 

With immediate access to both credentials and a valid 2FA code, attackers can promptly infiltrate victim accounts, compromising email correspondence and enabling subsequent attacks like Business Email Compromise (BEC). 

ONNX Store operates a phishing-as-a-service platform centered on Telegram, employing bots to automate all user interactions. 

This infrastructure leverages Telegram as a command-and-control hub for phishing campaigns, streamlining the distribution of phishing kits and the management of compromised accounts through automated processes. 

Cybercriminals can now outsource phishing attacks by subscribing to specialized services, which offer a range of tools and infrastructure for crafting and executing phishing campaigns at low costs. 

Subscribers gain access to pre-engineered phishing kits targeting specific platforms like Microsoft 365, including options to bypass two-factor authentication, which lowers the barrier of entry for cybercriminals, enabling even low-level actors to launch sophisticated attacks and monetize stolen credentials. 

To mitigate advanced phishing risks, implement FIDO U2F hardware tokens or passkeys for robust 2FA, deploy comprehensive security solutions with anti-phishing capabilities across all devices, and conduct regular, interactive security awareness training to enhance employee vigilance against sophisticated phishing tactics. 

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Recent Posts

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

13 hours ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

1 day ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

1 day ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

1 day ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

1 day ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

1 day ago