Telegram Bot Selling Phishing Tools to Bypass 2FA & Hack Microsoft 365 Accounts

A newly discovered phishing marketplace, ONNX Store, empowers cybercriminals to launch sophisticated attacks against Microsoft 365 and Office 365 environments. The platform provides tools to circumvent robust 2FA safeguards, enabling threat actors to compromise accounts with increased efficiency. 

Corporate security teams must prioritize anti-phishing defenses to mitigate the risk of successful attacks, data breaches, and financial loss resulting from this advanced threat. 

Cybercriminals are leveraging ONNX Store phishing tools to target financial institutions. The attack vector involves deceptive emails disguised as HR communications about remuneration, enticing victims to open attached PDFs containing malicious QR codes. 

Scanning these codes redirects users to phishing sites designed to mimic legitimate login pages, enabling attackers to steal credentials and bypass 2FA, granting unauthorized access to sensitive systems. 

A phishing attack leverages email with a PDF attachment containing a QR code, enticing victims to scan it for supposed “vital salary information,” which redirects users to a fraudulent Microsoft 365 login page designed to harvest credentials and 2FA codes. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

By targeting personal smartphones, the attack circumvents potential corporate anti-phishing defenses, increasing the likelihood of successful credential theft. 

The attacks leverage WebSocket’s real-time communication to rapidly exfiltrate stolen credentials and one-time 2FA codes, while attackers embed phishing kits within malicious emails to deceive victims into revealing sensitive information. 

According to Kaspersky, upon successful credential capture, the WebSocket protocol swiftly transmits the data to the attacker’s infrastructure. 

With immediate access to both credentials and a valid 2FA code, attackers can promptly infiltrate victim accounts, compromising email correspondence and enabling subsequent attacks like Business Email Compromise (BEC). 

ONNX Store operates a phishing-as-a-service platform centered on Telegram, employing bots to automate all user interactions. 

This infrastructure leverages Telegram as a command-and-control hub for phishing campaigns, streamlining the distribution of phishing kits and the management of compromised accounts through automated processes. 

Cybercriminals can now outsource phishing attacks by subscribing to specialized services, which offer a range of tools and infrastructure for crafting and executing phishing campaigns at low costs. 

Subscribers gain access to pre-engineered phishing kits targeting specific platforms like Microsoft 365, including options to bypass two-factor authentication, which lowers the barrier of entry for cybercriminals, enabling even low-level actors to launch sophisticated attacks and monetize stolen credentials. 

To mitigate advanced phishing risks, implement FIDO U2F hardware tokens or passkeys for robust 2FA, deploy comprehensive security solutions with anti-phishing capabilities across all devices, and conduct regular, interactive security awareness training to enhance employee vigilance against sophisticated phishing tactics. 

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download