Since February, organizations in the financial sector have had their employees' Microsoft 365 accounts targeted by an attack campaign using the novel ONNX phishing-as-a-service platform, believed to be a rebrand of the Caffeine phishing kit, BleepingComputer reports.
Attackers impersonated human resources departments in malicious emails purporting to concern salary updates and carrying PDF attachments with QR codes; when scanned, the codes redirect targets to fake Microsoft 365 login pages without being flagged by phishing protections, according to a report from EclecticIQ. Login credentials and two-factor authentication tokens entered on the phishing page are exfiltrated by the attackers, who then leverage the data for email account hijacking and data theft. Aside from offering customizable phishing templates for Microsoft Office 365 and an array of webmail services, the ONNX PhaaS platform, which is operated via Telegram, also ensures detection evasion through encrypted JavaScript code, Cloudflare services, and a bulletproof hosting service, the researchers said.
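As an added defensive example (not from the report or from either vendor), the following stdlib-only Python triage flags the two traits of the lure described above: an HR/salary-themed subject and a PDF attachment that is essentially just an image, which is how a QR-code-only PDF presents. The sample email and the minimal PDF are constructed here; the image-only heuristic is an assumption and does not decode the QR code, so a production pipeline would rasterize the page and run a QR decoder on it to extract and vet the URL.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed minimal PDF: one image XObject, no fonts, mimicking a QR-code-only lure page.
FAKE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> stream
\x00
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Lure vocabulary (assumption): the campaign used salary-update themes from a fake HR sender.
LURE_WORDS = re.compile(r"\b(salary|payroll|hr|human resources|bonus)\b", re.I)


def build_sample_email(pdf_bytes: bytes) -> bytes:
    """Constructed HR-themed message with a PDF attachment (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "HR Department <hr@example.invalid>"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Salary update - action required"
    msg.set_content("Please scan the attached QR code to review your updated salary.")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename="salary_update.pdf")
    return msg.as_bytes()


def pdf_is_image_only(pdf: bytes) -> bool:
    """Heuristic: image XObjects present and no /Font resources, i.e. no real text content."""
    has_image = re.search(rb"/Subtype\s*/Image", pdf) is not None
    has_font = re.search(rb"/Font\b", pdf) is not None
    return has_image and not has_font


def triage(raw: bytes) -> list[str]:
    """Return the list of suspicious traits found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if LURE_WORDS.search(str(msg.get("Subject", ""))):
        findings.append("hr-themed subject")
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            if pdf_is_image_only(part.get_payload(decode=True)):
                findings.append(f"image-only pdf attachment: {part.get_filename()}")
    return findings
```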