June 19, 2024 at 01:29PM
A phishing-as-a-service operation is targeting financial firms, using 2FA bypass, QR codes, and typosquatting to compromise Microsoft 365 accounts. The campaign was traced to a platform called ONNX Store, which is sold and operated through Telegram bots. Recommended countermeasures include blocking PDF and HTML attachments from unverified sources, implementing DNSSEC together with lookalike-domain monitoring against typosquatting (DNSSEC on its own does not stop an attacker from registering a lookalike domain), and using FIDO2 hardware security keys for 2FA, which are bound to the legitimate site's origin and so cannot be relayed through a phishing page.
From the reporting, a phishing operation sold as a service under the name ONNX Store has been identified targeting financial firms. It combines 2FA bypass (the phishing page captures the victim's one-time code and passes it to the real login before it expires, the mechanism such kits use), QR codes, and typosquatted domains to maximize success. The QR codes are embedded in PDF attachments: the URL exists only as an image, so mail filters that inspect links and text do not see it, and the victim usually scans it with a personal phone that sits outside the organization's endpoint controls. The report calls this out as a significant challenge for monitoring.
The ONNX Store kit also ships its JavaScript in encrypted form and decrypts it only at page load, which hides the credential- and 2FA-token-stealing logic from static scanners and signature-based detection. Its adoption of MFA bypass and its borrowing from other phishing operators, notably Tycoon, underscore how quickly these kits adapt.
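Why a kit like this can relay a password plus a one-time code but not a FIDO2 assertion, as an added example (not code from the ONNX Store report or from any vendor): the browser writes the origin it actually loaded into the signed client data, and the relying party rejects any origin but its own. The signature is simulated with HMAC-SHA256 over a shared secret so the script runs on the standard library alone; a real authenticator uses a per-site asymmetric key pair and the server verifies with the stored public key. The origins, RP ID and authenticatorData layout below are simplified and constructed for illustration. In a real browser the ceremony would fail even earlier, because the browser refuses to call the authenticator when the requested RP ID is not a registrable suffix of the page origin; the server-side check modelled here is the independent second layer.

```python
"""Simulated WebAuthn assertion ceremony showing origin binding (added example)."""
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://login.example-bank.com"  # constructed: the genuine login origin
RP_ID = "login.example-bank.com"


class Authenticator:
    """Stand-in for a hardware key holding one credential for one RP ID."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key = os.urandom(32)  # real device: a private key that never leaves it

    def verifier_key(self) -> bytes:
        # With HMAC the verifier needs the same secret; stands in for the public key.
        return self.key

    def get_assertion(self, browser_origin: str, challenge: str) -> dict:
        # The browser, not the page's JavaScript, fills in the origin it loaded.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        # Simplified authenticatorData: only the rpIdHash prefix is modelled.
        auth_data = hashlib.sha256(self.rp_id.encode()).digest()
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.key, signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, expected_challenge: str, key: bytes) -> tuple[bool, str]:
    """Relying-party checks: ceremony type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        # This is the check an AiTM proxy cannot satisfy: it relayed the bytes,
        # but the victim's browser recorded the proxy's origin, not ours.
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_attempt(browser_origin: str) -> tuple[bool, str]:
    """One full ceremony; browser_origin is what the victim's browser actually loaded."""
    authenticator = Authenticator(RP_ID)
    challenge = os.urandom(16).hex()  # RP nonce; a proxy can forward it unchanged
    assertion = authenticator.get_assertion(browser_origin, challenge)
    # An AiTM proxy forwards the assertion verbatim to the real RP...
    return rp_verify(assertion, challenge, authenticator.verifier_key())


if __name__ == "__main__":
    print("direct login:   ", login_attempt(RP_ORIGIN))
    # constructed lookalike origin served by the phishing kit
    print("through a proxy:", login_attempt("https://login.example-bank-secure.com"))
```

A TOTP code has no equivalent of the origin field: the six digits are valid wherever they are typed, which is exactly why the kit can forward them.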
The report's mitigations for these specific tactics are: implementing DNSSEC against typosquatted domains, educating employees about the risks of scanning QR codes from unknown sources, and using security monitoring to detect unusual behaviour. One caveat on the first: DNSSEC signs the records in zones you control so that validating resolvers can detect tampered responses; it does nothing to stop an attacker from registering a lookalike of your login domain and serving a phishing page from it. The controls that actually address typosquatting are defensive registration of close variants, monitoring new registrations and certificate-transparency logs for lookalikes of your brand, and blocking newly observed lookalike domains at the mail gateway and web proxy.
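One concrete piece of the lookalike-domain monitoring recommended above, as an added example that is not code from the ONNX Store report or from any product: classify URLs extracted from inbound attachments against a watchlist of domains the organisation legitimately signs in to. The watchlist, brand tokens, thresholds and sample URLs are constructed for illustration. Turning a QR image into a URL is assumed to happen upstream (render the PDF page, run a QR decoder); the script starts from the decoded URL list and goes beyond plain edit distance by also catching ASCII homoglyphs and brand names buried in unrelated domains or subdomains.

```python
"""Flag typosquatted and brand-abusing domains in extracted URLs (added example)."""
from urllib.parse import urlparse

# Constructed watchlist: domains users are expected to sign in to, in check order.
WATCHLIST = ("microsoft.com", "microsoftonline.com", "office.com", "sharepoint.com")
# Constructed brand tokens that should never appear inside an unrelated domain.
BRANDS = ("microsoft", "office365", "sharepoint", "onedrive")
# Common ASCII look-alike substitutions, multi-character ones first.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"))

# Constructed sample: what a QR/PDF/HTML link extractor might hand us.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://rnicrosoft.com/owa/verify",
    "https://micros0ft-online.com/auth",
    "https://microsoft.com.secure-docs-verify.net/view",
    "https://office365-login-portal.com/signin",
    "https://cdn.example-partner.net/invoice.pdf",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    """Collapse homoglyph tricks so 'rnicros0ft' compares as 'microsoft'."""
    for src, dst in HOMOGLYPHS:
        name = name.replace(src, dst)
    return name


def registrable(host: str) -> str:
    """Last two labels. Fine for the .com/.net samples here; use a public-suffix
    list in production so 'example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, registrable_domain) for one URL."""
    host = (urlparse(url).hostname or "").lower()
    dom = registrable(host)
    if dom in WATCHLIST:
        return "benign", dom
    name = dom.rpartition(".")[0]
    norm = normalise(name)
    for watched in WATCHLIST:
        wname = watched.rpartition(".")[0]
        # 1. identical after homoglyph substitution but not the same string
        if norm == wname and name != wname:
            return "homoglyph", dom
        # 2. within a small edit distance, raw or normalised; 2 edits for long names
        threshold = 2 if len(wname) >= 10 else 1
        if min(edit_distance(name, wname), edit_distance(norm, wname)) <= threshold:
            return "typosquat", dom
    # 3. brand token inside the registrable name (office365-login-portal.com)
    if any(b in name or b in norm for b in BRANDS):
        return "brand-in-domain", dom
    # 4. brand token only in a subdomain (microsoft.com.secure-docs-verify.net)
    if any(b in host for b in BRANDS):
        return "brand-in-subdomain", dom
    return "unknown", dom


def scan(urls: list[str]) -> dict[str, str]:
    """Map each URL to its verdict; anything other than 'benign' deserves a look."""
    return {u: classify(u)[0] for u in urls}


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:20s} {url}")
```

Feed the output into the mail gateway's quarantine rule or the proxy's block list; the "unknown" bucket is where newly registered domains and certificate-transparency hits from the monitoring feed should be cross-checked.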
Overall, the takeaways are that financial firms need to stay vigilant against phishing of this sophistication, implement the controls above (attachment filtering, phishing-resistant FIDO2 keys, lookalike-domain monitoring), and train employees thoroughly, because operations like ONNX Store will keep evolving.