Microsoft disrupts ONNX phishing-as-a-service infrastructure

November 21, 2024 at 12:08PM

Microsoft and the Justice Department seized over 240 domains linked to ONNX, a phishing-as-a-service platform targeting thousands of victims globally since 2017. ONNX was the leading provider of phishing kits in 2024, enabling sophisticated attacks that bypassed security measures. Operations ceased after the owner’s identity was revealed.

### Key Takeaways

1. **Seizure of Phishing Domains**: Microsoft and the Justice Department have seized over 240 domains associated with ONNX, a phishing-as-a-service platform, which has targeted individuals and companies globally since 2017.

2. **Threat Landscape**: ONNX was identified as the leading provider of adversary-in-the-middle (AitM) phishing services in the first half of 2024, contributing to tens to hundreds of millions of phishing emails aimed at Microsoft 365 accounts and other tech firms.

3. **Phishing Kits**: The ONNX operation offered phishing kits through Telegram with subscription models ranging from $150 to $550 monthly. These kits were designed to target various tech companies, including Microsoft, Google, and Dropbox.

4. **Attack Techniques**: Recent attacks included the use of QR code phishing (quishing), where malicious QR codes in PDF attachments lured victims into entering their credentials on fake login pages that resembled legitimate Microsoft 365 sites.

5. **QR Code Vulnerability**: Cybercriminals exploit the tendency of victims to scan QR codes on personal mobile devices, complicating detection efforts, particularly in environments with Bring Your Own Device (BYOD) policies.

6. **Security Evasion**: The phishing kits included features that helped bypass two-factor authentication (2FA) and utilized sophisticated techniques like encrypted JavaScript and bulletproof hosting to avoid detection by security measures.

7. **Disruption and Legal Actions**: The ONNX operation ceased in June 2024 following the identification and disclosure of its owner, Abanoub Nady. A civil court order has redirected the malicious infrastructure to Microsoft, effectively ending the use of these domains for phishing.

8. **Collaborative Efforts**: Microsoft’s initiative involved cooperation with the Linux Foundation, the trademark owner of the ONNX name, to enhance customer protection and deter future cybercrime.

9. **Broader Cybersecurity Actions**: In addition to ONNX, Microsoft has also targeted other cyber threats, including disrupting Russian hackers’ infrastructure and previous actions against a major cybercrime provider, Storm-1152.
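Takeaways 4 to 6 describe the defender's problem in one sentence: the lure is a QR code inside a PDF, the landing page is a lookalike of a Microsoft 365 login, and the scan happens on a phone the mail gateway never sees. The following is an added example, not code from Microsoft or from the ONNX kits, of the triage step a mail-security pipeline can run once the PDF has been rendered and its QR codes decoded into URL strings (that decoding step is assumed to exist upstream and is not shown). The allowlist, brand tokens, homoglyph table and sample URLs are all constructed for the demonstration.

```python
"""Triage of URLs recovered from QR codes embedded in PDF e-mail attachments.

Added example. Assumes an upstream step has already rendered each PDF page
and decoded any QR codes into URL strings; everything below operates on
those strings only. Allowlist and heuristics are constructed, not vendor data.
"""
from urllib.parse import urlparse

# Constructed allowlist: login hosts an organisation expects its users to reach.
ALLOWED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "accounts.google.com",
    "www.dropbox.com",
}

# Brand and login-flow tokens a lookalike host is likely to borrow.
BRAND_TOKENS = ("microsoft", "office365", "o365", "outlook", "google", "dropbox", "login", "sso")

# Constructed homoglyph map: digits and letter pairs that mimic other letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

SEVERITY = {"trusted": 0, "clean": 0, "review": 1, "block": 2}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain (no PSL lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_homoglyphs(host: str) -> str:
    """Fold common visual substitutions so micros0ft -> microsoft, rn -> m, vv -> w."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def triage_qr_url(url: str) -> dict:
    """Return a verdict (trusted / clean / review / block) plus the reasons for one decoded URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reasons = []

    if host in ALLOWED_LOGIN_HOSTS:
        return {"url": url, "host": host, "verdict": "trusted", "reasons": reasons}

    if parsed.scheme != "https":
        reasons.append("non-https scheme")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("IDN/punycode host")
    hits = [t for t in BRAND_TOKENS if t in host]
    if hits:
        reasons.append("brand token in untrusted host: " + ", ".join(hits))
    # A trusted hostname used as a subdomain label, e.g. login.microsoftonline.com.<attacker>.example
    for allowed in ALLOWED_LOGIN_HOSTS:
        if allowed in host:
            reasons.append(f"trusted host embedded in label: {allowed}")
            break
    # Homoglyph-folded registrable domain colliding with an allowed one (catches micros0ftonline.com)
    folded = normalize_homoglyphs(registrable_domain(host))
    if folded in {registrable_domain(a) for a in ALLOWED_LOGIN_HOSTS}:
        reasons.append(f"homoglyph lookalike of trusted domain: {folded}")
    path = parsed.path.lower()
    if any(k in path for k in ("login", "signin", "auth", "verify")):
        reasons.append("credential-collection style path")

    if len(reasons) >= 2:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def triage_attachment(decoded_urls: list) -> dict:
    """Triage every URL decoded from one attachment and roll up the worst verdict."""
    results = [triage_qr_url(u) for u in decoded_urls]
    worst = max((r["verdict"] for r in results), key=SEVERITY.__getitem__, default="clean")
    return {"verdict": worst, "results": results}


if __name__ == "__main__":
    # Constructed sample of URLs "decoded" from QR codes in one PDF attachment.
    sample = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.secure-verify.example/login",
        "https://micros0ftonline.com/",
        "https://docs.example.org/report.pdf",
    ]
    for r in triage_attachment(sample)["results"]:
        print(r["verdict"].upper(), r["host"], "; ".join(r["reasons"]))
```

The verdict tiers are deliberate: a single weak signal (a homoglyph collision alone, or plain http alone) goes to "review" for an analyst, while two or more independent signals are enough to quarantine the message before the QR code ever reaches a personal phone. Folding homoglyphs before the allowlist comparison is what catches hosts that a plain substring match on "microsoft" misses.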

These key takeaways reflect ongoing cybersecurity challenges and the coordinated responses to mitigate phishing threats, highlighting the importance of vigilance and adaptation in security practices.
