June 18, 2024 at 04:29PM
ONNX Store, a phishing-as-a-service platform, targets Microsoft 365 and Office 365 accounts with PDF attachments containing QR codes. It bypasses 2FA, capturing login credentials and tokens, and provides a range of subscription tiers with customizable features. EclecticIQ recommends security measures to mitigate the threat’s impact. The platform poses a significant danger to financial firms.
Key takeaways from the report:
1. There is a new phishing-as-a-service (PhaaS) platform called ONNX Store targeting Microsoft 365 and Office 365 email accounts, utilizing QR codes in PDF attachments to bypass 2FA and phish login credentials.
2. ONNX is suspected to be a rebranded version of the Caffeine phishing kit, previously attributed to the Arabic-speaking threat actor MRxC0DER.
3. ONNX attacks were observed in February 2024, targeting employees at banks, credit union service providers, and private funding firms. Phishing emails impersonate HR departments and use salary updates as lures to distribute malicious QR codes.
4. Scanning the QR code on a mobile device leads victims to phishing pages that mimic legitimate Microsoft 365 login interfaces, capturing login credentials and 2FA tokens in real time.
5. ONNX is a robust phishing platform with customizable templates, encrypted JavaScript code, use of Cloudflare services, bulletproof hosting, and four subscription tiers offering various features.
6. To protect against ONNX’s sophisticated phishing attacks, admins are recommended to block PDF and HTML attachments from unverified sources, block access to HTTPS websites with untrusted or expired certificates, and set up FIDO2 hardware security keys for high-risk, privileged accounts.
7. EclecticIQ has shared YARA rules in its report to help detect malicious PDF files containing QR codes leading to phishing URLs.
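The detection idea in points 9 and 10, PDF attachments whose only content is an image carrying a QR code, can be triaged before any QR decoding takes place. The following is an added example, not EclecticIQ's YARA rules or any code from the report: a hypothetical `triage_pdf` heuristic that inflates FlateDecode streams, counts image XObjects and text-showing operators, and flags image-only PDFs for QR decoding; the sample PDFs are constructed inline for testing and are not real lures.

```python
"""Triage heuristic for PDF attachments: flags image-only content (the shape of a QR-code
lure), link actions and embedded JavaScript. Hypothetical example, not EclecticIQ's YARA rules."""
import re
import zlib

# A stream dictionary with no nested "<<" dict, followed by its body up to "endstream".
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
TEXT_OP_RE = re.compile(rb"\)\s*Tj\b|\]\s*TJ\b")  # text-showing operators
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")
URI_RE = re.compile(rb"/URI\s*\(")
JS_RE = re.compile(rb"/JavaScript\b|/JS\b")

def _stream_bodies(data):
    """Yield stream bodies, inflating /FlateDecode streams so the operators are visible."""
    for dict_part, body in STREAM_RE.findall(data):
        if b"/FlateDecode" in dict_part:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # malformed stream: report what is visible rather than fail the scan
        yield body

def triage_pdf(data):
    """Return indicator counts and a verdict for one PDF given as bytes."""
    text_ops = sum(len(TEXT_OP_RE.findall(b)) for b in _stream_bodies(data))
    images = len(IMAGE_RE.findall(data))
    reasons = []
    if images and text_ops == 0:
        reasons.append("image-only content, no text operators: route to QR decoding")
    if JS_RE.search(data):
        reasons.append("embedded JavaScript")
    return {"images": images, "text_ops": text_ops, "uris": len(URI_RE.findall(data)),
            "suspicious": bool(reasons), "reasons": reasons}

def make_pdf(page_ops, with_image, compress=False):
    """Build a minimal constructed PDF for testing (structure only, not a real sample)."""
    body = zlib.compress(page_ops) if compress else page_ops
    filt = b" /Filter /FlateDecode" if compress else b""
    image = (b"4 0 obj << /Type /XObject /Subtype /Image /Width 33 /Height 33 /ColorSpace "
             b"/DeviceGray /BitsPerComponent 1 /Length 0 >>\nstream\n\nendstream endobj\n"
             if with_image else b"")
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n3 0 obj << /Type /Page "
            b"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >> endobj\n" + image
            + b"5 0 obj << /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
            + body + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed samples: a "salary update" lure that is one full-page image, and a plain text memo.
QR_LURE = make_pdf(b"q 300 0 0 300 150 400 cm /Im0 Do Q", with_image=True, compress=True)
TEXT_MEMO = make_pdf(b"BT /F1 12 Tf 72 700 Td (Salary update Q2) Tj ET", with_image=False)
```

An "image-only" verdict is a trigger for QR decoding and URL reputation checks at the mail gateway, not proof of a QR code; object streams and encrypted PDFs need a full parser before this heuristic sees their content.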
These takeaways summarize the new ONNX phishing platform and the measures recommended to defend against it.