Beware: New Rockstar 2FA Phishing Scheme Aims at Microsoft 365 Users!

DARSHIL SK


A new phishing-as-a-service (PhaaS) platform called ‘Rockstar 2FA’ has surfaced, enabling extensive adversary-in-the-middle (AiTM) attacks aimed at pilfering Microsoft 365 credentials.

Similar to other AiTM services, Rockstar 2FA allows cybercriminals to circumvent multifactor authentication (MFA) safeguards on targeted accounts by capturing valid session cookies. The modus operandi involves directing victims to a counterfeit login page that closely resembles the official Microsoft 365 interface, tricking them into inputting their login details.


In this scheme, the AiTM server sits between the victim and Microsoft as a reverse proxy: it relays the credentials the victim types (and the MFA code or push approval that follows) to Microsoft's genuine service, and when authentication succeeds it captures the session cookie that Microsoft issues to the victim's browser. Replaying that cookie gives the attacker access to the account without the password and without triggering MFA again, since the cookie already represents a completed, MFA-satisfied sign-in.
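Because the stolen cookie is replayed from the attacker's infrastructure, the most practical detective control is to look for one session appearing from a second source address shortly after the real login. The following is an added example of that check, not code from the article or from Trustwave; the sign-in records are constructed here in the shape of a sign-in log export, and the field names are assumptions rather than any vendor's schema.

```python
"""Flag a session id seen from two different IPs within a short window.

Added example (not from the original article). The records below are
constructed sample data; field names (user, session_id, ip, country, time)
are assumptions, not a real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice signs in legitimately from the US, then the same
# session id is replayed twelve minutes later from a different IP and country,
# which is what a replayed AiTM-captured cookie looks like. bob's session
# stays on one IP and should not alert.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "session_id": "s-1001", "ip": "203.0.113.10",
     "country": "US", "time": "2024-11-29T09:00:00"},
    {"user": "alice@example.com", "session_id": "s-1001", "ip": "203.0.113.10",
     "country": "US", "time": "2024-11-29T09:05:00"},
    {"user": "alice@example.com", "session_id": "s-1001", "ip": "198.51.100.77",
     "country": "NL", "time": "2024-11-29T09:12:00"},
    {"user": "bob@example.com", "session_id": "s-2002", "ip": "192.0.2.5",
     "country": "US", "time": "2024-11-29T10:00:00"},
    {"user": "bob@example.com", "session_id": "s-2002", "ip": "192.0.2.5",
     "country": "US", "time": "2024-11-29T18:00:00"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_session_reuse(events, window=timedelta(hours=2)):
    """Return one alert per session id that is used from a second IP
    within `window` of its first observed sign-in.

    Roaming users and VPN switches produce the same pattern, so treat the
    result as a triage signal (revoke sessions, confirm with the user),
    not as proof of compromise.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session_id"]].append(event)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=_ts)
        first = evs[0]
        for event in evs[1:]:
            delta = _ts(event) - _ts(first)
            if event["ip"] != first["ip"] and delta <= window:
                alerts.append({
                    "user": event["user"],
                    "session_id": session_id,
                    "first_ip": first["ip"],
                    "second_ip": event["ip"],
                    "first_country": first["country"],
                    "second_country": event["country"],
                    "minutes_apart": int(delta.total_seconds() // 60),
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_SIGNINS):
        print(alert)
```

Run against real exports, the same logic works on whatever field carries the session or refresh-token identifier; comparing the autonomous system or country instead of the raw IP reduces noise from mobile carriers that rotate addresses.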

Emergence of Rockstar 2FA

According to Trustwave reports, Rockstar 2FA is an evolved version of earlier phishing kits known as DadSec and Phoenix that gained popularity in early and late 2023 respectively. Since its introduction in August 2024, this service has rapidly gained traction within cybercriminal circles and is available for $200 for a two-week subscription or $180 for API access renewal.

Promoted primarily through Telegram and similar platforms, Rockstar 2FA boasts an impressive array of features:

  • Compatibility with Microsoft 365, Hotmail and GoDaddy accounts
  • Randomized source code and links designed to evade detection
  • Integration with Cloudflare Turnstile Captcha for filtering potential victims
  • Automated FUD (Fully UnDetectable) attachments and links
  • An intuitive admin panel offering real-time logs and backup capabilities
  • Multiple customizable login page themes featuring automatic branding options

Since May 2024 alone, over 5,000 phishing domains have been established under this service umbrella—facilitating numerous phishing campaigns targeting unsuspecting users.

Tactics Employed by Cybercriminals

The researchers noted that many related phishing campaigns exploit legitimate email marketing platforms or compromised accounts to distribute malicious communications. These messages often employ various lures such as notifications about document sharing or alerts from IT departments regarding password resets or payroll issues.

Trustwave highlights that these emails use several techniques to get past mail filters: the phishing link is hidden behind a QR code, wrapped in a reputable URL-shortening service, or placed inside a PDF attachment, so the message body itself carries nothing a URL-reputation check can flag.

To keep automated defenses, security crawlers and researchers away from the phishing page, a Cloudflare Turnstile challenge is placed in front of it. Visitors who pass are sent on to the fraudulent Microsoft 365 login page; visitors judged suspicious, for example those identified as bots, are redirected to an innocuous car-themed decoy page instead.

The JavaScript embedded in the landing page decides whether a visitor sees the phishing page or the decoy based on the AiTM server's assessment of that visitor's behaviour during the initial interaction, so a sandbox or scanner that fetches the URL without behaving like a browser-driven user typically never sees the credential-harvesting page at all.

Ongoing Threat Landscape

The rise of Rockstar 2FA underscores how persistent phishing operators remain despite recent law enforcement efforts to dismantle major PhaaS platforms; according to BleepingComputer, one such operation resulted in 37 arrests linked to those running one of the largest networks discovered to date.

As long as these tools remain cheap and readily available on underground markets catering to cybercriminals, organizations must stay vigilant against large-scale, effective phishing campaigns, which continue to pose a serious risk.
