Microsoft 365 Faces New Threat: Rockstar 2FA Phishing Service. Here is what to know.

A new phishing-as-a-service (PhaaS) platform named Rockstar 2FA has emerged, facilitating large-scale adversary-in-the-middle (AiTM) attacks to steal Microsoft 365 credentials. Like other AiTM platforms, Rockstar 2FA enables attackers to bypass multifactor authentication (MFA) protections on targeted accounts by intercepting valid session cookies.

How the Attacks Work

These attacks work by directing victims to a fake login page that mimics Microsoft 365 and tricking them into entering their credentials. The AiTM server acts as a proxy, forwarding those credentials to Microsoft’s legitimate service to complete the authentication process and then captures the cookie when it is sent back to the target’s browser. This cookie can then be used by the threat actors for direct access to the victim’s account, even if it’s MFA protected, with the threat actor not needing the credentials at all.

Evolution and Popularity

Trustwave reports that Rockstar 2FA is actually an updated version of the phishing kits DadSec and Phoenix, which gained traction in early and late 2023 respectively. The researchers say Rockstar 2FA has gained significant popularity in the cybercrime community since August 2024, selling for $200 for two weeks or $180 for API access renewal. The service is promoted on Telegram, among other places, boasting a long list of features like the setup of over 5,000 phishing domains since May 2024, facilitating various phishing operations.

Methods of Dissemination

The related phishing campaigns abuse legitimate email marketing platforms or compromised accounts for disseminating malicious messages to targets.

These messages use a variety of lures, including document-sharing notifications, IT department notices, password reset alerts, and payroll-related messages.

The messages utilize a range of block evasion methods including QR codes, inclusion of links from legitimate shortening services, and PDF attachments.

A Cloudflare turnstile challenge is used to filter out bots, while the attack also likely includes IP checks before valid targets are directed to a Microsoft 365 login phishing page.

If the visitor is deemed a bot, security researcher, or an out-of-scope target in general, they are redirected to a harmless car-themed decoy page instead.

Technical Execution

The JavaScript on the landing page decrypts and retrieves either the phishing page or the car-themed decoy based on the AiTM server’s evaluation of the visitor.

The emergence and proliferation of Rockstar 2FA reflect the persistence of phishing operators, who continue to offer illicit services despite significant law enforcement operations taking down one of the largest PhaaS platforms recently and arresting its operators.

As long as these commodity tools continue to be accessible for cybercriminals at a low cost, the risk of large-scale effective phishing operations remains significant.

Conclusion

This new threat highlights the importance of staying vigilant and adopting robust security measures to protect against such sophisticated phishing attacks. Users are advised to be cautious of suspicious emails and to verify the authenticity of login pages before entering their credentials.

---

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it