Rockstar 2FA, a new Phishing-as-a-Service (PhaaS) platform, is being used to take over Microsoft 365 accounts. Its campaigns lure victims to a page that mimics the genuine Microsoft 365 sign-in screen, where they are tricked into entering their username and password.
To do so, Rockstar 2FA uses Adversary-in-the-Middle (AiTM) techniques, which bypass multi-factor authentication (MFA) by intercepting session cookies. The AiTM server sits between the victim and Microsoft as a proxy: it forwards the victim's credentials, and the MFA response, to the legitimate Microsoft service, which completes the authentication and issues a session cookie. The proxy keeps a copy of that cookie while relaying it to the victim's browser, so the login appears to succeed normally. With the cookie, the attackers can access the account even though MFA is enabled; at that point they no longer need the password or a second factor at all.
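To make the cookie-theft mechanism concrete, here is a small in-memory model of the flow described above. It is an added illustration for this article, not code from the article, from Trustwave or from the Rockstar 2FA kit; the identity provider, proxy, user, password, one-time code and "client" labels are all constructed for the demo. It also goes one step past the text and shows what happens when the identity provider binds the cookie to the client it was issued to.

```python
"""Toy model of an Adversary-in-the-Middle (AiTM) phishing proxy and of
session-cookie replay.

Added illustration; not code from the article, from Trustwave or from the
Rockstar 2FA kit. All users, passwords, OTP codes and client labels are
constructed for the demo and everything runs in memory.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Stand-in for the legitimate login service (e.g. a Microsoft 365 tenant)."""
    # username -> (password, current one-time MFA code); constructed test data
    users: dict
    # when True, a cookie is only honoured by the client that obtained it
    bind_cookie_to_client: bool = False
    # cookie -> (username, client the cookie was issued to, or None if unbound)
    sessions: dict = field(default_factory=dict)

    def login(self, username, password, otp, client):
        """Password + MFA check. Returns a session cookie or None on failure."""
        if self.users.get(username) != (password, otp):
            return None
        cookie = secrets.token_hex(16)
        bound_to = client if self.bind_cookie_to_client else None
        self.sessions[cookie] = (username, bound_to)
        return cookie

    def access(self, cookie, client):
        """Cookie-only access, as a browser does after login. Returns username or None."""
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        username, bound_to = entry
        if bound_to is not None and bound_to != client:
            return None  # cookie presented by a different client: rejected
        return username


@dataclass
class AitmProxy:
    """The lookalike login page: relays everything upstream and keeps the cookie."""
    upstream: IdentityProvider
    client: str = "proxy-host"  # the IdP only ever sees the proxy as its client
    captured: list = field(default_factory=list)

    def login(self, username, password, otp):
        # 1. forward the victim's password and MFA code to the real IdP
        cookie = self.upstream.login(username, password, otp, self.client)
        if cookie is not None:
            # 2. keep a copy of the issued cookie for the attacker ...
            self.captured.append((username, cookie))
        # 3. ... and hand it back to the victim so the login "just works"
        return cookie


def run_scenario(bind_cookie_to_client):
    """Return (what the attacker sees, what the victim sees) after the phish."""
    idp = IdentityProvider(
        users={"alice@example.test": ("Winter2024!", "492817")},  # constructed
        bind_cookie_to_client=bind_cookie_to_client,
    )
    proxy = AitmProxy(upstream=idp)

    # Victim types credentials and the MFA code into the lookalike page.
    cookie = proxy.login("alice@example.test", "Winter2024!", "492817")
    assert cookie is not None and proxy.captured

    # Attacker replays the captured cookie from their own machine:
    # no password and no second factor are involved any more.
    _, stolen = proxy.captured[0]
    attacker_sees = idp.access(stolen, client="attacker-laptop")
    # The victim's real browser presenting the same cookie directly to the IdP.
    victim_sees = idp.access(cookie, client="alice-laptop")
    return attacker_sees, victim_sees


if __name__ == "__main__":
    print("unbound cookie:", run_scenario(bind_cookie_to_client=False))
    print("bound cookie  :", run_scenario(bind_cookie_to_client=True))
```

With an unbound cookie the attacker gets into the account exactly as the article describes, using nothing but the replayed cookie. With binding enabled, the cookie was issued to the proxy host and is useless to anyone else, including the victim's own browser, which is the idea behind device-bound session tokens. The same origin-binding principle is why phishing-resistant MFA such as FIDO2/WebAuthn defeats an AiTM proxy: the authenticator signs over the page origin, so a response produced on the lookalike domain does not verify for the real one.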
Spread
The phishing emails are sent through compromised legitimate services, such as email marketing platforms. Because those services are considered trustworthy, the campaign looks more professional. The lures are convincing fake messages: notifications about shared documents, IT-department alerts, password-reset requests or payroll-related notifications.
Rockstar 2FA appears to have been compromising Microsoft 365 accounts for months. The platform is an updated version of earlier kits such as DadSec and Phoenix, which were particularly effective in 2023. According to Trustwave's data, Rockstar 2FA produced its first major wave of victims in May; activity peaked in August and was still high in October.