Description

A newly discovered phishing-as-a-service (PhaaS) tool called "Rockstar 2FA" is facilitating large-scale adversary-in-the-middle (AiTM) attacks aimed at stealing Microsoft 365 login credentials. The tool lets attackers circumvent multifactor authentication (MFA) by intercepting valid session cookies. The attack begins when a victim is tricked into visiting a fake Microsoft 365 login page and enters their credentials there. The AiTM server relays those details to Microsoft's legitimate site to complete the login, including the MFA step. When Microsoft issues the session cookie and sends it back through the proxy to the victim's browser, the attacker captures it. The stolen cookie gives the attacker direct access to the victim's account, bypassing MFA without needing the original login information.

Rockstar 2FA is an advanced version of the DadSec and Phoenix phishing kits that gained traction in 2023. It has become increasingly popular since August 2024, with a price of $200 for two weeks or $180 for API renewal. Promoted on Telegram, the service supports platforms such as Microsoft 365, Hotmail, GoDaddy, and single sign-on (SSO) services. It also features obfuscated code to avoid detection, Cloudflare Turnstile Captcha for bot filtering, automated FUD (fully undetectable) attachments, a user-friendly dashboard, real-time logging, and options for custom branding. Since May 2024, more than 5,000 phishing domains have been created using this tool.

Attackers often rely on compromised email accounts or legitimate marketing platforms to distribute the phishing emails. Common lures include document-sharing notifications, IT alerts, and password reset requests. Detection-evasion techniques such as QR codes, URL shorteners, and malicious PDF attachments are frequently employed. The rise of Rockstar 2FA underscores the ongoing threat of phishing campaigns: its affordability makes it accessible to a wide range of cybercriminals, despite recent law enforcement crackdowns on similar services.
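Because the AiTM flow described above ends with a legitimately minted, MFA-satisfied session cookie being replayed from the attacker's infrastructure, one defensive check is to look for a session that was established by an interactive MFA sign-in from one source IP and then reused, without MFA, from a different IP shortly afterwards. The following is an added example written for this page, not code from the page or from any vendor; the event schema and sample events are constructed, and a real deployment would map them from the identity provider's sign-in logs.

```python
"""Flag AiTM-style session cookie replay in constructed sign-in events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not a real log format):
# "alice" completes MFA from one IP and her session is then used from another
# IP four minutes later; "bob" reuses his own session from the same IP.
EVENTS = [
    {"user": "alice", "session": "s-1", "ip": "203.0.113.10", "mfa": True,
     "interactive": True, "ts": "2024-11-01T09:00:00"},
    {"user": "alice", "session": "s-1", "ip": "198.51.100.77", "mfa": False,
     "interactive": False, "ts": "2024-11-01T09:04:00"},
    {"user": "bob", "session": "s-2", "ip": "192.0.2.5", "mfa": True,
     "interactive": True, "ts": "2024-11-01T10:00:00"},
    {"user": "bob", "session": "s-2", "ip": "192.0.2.5", "mfa": False,
     "interactive": False, "ts": "2024-11-01T10:30:00"},
]


def find_session_replays(events, window=timedelta(hours=1)):
    """Return (user, session, origin_ip, replay_ip, minutes_after) tuples for
    sessions minted by an MFA sign-in from one IP and reused from another IP
    within `window`. Non-interactive reuse from the same IP is not flagged."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    hits = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        origin = next((e for e in evs if e["interactive"] and e["mfa"]), None)
        if origin is None:
            continue  # we never saw this session being bootstrapped with MFA
        t0 = datetime.fromisoformat(origin["ts"])
        for event in evs:
            t = datetime.fromisoformat(event["ts"])
            if event is origin or t < t0 or t - t0 > window:
                continue
            # Same session cookie, no fresh MFA, different source IP: the
            # pattern a replayed cookie from an AiTM proxy produces.
            if not event["interactive"] and event["ip"] != origin["ip"]:
                minutes = int((t - t0).total_seconds() // 60)
                hits.append((event["user"], sid, origin["ip"], event["ip"], minutes))
    return hits


if __name__ == "__main__":
    for hit in find_session_replays(EVENTS):
        print("possible AiTM cookie replay:", hit)
```

In practice the IP comparison should be widened to ASN or geolocation and correlated with the originating phishing email, since the victim's own device may legitimately change addresses.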