Cybersecurity researchers have flagged a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA, which is being actively used to steal Microsoft 365 credentials. This advanced phishing campaign is capable of bypassing multi-factor authentication (MFA) through an adversary-in-the-middle (AiTM) attack, exposing users to potential compromise.
According to Trustwave researchers Diana Solomon and John Kevin Adriano, this campaign highlights the growing sophistication of phishing attacks, as even accounts with MFA enabled are not immune.
What is Rockstar 2FA?
Rockstar 2FA is an updated version of the DadSec (Phoenix) phishing kit, tracked by Microsoft under the moniker Storm-1575. It is a subscription-based PhaaS platform that offers cybercriminals tools to launch large-scale phishing campaigns.
Key Features:
- MFA bypass using session cookie harvesting.
- Integration with Telegram bots for stolen credential delivery.
- Antibot protection through Cloudflare Turnstile.
- Fully Undetectable (FUD) phishing links.
- Customizable login page themes mimicking popular services like Microsoft, Google, and others.
- User-friendly admin panel for campaign management.
The platform is marketed on underground forums like Telegram, ICQ, and Mail.ru, with subscription plans priced at $200 for two weeks or $350 for a month.
How the Campaign Works
The Rockstar 2FA toolkit uses various initial access vectors, such as:
- Embedded URLs, QR codes, and document attachments in emails.
- Legitimate link redirectors like Atlassian Confluence, Google Docs Viewer, and Microsoft Dynamics 365 Customer Voice to bypass antispam detection.
These phishing campaigns often impersonate trusted services to trick users into entering their credentials on fake login pages. The phishing pages closely resemble genuine sign-in pages, ensuring minimal suspicion.
Technical Process:
- The attacker sets up a phishing page using Rockstar 2FA.
- Victims are lured via malicious emails, e-signature requests, or file-sharing notifications.
- Users enter their credentials on the phishing page, which transmits the data to an AiTM server.
- Session cookies are intercepted, allowing attackers to bypass MFA and gain full account access.
Broader Threat Landscape
In a related disclosure, Malwarebytes identified a phishing campaign called Beluga, which uses .HTM attachments to steal credentials from Microsoft OneDrive users. Similarly, Group-IB CERT uncovered scams promoting fake betting games and financial apps designed to steal money and sensitive information.
Examples of Recent Phishing Tactics:
- Fake login forms: Deceptive pages mimic legitimate services like Microsoft OneDrive and Atlassian.
- Adware apps: Disguised as betting games, they steal personal data while promising quick financial returns.
- Telegram integration: Stolen credentials are often exfiltrated directly to attackers via bots.
How to Protect Yourself
- Enable Modern MFA Solutions: Use FIDO2-compliant hardware keys or app-based MFA for stronger protection.
- Beware of Suspicious Emails: Avoid clicking on links or opening attachments from unverified sources.
- Inspect URLs Carefully: Ensure that login pages are secure and hosted on trusted domains.
- Implement Email Filtering Solutions: Use tools to detect and block phishing emails.
- Educate Users: Conduct regular cybersecurity training to identify phishing attempts.
The emergence of advanced phishing toolkits like Rockstar 2FA demonstrates the evolving nature of cyber threats. By leveraging AiTM techniques and bypassing MFA, attackers are raising the stakes in phishing campaigns. Organizations must stay vigilant and adopt robust security measures to defend against these sophisticated attacks.