Phishing-as-a-Service through Telegram bot (2024)

Researchers have discovered a phishing marketplace called ONNX Store, which gives cybercriminals access to tools for hijacking Microsoft 365 accounts, including a means for bypassing two-factor authentication (2FA). This enables threat actors to crank out phishing attacks on both Microsoft 365 and Office 365 email accounts. Corporate information security teams should be aware of this threat and tool up with anti-phishing protection. Let’s take a closer look at the danger…

A malicious attachment with a QR code and 2FA bypass

The researchers’ report describes an attack using ONNX Store phishing tools that targets employees of several financial institutions. First, the victims receive emails seemingly from their HR departments on the topic of remuneration as bait.

The emails contain PDF attachments containing a QR code to be scanned in order to gain access to a “secure document” with “vital information” about the recipient’s salary. The idea here is to get the victim to open the link not on a work computer — which most likely has anti-phishing protection, but on a personal smartphone — which may well not.

The link opens a phishing site mimicking a Microsoft 365 login page. Here, the victim is asked to enter their username and password, followed by a one-time 2FA code.

All of this information of course goes straight to the attackers. One-time 2FA codes usually have a very short lifespan — often just 30 seconds. Therefore, to speed up delivery of information, the phishing kit uses the WebSocket protocol, which provides real-time communication.

Armed with the stolen credentials and still-valid code, the attackers immediately log in to the account and gain full access to the victim’s correspondence. This access can then be exploited for business email compromise (BEC) and other attacks.

Phishing-as-a-service: plenty of phish in the sea

The hub of this phishing operation is the Telegram instant messenger. ONNX Store embraces automation to the fullest — all interaction with users is through Telegram bots.

Its creators provide phishing services on a subscription basis. The prices are quite low: for example, a monthly subscription for harvesting Microsoft 365 account passwords would cost a potential attacker $200 without a 2FA bypass — $400 with it.

Even small-time cybercriminals can afford that. For this modest investment, they get access to a set of finely-tuned phishing tools. All they have to do is to select an attackable target and devise a monetization scheme.

How to protect your organization against advanced phishing

It’s the low-entry threshold that makes the phishing-as-a-service model such a threat: the circle of cybercriminals with dangerous tools at their disposal becomes much wider. Therefore, we strongly advise that you take preemptive measures against an advanced phishing attack on your organization. Here’s what we recommend:

• Consider using FIDO U2F hardware tokens (also known as YubiKeys) or passkeys for 2FA. These tools negate even the most sophisticated covert phishing attacks.
• Deploy a reliable security solution with anti-phishing protection on all corporate devices, including smartphones and tablets.
• Conduct regular security-awareness training to train employees to recognize and deal with suspicious emails. Our interactive Kaspersky Automated Security Awareness Platform provides everything you need on this and more.