The phishing-as-a-service platform ONNX Store targets Microsoft 365 accounts used by employees in financial institutions. The platform utilizes malicious QR codes embedded within PDF attachments to bypass security measures. When scanned with a mobile device, the QR code directs victims to a fake Microsoft 365 login page designed to capture login credentials and two-factor authentication tokens.
Researchers believe ONNX Store may be a rebranded version of an earlier phishing kit. They observed the platform targeting financial institutions in February 2024, with phishing emails impersonating HR departments and using salary updates as bait.
From the attacker’s perspective, ONNX Store offers a user-friendly platform with features like customizable phishing templates, encrypted code for evasion, and bulletproof hosting to avoid takedowns. Subscription tiers range from $150 to $400 per month and offer varying levels of functionality, including the ability to steal 2FA cookies.
This sophisticated phishing campaign poses a significant threat to financial institutions. Organizations can defend themselves by blocking suspicious attachments, implementing stricter website certificate validation, and deploying hardware security keys for privileged accounts.
Reference:
