A new phishing-as-a-service (PhaaS) platform named ‘Rockstar 2FA’ has emerged, enabling large-scale adversary-in-the-middle (AiTM) attacks to steal Microsoft 365 credentials. This service allows attackers to bypass multifactor authentication (MFA) by intercepting valid session cookies. Victims are directed to fake Microsoft 365 login pages, where their credentials are captured and forwarded to Microsoft’s legitimate service. The AiTM server then captures the session cookie sent back to the victim’s browser, granting attackers direct access to the account without needing the credentials again.
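The flow above, where the relay forwards the victim's real credentials and MFA response and then reuses the minted session cookie from its own machine, leaves a trace in sign-in telemetry: the identity provider records the proxy's network for the MFA-satisfied sign-in rather than the victim's, and the same session is then used from a different network or client. The following Python is an added example, not code from the article or from Bleeping Computer. The event format, field names, user names, IPs and ASNs are constructed for illustration; real Microsoft 365 sign-in logs carry different fields, and the per-user baseline of known networks is an assumption you would derive from historical logs.

```python
"""Flag possible session-cookie replay after an AiTM phishing sign-in.

Added example; events, field names and baseline are constructed.
"""
from datetime import datetime

# Constructed per-user baseline: ASNs the user normally signs in from.
KNOWN_ASNS = {
    "alice@example.test": {"AS64500"},
    "bob@example.test": {"AS64500"},
    "carol@example.test": {"AS64500"},
}

# Constructed sample telemetry. "interactive" is a credential+MFA sign-in that
# mints a session; "token_use" is a later request presenting that session.
SAMPLE_EVENTS = [
    # alice: sign-in relayed through a proxy on an unfamiliar network, then the
    # cookie is presented seconds later from yet another network and client.
    {"time": "2024-11-29T09:00:00", "user": "alice@example.test", "session": "s-1",
     "kind": "interactive", "ip": "198.51.100.7", "asn": "AS64501", "ua": "Chrome/129", "mfa": True},
    {"time": "2024-11-29T09:00:04", "user": "alice@example.test", "session": "s-1",
     "kind": "token_use", "ip": "192.0.2.33", "asn": "AS64502", "ua": "python-requests/2.32", "mfa": False},
    # bob: normal sign-in and later use from the same network and browser.
    {"time": "2024-11-29T10:15:00", "user": "bob@example.test", "session": "s-2",
     "kind": "interactive", "ip": "203.0.113.22", "asn": "AS64500", "ua": "Edge/130", "mfa": True},
    {"time": "2024-11-29T10:40:00", "user": "bob@example.test", "session": "s-2",
     "kind": "token_use", "ip": "203.0.113.22", "asn": "AS64500", "ua": "Edge/130", "mfa": False},
    # carol: known network at sign-in, then hours later from another network
    # (e.g. office to mobile). Outside the default window, so not flagged.
    {"time": "2024-11-29T11:00:00", "user": "carol@example.test", "session": "s-3",
     "kind": "interactive", "ip": "203.0.113.40", "asn": "AS64500", "ua": "Safari/17", "mfa": True},
    {"time": "2024-11-29T14:30:00", "user": "carol@example.test", "session": "s-3",
     "kind": "token_use", "ip": "198.51.100.90", "asn": "AS64510", "ua": "Safari/17", "mfa": False},
]


def detect_session_replay(events, known_asns, window_minutes=30):
    """Return one alert per suspicious session.

    Rule 1: an MFA-satisfied interactive sign-in from an ASN never seen for
            that user (a relaying proxy makes the provider log the proxy's
            network, not the victim's).
    Rule 2: the minted session is presented within `window_minutes` from a
            different ASN or user agent than the sign-in that created it,
            i.e. the cookie has travelled to another machine.
    """
    minted = {}   # session id -> the interactive event that created it
    alerts = {}   # session id -> {"user": ..., "reasons": [...]}

    for ev in sorted(events, key=lambda e: e["time"]):
        entry = alerts.setdefault(ev["session"], {"user": ev["user"], "reasons": []})
        if ev["kind"] == "interactive":
            minted[ev["session"]] = ev
            if ev["mfa"] and ev["asn"] not in known_asns.get(ev["user"], set()):
                entry["reasons"].append(
                    f"MFA sign-in from unfamiliar network {ev['asn']} ({ev['ip']})")
        elif ev["kind"] == "token_use":
            origin = minted.get(ev["session"])
            if origin is None:
                entry["reasons"].append("session presented without a recorded sign-in")
                continue
            elapsed = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(origin["time"])
            moved = ev["asn"] != origin["asn"] or ev["ua"] != origin["ua"]
            if moved and elapsed.total_seconds() <= window_minutes * 60:
                entry["reasons"].append(
                    f"session used {int(elapsed.total_seconds())}s after sign-in from "
                    f"{ev['asn']} / {ev['ua']} (minted from {origin['asn']} / {origin['ua']})")

    return [{"session": sid, **a} for sid, a in alerts.items() if a["reasons"]]


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS, KNOWN_ASNS):
        print(alert["user"], alert["session"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run as-is it reports only alice's session, with both signals. The window is a tuning knob: widening it catches slower replays at the cost of flagging users who legitimately change networks, as carol's session shows. A detection like this is a backstop; the mitigation that removes the attack class is phishing-resistant MFA (FIDO2/WebAuthn), whose credential is bound to the real origin and therefore cannot be relayed by a look-alike login page.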
Rockstar 2FA is an evolution of the DadSec and Phoenix phishing kits from 2023. Since August 2024, it has gained popularity in the cybercrime community, selling for $200 for two weeks or $180 for API access renewal. The service boasts features like support for Microsoft 365, Hotmail, GoDaddy, and SSO; randomized source code and links to evade detection; Cloudflare Turnstile Captcha integration for victim screening; automated fully undetectable (FUD) attachments and links; a user-friendly admin panel with real-time logs and backup options; and multiple login page themes with automatic organization branding.
Since May 2024, over 5,000 phishing domains have been set up using Rockstar 2FA, facilitating various phishing operations. Campaigns often abuse legitimate email marketing platforms or compromised accounts to send malicious messages, employing lures like document-sharing notifications, IT department notices, password reset alerts, and payroll-related messages. To evade detection, these messages utilize QR codes, links from legitimate shortening services, and PDF attachments.
The emergence of Rockstar 2FA highlights the persistence of phishing operators, who continue to offer illicit services despite significant law enforcement operations targeting major PhaaS platforms. The availability of such tools at low cost poses a significant risk of large-scale, effective phishing operations.
Source: Bleeping Computer