# Full Report
The kits, which the company said were a sophisticated approach to bypassing multifactor authentication, pose a particular threat to the financial services sector. The post Microsoft seizes websites tied to Egypt-based DIY phishing kit-maker appeared first on CyberScoop.
# Analysis Summary
# Threat Actor: DIY Phishing Kit Seller (MRxC0DER/ONNX)
## Attribution & Identity
* **Primary Identifier:** Abanoub Nady
* **Online Alias:** MRxC0DER
* **Attribution:** Egypt-based seller.
* **Associated Groups/Services:** Sold services under the brand name **ONNX**. Previously associated with the now-defunct "Caffeine" phishing-as-a-service offering. The **Linux Foundation** joined the legal action as co-plaintiff (regarding the ONNX trademark).
## Activity Summary
The individual/entity was identified as a seller of Do-It-Yourself (DIY) phishing kits used to compromise technology accounts, specifically targeting Microsoft 365 users. Microsoft obtained a court order and seized 240 associated websites in order to disrupt the operation's supply chain. This activity builds on earlier efforts such as the "Caffeine" phishing service.
## Tactics, Techniques & Procedures
* **Adversary-in-the-Middle (AiTM) Phishing:** Used sophisticated phishing kits designed to implement AiTM attacks.
* **MFA Bypass:** The primary goal of the AiTM approach was to circumvent Multifactor Authentication (MFA) by stealing authentication session cookies/credentials in real time.
* **Phishing-as-a-Service (PhaaS):** Sold kits or services to other malicious actors.
## Targeting
* **Sectors:** The financial services industry is noted as **heavily targeted** because of the sensitivity of its data and the high potential for financial loss. All sectors using the targeted identity provider (Microsoft 365) are at risk.
* **Geography:** The criminal operator is based in **Egypt**. The geographic region targeted by the phishing campaigns is not specified, but the target platform is global (Microsoft 365/financial services).
* **Victims:** Organizations using platforms protected by MFA, particularly those in the financial sector.
## Tools & Infrastructure
* **Malware Families/Kits:** DIY Phishing Kits sold under the **ONNX** brand name. Previously used the "Caffeine" phishing-as-a-service infrastructure.
* **Infrastructure (C2, domains, IPs):** Microsoft seized **240 associated websites** linked to the operation. (Specific domains/IPs were not listed in the summary text).
## Implications
This actor represents a significant threat to the identity assurance ecosystem, demonstrating the growing sophistication of cybercrime-as-a-service offerings that directly target and neutralize perimeter defenses like MFA. Successful exploitation by these kits can lead to substantial financial losses, particularly for the heavily targeted financial sector.
## Mitigations
* **Adopt Advanced MFA:** Organizations should move beyond basic MFA methods that remain susceptible to session cookie theft via AiTM.
* **Proactive Infrastructure Disruption:** Collaboration between private industry (Microsoft, Linux Foundation) and law enforcement to seize infrastructure disrupts the cybercrime supply chain, imposing time and monetary costs on the operators.
* **Monitoring and Vendor Collaboration:** Organizations should remain aware of new phishing service trends (like the shift from Caffeine to ONNX) targeting their identity providers.
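The AiTM technique described under Tactics, Techniques & Procedures leaves a defender-visible artefact: the session cookie issued after a legitimate MFA sign-in is later presented from a network the victim never used. The following script, an added example that is not part of the CyberScoop report or of any vendor's tooling, scans a constructed list of sign-in and session events and flags a session identifier that is reused from a different autonomous system within a short window of its issuance. The event schema (`ts`, `user`, `session_id`, `src_ip`, `asn`, `event`) and all sample values are assumptions for this example, not a real log format or real data.

```python
"""
Session-token replay detector for AiTM-style cookie theft (added example).

AiTM phishing kits proxy the genuine login page, let the victim complete
MFA, and capture the resulting session cookie. On the defender's side the
tell-tale sign is the SAME session identifier being used from a network
origin different from the one that completed the MFA sign-in, usually
within minutes. This script reports such reuse.

Event schema (an assumption for this example, not any vendor's format):
  ts          ISO-8601 UTC timestamp
  user        account name
  session_id  opaque session / refresh-token identifier
  src_ip      client IP address
  asn         autonomous system number of src_ip (pre-enriched)
  event       "mfa_login" when a session is issued after MFA success,
              "session_use" for later requests presenting that session
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample events; these are not real sign-in records.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-11-20T09:00:00Z", "user": "alice", "session_id": "S-1",
     "src_ip": "203.0.113.10", "asn": "AS64500", "event": "mfa_login"},
    {"ts": "2024-11-20T09:05:00Z", "user": "alice", "session_id": "S-1",
     "src_ip": "203.0.113.10", "asn": "AS64500", "event": "session_use"},
    # Same session presented nine minutes after issuance from another AS.
    {"ts": "2024-11-20T09:09:00Z", "user": "alice", "session_id": "S-1",
     "src_ip": "198.51.100.77", "asn": "AS64511", "event": "session_use"},
    {"ts": "2024-11-20T10:00:00Z", "user": "bob", "session_id": "S-2",
     "src_ip": "192.0.2.5", "asn": "AS64501", "event": "mfa_login"},
    # IP changed but same AS (e.g. carrier NAT rotation): treated as benign.
    {"ts": "2024-11-20T10:30:00Z", "user": "bob", "session_id": "S-2",
     "src_ip": "192.0.2.9", "asn": "AS64501", "event": "session_use"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events: Iterable[Dict[str, str]],
                          window: timedelta = timedelta(hours=1)) -> List[Dict[str, object]]:
    """Return one finding per session that is used from a different ASN
    than the one that completed the MFA sign-in, within `window` of issuance.

    Comparing ASNs rather than raw IPs avoids noise from mobile carriers and
    corporate egress pools that rotate addresses inside one network.
    """
    origin: Dict[str, tuple] = {}   # session_id -> (user, issued_at, asn, ip)
    flagged = set()                 # report each session at most once
    findings: List[Dict[str, object]] = []

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        sid = ev["session_id"]
        if ev["event"] == "mfa_login":
            origin[sid] = (ev["user"], ts, ev["asn"], ev["src_ip"])
            continue
        if sid not in origin or sid in flagged:
            continue  # issued outside the analysed data, or already reported
        user, issued_at, issue_asn, issue_ip = origin[sid]
        if ev["asn"] != issue_asn and ts - issued_at <= window:
            flagged.add(sid)
            findings.append({
                "user": user,
                "session_id": sid,
                "issued_from": issue_ip,
                "issue_asn": issue_asn,
                "replay_ip": ev["src_ip"],
                "replay_asn": ev["asn"],
                "minutes_after_issue": int((ts - issued_at).total_seconds() // 60),
            })
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_EVENTS):
        print(f"POSSIBLE SESSION REPLAY user={f['user']} session={f['session_id']} "
              f"issued_asn={f['issue_asn']} replay_asn={f['replay_asn']} "
              f"after={f['minutes_after_issue']}m")
```

The one-hour window and the ASN comparison are tuning choices for this example; in a real deployment the events would come from the identity provider's sign-in and non-interactive sign-in logs with ASN enrichment, and a hit would feed a session-revocation step in the response playbook. Note that the detector reports only sessions whose issuance is inside the analysed data, so a rolling window of logs must be wide enough to contain the original MFA sign-in.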