The new phishing-as-a-service (PhaaS) platform, ONNX Store, has been targeting Microsoft 365 accounts at financial firms using QR codes in PDF attachments. This sophisticated platform, which leverages Telegram bots and bypasses two-factor authentication (2FA), is believed to be a rebranded version of the Caffeine phishing kit.
Discovered by EclecticIQ, ONNX attacks were first observed in February 2024, using emails that impersonate HR departments with lures like salary updates to deceive recipients. Scanning the QR codes leads victims to phishing pages mimicking Microsoft 365 login interfaces, capturing login credentials and 2FA tokens in real time. ONNX’s robust features include customizable phishing templates, encrypted JavaScript for obfuscation, Cloudflare services for domain protection, and bulletproof hosting. Financial firms must enhance email security protocols and educate employees on recognizing phishing attempts.
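A mail-triage heuristic for the delivery pattern described above (an HR-themed message whose PDF attachment carries an image rather than a clickable link), as an added example that is not from the original page or from EclecticIQ's report. The lure terms, signal names and sample message are assumptions constructed for illustration; the check only selects messages for QR decoding and URL analysis and does not read the code itself.

```python
import re
from email.message import EmailMessage

# Assumed lure vocabulary; the page names HR impersonation and salary updates.
LURE_TERMS = re.compile(r"\b(salary|payroll|human resources|hr)\b", re.I)
# Image XObjects are stream objects, so this dictionary key is visible in the
# raw bytes of an unencrypted PDF. Link annotations may sit in compressed
# object streams, so a missing /URI is a weak signal, not proof.
IMAGE_XOBJECT = re.compile(rb"/Subtype\s*/Image")
URI_ACTION = re.compile(rb"/URI\b")
URL_IN_TEXT = re.compile(r"https?://", re.I)

def triage(msg):
    """Return the quishing signals (hypothetical names) found in one message."""
    signals, has_pdf_image = [], False
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    lure_source = msg.get("Subject", "") + " " + text
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        pdf = part.get_content()  # bytes for application/* parts
        lure_source += " " + (part.get_filename() or "")
        if IMAGE_XOBJECT.search(pdf):
            has_pdf_image = True
            signals.append("pdf_embeds_image")
            if not URI_ACTION.search(pdf):
                signals.append("pdf_has_no_link_annotation")
    if LURE_TERMS.search(lure_source):
        signals.append("hr_lure_wording")
    # The body gives the mail gateway no URL to scan; the link lives in the image.
    if has_pdf_image and not URL_IN_TEXT.search(text):
        signals.append("no_url_in_body")
    return signals

def needs_qr_inspection(msg):
    """Route to QR decoding and URL analysis when lure and image PDF coincide."""
    return {"pdf_embeds_image", "hr_lure_wording"} <= set(triage(msg))

def sample_message():
    # Constructed sample: neither a valid PDF nor a real campaign e-mail.
    msg = EmailMessage()
    msg["From"] = "HR Department <hr@example.test>"
    msg["Subject"] = "Salary update for Q3"
    msg.set_content("Please scan the code in the attached document.")
    fake_pdf = (b"%PDF-1.4\n1 0 obj<</Type/XObject/Subtype/Image"
                b"/Width 200/Height 200>>stream\n\nendstream endobj\n%%EOF")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="salary_update.pdf")
    return msg
```

Messages that match should go to a sandbox that renders the PDF, decodes any QR code and checks the resulting URL, since the heuristic alone cannot tell a QR code from any other image.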