While monitoring the rise of phishing-as-a-service platforms, Trustwave SpiderLabs discovered the emergence of Rockstar 2FA, a kit that steals Microsoft 365 credentials through large-scale adversary-in-the-middle (AiTM) attacks. Targets of these attacks are directed to a fraudulent login page that mimics Microsoft 365 and prompts them to enter their credentials.

Rockstar 2FA features include:

  • Bypass for two-factor authentication (2FA)
  • 2FA cookie harvesting
  • Fully undetectable (FUD) links
  • Antibot protection
  • Telegram bot integration
  • Themes mimicking popular service login pages

Security leaders weigh in

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security:

AiTM attacks, as seen with platforms like Rockstar 2FA, are becoming more common in phishing-as-a-service campaigns. While not all phishing-as-a-service offerings focus on AiTM techniques, the inclusion of features like session cookie harvesting and MFA bypass in this platform highlights how phishing methods continue to become more sophisticated. Security teams should take note, as these attacks demonstrate how protections like MFA can be circumvented if not part of a layered defense.

Tools that help enforce strong password policies, provide secure management of credentials and offer visibility into login activity are critical in addressing these threats. By integrating MFA with proactive measures such as session monitoring and conditional access policies, organizations can strengthen their defenses against AiTM tactics. The emergence of platforms like Rockstar 2FA should push security teams to reevaluate their strategies to ensure they are prepared for increasingly advanced phishing campaigns.
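One concrete form of the session monitoring recommended above is to correlate sign-in events per session token and flag a token that is presented from a different network shortly after it was issued, which is how an AiTM cookie replay tends to appear in identity logs. This is an added illustration, not code from the article or from any vendor quoted in it; the event fields, ASN values and sample entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str   # identifies the issued session cookie / refresh token
    ip: str
    asn: str          # autonomous system of the client IP (constructed values)


# Constructed sample events, not real log data. The first two lines model the
# victim authenticating through the AiTM proxy from their own network; the
# third models the harvested session cookie being replayed minutes later from
# an unrelated network. Bob's session is a normal, single-network baseline.
SAMPLE_EVENTS = [
    SignIn(datetime(2024, 11, 28, 9, 0, 0), "alice@example.com", "sess-1", "203.0.113.10", "AS64496"),
    SignIn(datetime(2024, 11, 28, 9, 0, 30), "alice@example.com", "sess-1", "203.0.113.10", "AS64496"),
    SignIn(datetime(2024, 11, 28, 9, 7, 0), "alice@example.com", "sess-1", "198.51.100.7", "AS64511"),
    SignIn(datetime(2024, 11, 28, 9, 1, 0), "bob@example.com", "sess-2", "192.0.2.5", "AS64500"),
    SignIn(datetime(2024, 11, 28, 15, 0, 0), "bob@example.com", "sess-2", "192.0.2.5", "AS64500"),
]


def find_session_replays(events, window=timedelta(hours=1)):
    """Return (user, session_id, origin_ip, new_ip) for each event where a
    session token is presented from a different IP *and* a different ASN
    within `window` of that session's first sign-in.

    Requiring both IP and ASN to change suppresses ordinary mobile/NAT address
    churn inside one carrier; the window bounds it to the period right after
    authentication, when a stolen cookie is most valuable to the attacker.
    """
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.session_id)
        origin = first_seen.setdefault(key, ev)
        if origin is ev:
            continue  # first sighting of this session establishes the baseline
        if ev.ip != origin.ip and ev.asn != origin.asn and ev.ts - origin.ts <= window:
            alerts.append((ev.user, ev.session_id, origin.ip, ev.ip))
    return alerts


if __name__ == "__main__":
    for user, sess, origin_ip, new_ip in find_session_replays(SAMPLE_EVENTS):
        print(f"possible session replay: {user} {sess} issued to {origin_ip}, reused from {new_ip}")
```

In a real deployment the events would come from the identity provider's sign-in log and the alert would feed a revoke-sessions response; tune the window and the ASN rule to the organisation's own roaming patterns.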

Stephen Kowski, Field CTO at SlashNext Email Security+:

Phishing has evolved beyond traditional email boundaries, with attackers now employing sophisticated techniques like Rockstar 2FA’s AiTM approach to bypass security measures by moving the phishing campaign beyond email. This trend underscores a shift towards multichannel phishing, where phishing campaigns don’t end with an email but continue through various communication channels like web browsers, messaging apps, and even social media. This multi-step process takes advantage of the perceived legitimacy of these platforms, making users more susceptible to attacks as they move from email to other channels. While AiTM attacks are part of this landscape, the key trend is the utilization of multiple channels to keep the phishing attack alive, often leveraging the trust users have in these platforms to bypass security.

Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium:

Phishing-as-a-service platforms are significantly lowering the cost of entry for new attackers, mainly through mobile devices. By providing ready-made phishing kits, these platforms eliminate the need for extensive technical skills or resources usually required for phishing attacks. Attackers can launch sophisticated campaigns against organizations with minimal investment and effort, leveraging mobile devices’ ubiquity and continual connectivity. This ease of access to advanced phishing tools, and the ability to target users on mobile devices, where security may be more lax, make it increasingly convenient and cost-effective for nefarious actors to execute efficacious cybercrimes.