This worrying new phishing attack is going after Microsoft 365 accounts

News
By
published

Rockstar 2FA is a new phishing kit that allows crooks to bypass MFA

Cartoon Phishing
(Image credit: Shutterstock / DRogatnev)
  • Security researchers from Trustwave discover new phishing kit capable of stealing Microsoft 365 accounts
  • Rockstar 2FA can relay MFA codes and obtain session cookies
  • The service is being offered on the dark web for just $200

There is a worrying new phishing kit that enables cybercriminals to go after people’s Microsoft 365 accounts, even those protected by multi-factor authentication (MFA). It is called “Rockstar 2FA”, and it goes for $200 on the dark web.

Cybersecurity researchers from Trustwave recently discovered, and analyzed the new kit, noting how since August 2024, it has been aggressively promoted on Telegram and among other cybercriminal communities.

The kit’s developers claim it supports Microsoft 365, Hotmail, GoDaddy, SSO, and offers randomized source code and links to evade detection. Furthermore, it uses Cloudflare Turnstile Captcha to screen the victims and make sure it’s not sandboxed or analyzed by bots.

Bypassing MFA and stealing cookies

Phishing, as a method of attack, hasn’t changed much over the years. Crooks send out emails with fake documents, or fabricate urgent warnings the users need to address immediately, or face the consequences. As a result of hasty actions, the victims end up infecting their devices with malware, losing sensitive data, granting valuable access to cybercriminals, and more.

To counter this method, most businesses these days deploy multi-factor authentication , a second layer of authentication that prevents unauthorized access, even when the crooks steal the login credentials. Criminals, on the other hand, responded by creating adversary-in-the-middle (AiTM) methodology, something Rockstar 2FA integrated, as well.

By using the phishing kit, the attackers can create fake Microsoft 365 login pages. When the victim enters their credentials there, they are automatically relayed to the legitimate login page, which then returns the request for MFA. The phishing page returns that request back to the victim, ultimately leading to the account being compromised.

Finally, Rockstar 2FA will grab the authentication cookie being sent from the service to the user, allowing the attackers to remain logged in.

Since May 2024, which seems to be the kit’s date of origin, it set up more than 5,000 phishing domains, the researchers concluded.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
A new Microsoft 365 phishing service has emerged, so be on your guard
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Phishing
Russian cyberattackers spotted hitting Microsoft Teams with new phishing campaign
Security padlock in circuit board, digital encryption concept
MFA alone won’t protect you in 2025: the new cybersecurity imperative
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
A padlock resting on a keyboard.
Massive botnet is targeting Microsoft 365 accounts across the world
Latest in Security
Woman shocked by online scam, holding her credit card outside
Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
Woman using iMessage on iPhone
UK government guidelines remove encryption advice following Apple backdoor spat
Cryptocurrencies
Ransomware’s favorite Russian crypto exchange seized by law enforcement
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
HTTPS in a browser address bar
Malicious "polymorphic" Chrome extensions can mimic other tools to trick victims
ransomware avast
Hackers spotted using unsecured webcam to launch cyberattack
Latest in News
A collage of Ellie and Joel in The Last of Us season 2
The Last of Us season 2's new trailer teases a huge showdown between Bella Ramsey's Ellie and Pedro Pascal's Joel, but the big moment I'm waiting for is still being held back
Apple iPhone 16 Pro Max REVIEW
New iPhone 17 Air leak may have revealed some key specs – and how it compares to the iPhone 17 Pro Max
Gaming with AI
I asked Gemini to play a text-based adventure game with me and the AI whisked me away to a word-based fantasy
Apple iPhone 16 Review
Three iPhone 17 model dummy units appear in a hands-on video leak
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
New Samsung Galaxy S25 Edge may have revealed some key details – including its price
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 10 (game #1141)
More about security
Woman shocked by online scam, holding her credit card outside

Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
Cryptocurrencies

Ransomware’s favorite Russian crypto exchange seized by law enforcement
Gaming with AI

I asked Gemini to play a text-based adventure game with me and the AI whisked me away to a word-based fantasy
See more latest
Most Popular
Gaming with AI
I asked Gemini to play a text-based adventure game with me and the AI whisked me away to a word-based fantasy
A collage of Ellie and Joel in The Last of Us season 2
The Last of Us season 2's new trailer teases a huge showdown between Bella Ramsey's Ellie and Pedro Pascal's Joel, but the big moment I'm waiting for is still being held back
Molecular hard drive
Chinese researchers are looking to create a revolutionary type of hard drive based on organic materials but huge unknowns remain
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 10 (game #1141)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 10 (game #372)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 10 (game #638)
Apple iPhone 16 Pro Max REVIEW
New iPhone 17 Air leak may have revealed some key specs – and how it compares to the iPhone 17 Pro Max
Dynabook Portégé Z40L-N
Dynabook's newest laptop has a 4-year warranty, a swappable battery, a weight of under 1 kg, and even a LAN port
Cortical Labs CL1
A breakthrough in computing: Cortical Labs' CL1 is the first living biocomputer and costs almost the same as 'Apple's best failure'
Workplace AI Adoption
ChatGPT remains the most popular AI tool in offices worldwide, survey finds, with India leading the way