ONNX MFA Bypass Targets Microsoft 365 Accounts

Published : 23/11/2024   Category : security




The service, likely a rebrand of a previous operation called Caffeine, mainly targets financial institutions in the Americas and EMEA and uses malicious QR codes and other advanced evasion tactics.



A highly organized phishing-as-a-service (PhaaS) operation is targeting Microsoft 365 accounts across financial firms with business email compromise (BEC) attacks that leverage a two-factor authentication (2FA) bypass, QR codes, and other advanced evasion tactics to maximize success, researchers have found.
Security analysts from EclecticIQ in February discovered a broad phishing campaign targeting financial institutions, in which threat actors used QR codes embedded in PDF attachments to redirect victims to phishing URLs, according to a blog post published June 18. Specific organizations targeted included banks, private funding firms, and credit union service providers across the Americas and the Europe, Middle East and Africa (EMEA) region.
EclecticIQ eventually tracked the origin of the campaign to a PhaaS platform called ONNX Store, which operates through a user-friendly interface accessible via Telegram bots, EclecticIQ threat intelligence analyst Arda Büyükkaya wrote in the post.
A key part of the ONNX service is a 2FA bypass mechanism that intercepts 2FA requests from victims using encrypted JavaScript code, to decrease the likelihood of detection and bolster the success rate of attacks, Büyükkaya noted. Moreover, the phishing pages delivered in the attacks are hosted on typosquatted domains and closely resemble Microsoft 365 login interfaces, making them more likely to trick targets into entering their authentication details.
A typical email used in the attack shows a threat actor purporting to send the employee a human resources-related PDF document, such as an employee handbook or a salary remittance slip. The document carries Adobe or Microsoft 365 branding to persuade the recipient to scan a QR code that, once scanned, directs the victim to a phishing landing page.
The use of QR codes is an increasingly common tactic for evading endpoint detection, Büyükkaya noted: because QR codes are typically scanned on mobile phones, and many organizations lack detection or prevention capabilities on employees' mobile devices, these threats are hard to monitor.
The attacker-controlled landing page is designed to steal login credentials and 2FA authentication codes using the adversary-in-the-middle (AitM) method, analysts found.
When victims enter their credentials, the phishing server collects the stolen information via the WebSockets protocol, which allows real-time, two-way communication between the user's browser and the server, Büyükkaya wrote. In this way, attackers can capture and transmit stolen data immediately without the need for frequent HTTP requests, making the phishing operation more efficient and harder to detect, he noted.
Another PhaaS operator, Tycoon, has also used a similar AitM technique and a multifactor authentication (MFA) bypass involving a Cloudflare CAPTCHA, demonstrating how malicious actors are learning from each other and adapting strategies accordingly, Büyükkaya said.
ONNX also overlaps in both Telegram infrastructure and advertising methods with a phishing kit called Caffeine (first discovered by researchers at Mandiant in 2022), the researchers found, so it could be a rebranding of that operation, according to EclecticIQ.
Another scenario is that the Arabic-speaking threat actor MRxC0DER, who is believed to have developed and maintained Caffeine, is providing client support to the ONNX Store, while the broader operation is likely managed independently by a new entity without central management, Büyükkaya wrote.
Another anti-detection measure in the ONNX phishing kit is the use of encrypted JavaScript code that decrypts itself during page load and includes a basic anti-debugging feature. This adds a layer of protection against anti-phishing scanners and complicates analysis, according to the report.
EclecticIQ researchers observed functionality in the decrypted JavaScript code that is specifically designed to steal 2FA tokens entered by victims and relay them to the attacker, who then uses the stolen credentials and tokens in real time to log in to Microsoft 365.
This real-time relay of credentials allows the attacker to gain unauthorized access to the victim's account before the 2FA token expires, circumventing multifactor authentication, Büyükkaya wrote.
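The relay described above works against one-time codes because a code typed into a look-alike page is just as valid on the real login page. It does not work against FIDO2/WebAuthn, and the following added example (not code from the EclecticIQ report, the ONNX kit or Microsoft) shows why, by modelling the relying-party checks on a WebAuthn assertion with only the Python standard library. The browser writes the origin the user is actually on into clientDataJSON and the authenticator writes SHA-256 of the relying-party ID into authenticatorData; a page script cannot alter either, so an assertion produced on a typosquatted domain is rejected even when relayed within seconds. Signature verification is omitted because it needs the registered public key and a crypto library; the host names, challenge and counter values are made up.

```python
"""Why a real-time AitM relay fails against FIDO2/WebAuthn (added example)."""
import base64
import hashlib
import hmac
import json

RP_ID = "login.example.com"                 # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"
FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID,
                   flags: int = FLAG_UP | FLAG_UV, counter: int = 1) -> dict:
    """Simulate what browser + authenticator hand back to the page.

    `origin` is whatever site the user is really on; page script cannot spoof it.
    (A real browser also refuses an rp_id that is not a registrable suffix of
    that origin, which stops the relay even earlier than the server check.)
    """
    client_data = {"type": "webauthn.get",
                   "challenge": b64url_encode(challenge),
                   "origin": origin}
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                 + bytes([flags])                           # flags
                 + counter.to_bytes(4, "big"))              # signature counter
    return {"clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
            "authenticatorData": b64url_encode(auth_data)}


def verify_assertion(assertion: dict, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN,
                     rp_id: str = RP_ID, last_counter: int = 0):
    """Relying-party side. Returns (accepted, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    got_challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(got_challenge, expected_challenge):
        return False, "challenge mismatch (replay, or relay of another session)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: assertion made on {client_data.get('origin')!r}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential was not minted for this RP"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification not asserted"
    counter = int.from_bytes(auth_data[33:37], "big")
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase (cloned authenticator?)"
    return True, "ok"


def demo():
    """Genuine sign-in vs. the same ceremony run on a typosquatted host vs. a replay."""
    challenge = bytes(range(32))   # a real RP would use os.urandom(32) per login
    genuine = make_assertion("https://login.example.com", challenge)
    relayed = make_assertion("https://login-example.com", challenge)   # look-alike domain
    replayed = make_assertion("https://login.example.com", bytes(32))  # stale challenge
    return {"genuine": verify_assertion(genuine, challenge),
            "relayed": verify_assertion(relayed, challenge),
            "replayed": verify_assertion(replayed, challenge)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} accepted={ok} ({why})")
```

The origin and rpIdHash checks are what make a hardware key "phishing-resistant": the attacker can relay the bytes, but the bytes themselves name the wrong site. The challenge and counter checks are standard WebAuthn hygiene that also closes replay and cloned-key cases.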
EclecticIQ provided countermeasures for combating specific tactics used by ONNX Store. To mitigate the threat from QR codes embedded in PDF documents, organizations should block PDF or HTML attachments from unverified external sources in their email server settings. They can also educate employees on the risks of scanning QR codes from unknown sources.
To combat the typosquatted domains used by the threat actor to impersonate Microsoft, organizations can implement domain name system security extensions (DNSSEC), which EclecticIQ lists as protecting domains from multiple cyber threats, including typosquatting. Note that DNSSEC authenticates DNS answers for zones you control and blocks spoofed or poisoned responses; it does not stop an attacker from registering a separately owned look-alike domain, so it should be paired with monitoring for look-alike registrations.
There are also measures defenders can take to combat the theft of 2FA tokens, such as implementing FIDO2 hardware security keys for 2FA (which resist this relay because the browser binds each assertion to the origin the user is actually on, so a signature obtained on a look-alike domain is not valid for the real Microsoft login); setting a short expiration time for login tokens, which limits an attacker's window of opportunity to use them; and using security monitoring tools to detect and alert on unusual behavior, such as multiple failed login attempts or logins from unusual locations.
