A new phishing-as-a-service platform, Rockstar 2FA, has emerged as a major security concern for Microsoft 365 users. This advanced platform, evolved from DadSec and Phoenix phishing kits, specializes in bypassing multi-factor authentication through adversary-in-the-middle attacks.
The platform offers comprehensive features for $200 per two-week access, including support for multiple services such as Microsoft 365, Hotmail, GoDaddy, and single sign-on (SSO) portals. It employs evasion techniques, automated tooling, and Cloudflare Turnstile CAPTCHA to screen visitors before serving the phishing page, while allowing customization of phishing pages with organizational branding.
The attack begins by luring victims to a convincing fake login page served through an AiTM server, which proxies traffic between the user and the legitimate service in real time. Because the victim completes the genuine login flow, including the MFA challenge, through the proxy, the kit captures the resulting session cookie; replaying that cookie grants access to the account without re-entering credentials or satisfying MFA again. Visitors who do not match the intended targets are automatically redirected to harmless decoy pages.
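Because the victim legitimately satisfied MFA through the proxy, the stolen cookie carries an MFA claim, so a later replay from the attacker's infrastructure shows up in sign-in logs as a non-interactive sign-in with MFA already satisfied, from a new IP address and browser. The following added example (not code from the article or from any vendor) shows one way to surface that pattern: it parses constructed, Entra ID-style sign-in records and flags a session identifier that was established from one IP address and then used from another. The field names follow the Microsoft Graph signIn resource, but the records, IPs and session IDs are hypothetical.

```python
"""Flag session-cookie replay characteristic of AiTM phishing in sign-in logs.

Added example, not part of the original article. Input records are constructed
to resemble Entra ID sign-in events (NDJSON); all values are hypothetical.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log: alice's session is established interactively with MFA
# from 203.0.113.10, then the same sessionId appears 12 minutes later from a
# different IP and browser without any new MFA event. bob's session stays put.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2024-11-20T08:02:11Z", "userPrincipalName": "alice@example.com", "sessionId": "c0ffee01", "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0", "isInteractive": true, "mfaSatisfied": true}
{"createdDateTime": "2024-11-20T08:14:40Z", "userPrincipalName": "alice@example.com", "sessionId": "c0ffee01", "ipAddress": "198.51.100.77", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/131.0", "isInteractive": false, "mfaSatisfied": true}
{"createdDateTime": "2024-11-20T09:00:05Z", "userPrincipalName": "bob@example.com", "sessionId": "deadbeef", "ipAddress": "203.0.113.22", "userAgent": "Mozilla/5.0 (Macintosh) Safari/17.0", "isInteractive": true, "mfaSatisfied": true}
{"createdDateTime": "2024-11-20T11:30:00Z", "userPrincipalName": "bob@example.com", "sessionId": "deadbeef", "ipAddress": "203.0.113.22", "userAgent": "Mozilla/5.0 (Macintosh) Safari/17.0", "isInteractive": false, "mfaSatisfied": true}
"""


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records into dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_session_replay(events):
    """Return one alert per sign-in that reuses a sessionId from a new IP.

    The first event for each sessionId is treated as the origin (where the
    user really logged in). Any later event in the same session from a
    different ipAddress is flagged; a changed userAgent raises confidence,
    since a replayed cookie is normally used from the attacker's own browser.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sessionId"]].append(ev)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = evs[0]
        for ev in evs[1:]:
            if ev["ipAddress"] == origin["ipAddress"]:
                continue  # same network as the original login; not suspicious here
            alerts.append({
                "userPrincipalName": ev["userPrincipalName"],
                "sessionId": session_id,
                "origin_ip": origin["ipAddress"],
                "replay_ip": ev["ipAddress"],
                "minutes_since_origin": int((ev["ts"] - origin["ts"]).total_seconds() // 60),
                "user_agent_changed": ev["userAgent"] != origin["userAgent"],
                # True means the replayed cookie inherited the MFA claim: the
                # attacker never completed MFA, yet the log says it was satisfied.
                "mfa_inherited": bool(ev["mfaSatisfied"]) and not ev["isInteractive"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(json.dumps(alert, indent=2))
```

In production the IP comparison should be done at the ASN or geolocation level rather than on raw addresses, and known corporate egress ranges and mobile carriers should be allow-listed, otherwise ordinary roaming will generate noise. The more durable signal is the combination shown here: a non-interactive sign-in that reports MFA as satisfied, from a network and browser that never performed the interactive login.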
Since May 2024, the platform has generated over 5,000 phishing domains, using lures such as document-sharing notifications and IT notices. The service distributes its emails through legitimate email marketing platforms and includes bot-detection mechanisms that keep automated scanners away from the live phishing pages.
Despite recent law enforcement efforts to combat similar services, Rockstar 2FA’s emergence underscores the ongoing threat of accessible, affordable phishing tools to organizational cybersecurity.