A sophisticated phishing-as-a-service toolkit, Rockstar 2FA, has emerged as a significant security threat targeting Microsoft 365 users. This advanced toolkit, an evolution of the DadSec (Phoenix) phishing kit, is being tracked by Microsoft under the designation Storm-1575.
The toolkit, priced between $200 and $350 on underground markets, employs features designed to bypass security measures, including two-factor authentication (2FA). Its primary capabilities include credential theft, session cookie extraction, and compromise of MFA-enabled accounts through adversary-in-the-middle attacks.
Technical Infrastructure:
– Advanced antibot protection systems
– Authentic-looking login page templates
– Sophisticated phishing link concealment
– Integrated Telegram bot functionality
– Comprehensive campaign management interface
The attack methodology leverages multiple vectors, including:
– Diverse delivery methods (URLs, QR codes, attachments)
– Trusted platform exploitation (Microsoft OneDrive, Google Docs, Atlassian)
– Legitimate link redirectors
– Cloudflare Turnstile implementation for bot prevention
This campaign particularly threatens corporate environments by circumventing standard security protocols, compromising legitimate accounts, and deploying advanced social engineering techniques. Security professionals emphasize the need for increased vigilance and strengthened authentication measures to counter this evolving threat.
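The session-cookie extraction described above leaves a detectable trace: a session minted by an MFA-backed sign-in is later presented from an address the victim never used. The following is an added defender-side example, not code from the article or from Microsoft; the log records, their field names and the IP addresses are constructed for illustration and do not follow any vendor's sign-in log schema.

```python
"""Flag session-cookie replay: a session minted by an MFA-backed sign-in
that is later presented from a different IP address. Log records and
field names below are constructed assumptions, not a vendor schema."""
from datetime import datetime, timedelta

# Constructed sample: alice completes MFA from 203.0.113.10, then her
# session identifier is presented from 198.51.100.7 six minutes later.
# bob's session is reused only from the IP that satisfied MFA.
SAMPLE_LOG = [
    {"ts": "2024-11-28T09:00:00Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "session_id": "sess-a1", "auth": "password+mfa"},
    {"ts": "2024-11-28T09:06:00Z", "user": "alice@example.com",
     "ip": "198.51.100.7", "session_id": "sess-a1", "auth": "session_cookie"},
    {"ts": "2024-11-28T10:00:00Z", "user": "bob@example.com",
     "ip": "203.0.113.20", "session_id": "sess-b1", "auth": "password+mfa"},
    {"ts": "2024-11-28T10:30:00Z", "user": "bob@example.com",
     "ip": "203.0.113.20", "session_id": "sess-b1", "auth": "session_cookie"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replay(records, window=timedelta(hours=24)):
    """Return alerts for sessions reused from an IP other than the one
    that satisfied MFA, within `window` of the original sign-in."""
    origin = {}  # session_id -> (user, ip, ts) of the MFA-backed sign-in
    alerts = []
    for rec in sorted(records, key=lambda r: parse_ts(r["ts"])):
        sid, ts = rec["session_id"], parse_ts(rec["ts"])
        if rec["auth"] == "password+mfa":
            origin[sid] = (rec["user"], rec["ip"], ts)
            continue
        if rec["auth"] != "session_cookie" or sid not in origin:
            continue  # no MFA origin seen for this session; nothing to compare
        user, origin_ip, origin_ts = origin[sid]
        if rec["ip"] != origin_ip and ts - origin_ts <= window:
            alerts.append({
                "user": user, "session_id": sid,
                "mfa_ip": origin_ip, "replay_ip": rec["ip"],
                "minutes_after_mfa": (ts - origin_ts).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_LOG):
        print(alert)
```

In a real tenant the same comparison would be run on exported sign-in events, ideally on ASN or device identity rather than raw IP so that mobile address changes do not flood the rule.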