Security researchers have discovered a sophisticated phishing-as-a-service (PhaaS) toolkit named Rockstar 2FA, which poses a significant threat to Microsoft 365 users worldwide. The toolkit represents a dangerous evolution in cybercrime, enabling even technically inexperienced criminals to launch sophisticated credential theft campaigns.
How Rockstar 2FA Circumvents Security Measures
Researchers from Trustwave have found that the Rockstar 2FA toolkit lets attackers bypass traditional security protections. Its most alarming feature is the ability to carry out adversary-in-the-middle (AitM) attacks, which intercept user credentials and session cookies and so render multi-factor authentication (MFA) ineffective.
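As an added defender-side illustration (not code from Trustwave or from the report), the check below flags a session token that is reused from a different client shortly after the MFA-completed sign-in, which is the trace a stolen AitM session cookie leaves in sign-in telemetry. The record format, field names and sample events are constructed for this example.

```python
"""Flag possible AitM session-cookie replay in sign-in telemetry.

Added example, not Trustwave's code: the record layout, field names and
the sample events are constructed. An AitM proxy completes the sign-in
with the victim's credentials and MFA response, then the captured
session cookie is used from the attacker's own client, so one session
token appears from two different client fingerprints close together.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: session s-1a2b is seen from two clients
# within minutes; session s-9f8e is ordinary reuse from the same client.
SAMPLE_EVENTS = [
    {"ts": "2024-11-26T09:00:05", "user": "alice", "session": "s-1a2b",
     "ip": "203.0.113.10", "ua": "Chrome/131 Windows", "mfa": True},
    {"ts": "2024-11-26T09:04:30", "user": "alice", "session": "s-1a2b",
     "ip": "198.51.100.77", "ua": "Firefox/115 Linux", "mfa": False},
    {"ts": "2024-11-26T09:10:00", "user": "bob", "session": "s-9f8e",
     "ip": "203.0.113.20", "ua": "Edge/131 Windows", "mfa": True},
    {"ts": "2024-11-26T11:30:00", "user": "bob", "session": "s-9f8e",
     "ip": "203.0.113.20", "ua": "Edge/131 Windows", "mfa": False},
]


def find_session_replay(events, window=timedelta(minutes=30)):
    """Return one alert per event that presents an existing session token
    from a different IP or user agent within `window` of the sign-in."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort by time
        origin = evs[0]  # the client that completed the interactive sign-in
        t0 = datetime.fromisoformat(origin["ts"])
        for ev in evs[1:]:
            t = datetime.fromisoformat(ev["ts"])
            same_client = ev["ip"] == origin["ip"] and ev["ua"] == origin["ua"]
            if not same_client and t - t0 <= window:
                alerts.append({"user": ev["user"], "session": sid,
                               "origin_ip": origin["ip"], "replay_ip": ev["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_EVENTS):
        print(alert)
```

In production this check would run over the identity provider's sign-in and non-interactive sign-in logs, and comparing ASN or geolocation instead of the raw IP reduces false positives from mobile clients changing addresses.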
Key Features of the Phishing Platform
The Rockstar 2FA toolkit, an upgraded version of the DadSec (Phoenix) phishing kit, offers cybercriminals a comprehensive suite of malicious capabilities:
- Two-factor authentication (2FA) bypass mechanisms
- 2FA cookie harvesting techniques
- Advanced antibot protection
- Customizable login page themes mimicking popular services
- Fully undetectable (FUD) links
- Telegram bot integration for campaign management
Pricing and Accessibility
The toolkit is marketed through various communication platforms, including ICQ, Telegram, and Mail.ru, and it has a disturbingly accessible subscription model. Cybercriminals can purchase access for as low as $200 for two weeks or $350 for a full month, democratizing sophisticated phishing attacks for even novice threat actors.
Trustwave researchers observed that these email campaigns employ diverse initial access strategies, including:
- Malicious URLs
- Deceptive QR codes
- Fraudulent document attachments
The attackers leverage legitimate link redirectors and services like Cloudflare Turnstile to evade detection and strategically use platforms such as Atlassian Confluence, Google Docs Viewer, and Microsoft services to host phishing links.
This threat is part of a larger trend of increasingly sophisticated social engineering attacks. Similar campaigns, like the Beluga phishing operation, have been observed using .HTM attachments to trick users into revealing Microsoft OneDrive credentials.