Phishing as a Service (PhaaS) kits used to target Microsoft 365 credentials
PhishFort recently identified a marked resurgence in Microsoft 365 credential-harvesting attempts, echoing tactics once prevalent in the now-defunct Phishing as a Service (PhaaS) operation known as Caffeine Store. While Microsoft 365 is a common target for credential-harvesting attacks, the recent spike is notable for its sheer volume and distinct characteristics.
The Unique Traits of the Recent Attacks
These attacks are not random; they are considered to be highly targeted and sophisticated due to the following key features we observed:
Surplus Backup Domains: Using the R01-RU registrar together with a Domain Generation Algorithm (DGA), the attackers dynamically generated hundreds of domains. This strategy significantly boosts the campaign's resilience against domain takedowns.
Automated Detection Prevention: To restrict access to their phishing sites, the attackers cleverly used a Cloudflare CAPTCHA together with User-Agent and IP filtering.
User Targeting: Specific individuals belonging to particular teams within the affected organisations were targeted, indicating a wider purpose behind the campaigns.
Understanding Phishing as a Service (PhaaS)
Given the widespread prevalence of phishing attempts, it can appear deceptively simple to create a phishing campaign. However, successful phishing attacks typically require a blend of numerous specialised skills, tactics and infrastructure: First, there's social engineering, which involves crafting believable messages that mimic legitimate communications to trick recipients into some type of action, often to click on a link. As most of you would know, these messages typically attempt to exploit human nature, by creating a sense of urgency or abusing a trusted relationship.
The majority of attacks require a fake website that closely resembles a legitimate site. This site is typically used to capture the victim's personal information, login credentials, or financial details, depending on the objective. Traditionally, technical expertise was required for setting up and managing these fake websites, often along with registering legitimate-looking domain names and valid certificates.
Phishing as a Service (PhaaS) platforms cater to all of these requirements by offering a suite of features that streamline this entire process. These services provide user-friendly templates for emails and web pages that mimic reputable sources, making it easier to create believable lures. They often include hosting services for these fake sites, along with tools to manage and distribute phishing emails. Advanced PhaaS offerings may also provide analytics to track the success rate of campaigns. By offering these comprehensive tools in a single package, PhaaS platforms enable individuals with varying levels of technical expertise to conduct sophisticated phishing operations with ease.
In essence, these platforms democratize cybercrime by providing ready-to-use kits, simplifying attacks for individuals with minimal skills. This evolution diversifies threat actors, increases attack frequency and sophistication, resulting in more refined attacks against a broader range of targets.
The Caffeine PhaaS: A Case Study
In September 2021, the Caffeine Store Telegram Channel was launched, marked by an initial post from MRxC0DER introducing a new Microsoft Office 365 (Version 8) phishing kit with innovative features.
This release triggered a global surge in Microsoft 365 phishing attacks. What set Caffeine Store apart was its unusually transparent operation – instead of the typical private forums, exclusive Telegram channels, or darkweb sites, they simply used a regular website with a standard login/signup page.
This effectively meant anyone could sign up and create a robust phishing campaign in minutes.
After signing up, new users are directed to Caffeine's main dashboard where they can buy, configure and launch their attack.
Caffeine's main dashboard (Mandiant)
At this stage, users are presented with numerous choices, allowing them to tailor dynamic URL patterns for generating pages on the fly, pre-filling them with potential victim data for enhanced campaign deception. The platform also offers options for crafting initial campaign redirect pages and compelling final lure pages. Furthermore, users can blacklist specific IP addresses and restrict connections based on their geographic origin.
Caffeine scam settings (Mandiant)
Upon completing the configuration, customers can pick their preferred template and activate the phishing campaign. They have the option to employ Caffeine's integrated Python/PHP email management tool to dispatch phishing emails to their targets, eliminating the necessity for external utilities.
PhishFort's Experience with Caffeine's Campaign
PhishFort had its first encounter with a Caffeine Store generated campaign in December 2021. An affiliate group had launched a targeted campaign against the DevOps team of one of our clients in an attempt to steal their Microsoft 365 credentials. A successful attack of this kind could be particularly severe. DevOps teams often have extensive access to a company's software development and operational infrastructure. If their Microsoft 365 credentials were compromised, it could lead to unauthorised access to sensitive company data, internal communications, codebases, and potentially the company's entire cloud infrastructure.
Investigating the recent spike in Office 365 Phishing Campaigns
The first wave of attacks was launched around mid-2022. These attacks continued sporadically throughout 2023, with one or two incidents appearing every couple of months. However, in October, PhishFort experienced a significant surge in Microsoft 365 attacks. Investigating one of these revealed a well-crafted campaign.
For instance, a phishing site resembling the incident we encountered in December 2021 was discovered. This deceptive site precisely mirrored the authentic customized Microsoft login page used by our client and was specifically aimed at the head of the DevOps team. What set this campaign apart was its cunning nature—the inclusion of the target user's email (in this case, the head of DevOps) in the login flow. This tactic simulated Microsoft's standard procedure of displaying saved emails for user convenience, making the attack particularly deceptive.
What was even more concerning was the revelation that the phishing kits also contained extended logic enabling the attackers to verify whether the email address entering credentials fell within their pre-defined “scope”:
When we tried any other email address, even ones on the same domains, the check failed with the following error:
"message": "We couldn't find an account with that username. Try another account."
However, entering the target’s email gives a “successful check” response and the logic moves to the login page so that the targeted user’s credentials can be harvested.
In summary, the attackers' decision to restrict payload access to a specific group of targets in this phishing campaign is a calculated move to increase its effectiveness, reduce risk of detection, optimize resources, and ensure a higher success rate with valuable targets.
This level of detail indicates a high degree of planning and customisation, aimed at increasing the likelihood of the targeted individual entering their credentials, believing they are accessing a genuine company resource.
Upon receiving notification of this attack, PhishFort promptly initiated an investigation into what proved to be a particularly intriguing assault. The attacks were scattered throughout the year (2023) until a massive campaign was launched between the third and fourth quarters of the year.
The attacks were targeting mostly cash-heavy industries as shown below:
Over 77% of the attacks targeted blockchain software companies (crypto wallets and exchanges). More than 5% were aimed at banks and credit bureaus. Consequently, the finance sector, encompassing blockchain companies, banks, and credit bureaus, accounted for a combined 83% of all attacks.
Another significant focus of attacks was the Chemical Industry. More than 16% of the attacks aimed to compromise U.S. speciality chemical manufacturing companies, particularly those specializing in products used in electric vehicle batteries, flame retardants, petroleum refining, and pharmaceutical applications.
Targeted attacks increase the likelihood of success because they are tailored using knowledge about the victim. In essence, due to its targeted nature and other attributes, this campaign demonstrated a high level of sophistication and effort to maximise its success rate while minimising the chances of detection and disruption. All the observed phishing campaigns resembling kits sold by Caffeine Store share the same features and general MO.
There’s what seems to be an AI-generated phishing email sent to the target from clearly fake email addresses.
When the target clicks the link they are taken through a Cloudflare CAPTCHA that also validates their IP address and browser.
When they pass these checks they are taken to a DGA domain phishing page with a convincing-looking Microsoft 365 login with their email address already prefilled.
After their email is validated they are taken to the exfil form.
The phishing page could not be rendered by automated scanning tools.
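As an added defender-side example (not from the post or from PhishFort), the chain above can be triaged from web-proxy logs: the two traits a defender can observe are a corporate email pre-filled in the URL of a login page on a non-Microsoft host, and a high-entropy, DGA-style host label. The log lines, domain names and the entropy threshold are constructed for illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import unquote, urlparse

# Constructed sample proxy log lines (timestamp, user, URL); not from the original post.
SAMPLE_PROXY_LOG = """\
2023-10-12T09:14:02Z jdoe https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc
2023-10-12T09:15:47Z jdoe https://x7qk3mzp2v.example-dga.ru/common/login?login_hint=jdoe%40corp.example
2023-10-12T09:16:10Z asmith https://intranet.corp.example/portal?user=asmith
"""
# Hosts where a pre-filled corporate email in the URL is expected and benign.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
LOGIN_PATH_RE = re.compile(r"/(login|signin|oauth2|common)\b", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def label_entropy(label: str) -> float:
    """Shannon entropy (bits/char) of a hostname label; high values hint at DGA-style names."""
    n, counts = len(label), Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_prefilled_email(url: str):
    """Return an email address embedded in the path, query or fragment, or None."""
    p = urlparse(url)
    m = EMAIL_RE.search(unquote(f"{p.path} {p.query} {p.fragment}"))
    return m.group(0).lower() if m else None


def score_url(url: str, protected_domains: set) -> list:
    """Reasons a URL resembles the campaign's lure chain; an empty list means nothing suspicious."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_LOGIN_HOSTS:
        return []
    reasons = []
    email = find_prefilled_email(url)
    if email and email.split("@", 1)[1] in protected_domains:
        reasons.append(f"corporate email pre-filled in URL ({email})")
    label = host.split(".")[0]
    # The 3.0-bit threshold is an assumption tuned for this sample, not a published value.
    if len(label) >= 8 and label_entropy(label) >= 3.0 and LOGIN_PATH_RE.search(urlparse(url).path):
        reasons.append(f"login-like path on DGA-looking host label '{label}'")
    return reasons


def triage(log_text: str, protected_domains: set) -> list:
    """Return (user, url, reasons) for every log line that trips at least one check."""
    rows = (line.split(maxsplit=2) for line in log_text.splitlines())
    return [(user, url, r) for _ts, user, url in rows if (r := score_url(url, protected_domains))]
```

Run against real proxy exports, the protected-domain set should hold every mail domain the organisation owns, and the trusted-host allowlist should be extended with any legitimate federated identity providers in use.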
It remains uncertain whether these attacks originate from previous customers of the Caffeine PhaaS, possibly employing the strategies provided with their kit purchases, or whether they are being directly orchestrated by the author, MRxC0DER, using their own kits. The reasons for this widespread resurgence are currently unclear. However, there is a possibility that it could be connected to or influenced by the recent Storm-0558 attacks.