Microsoft has announced a significant victory in the fight against cybercrime with the successful takedown of ONNX, one of the largest Phishing-as-a-Service (PhaaS) operations. The operation resulted in the seizure of 240 malicious domains and the identification of the platform’s alleged operator, marking a crucial milestone in combating sophisticated phishing threats.
ONNX: A Sophisticated Phishing Infrastructure
Operating since 2017 under aliases including Caffeine and FUHRER, ONNX evolved into a dominant force in the phishing landscape by early 2024. The platform was responsible for distributing hundreds of millions of phishing emails monthly, primarily targeting Microsoft 365 users and customers of other major technology companies.
Advanced Evasion Techniques and Technical Infrastructure
The operation employed sophisticated technical measures to circumvent security systems, including an innovative approach using QR codes embedded within PDF documents. These codes redirected victims to fraudulent Microsoft 365 login pages. Because users typically scanned the codes with personal mobile devices, the phishing link was opened outside the email security controls and managed endpoints that would normally inspect it, effectively bypassing traditional security measures.
Multi-Factor Authentication Bypass Methods
ONNX utilized high-availability hosting infrastructure and encrypted JavaScript code to defeat multi-factor authentication (MFA, including 2FA) protections. The platform implemented real-time code decryption that activated during page loads, so static scanners saw only an opaque encrypted blob rather than the phishing logic, successfully evading detection by anti-phishing systems while harvesting user credentials.
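One defensive angle on the load-time decryption described above is a static heuristic that flags pages whose script feeds the output of a decode or decrypt call straight into eval() or Function(), alongside a long high-entropy string literal. The following is an added example written for this article, not code from the ONNX kit or from Microsoft; the two HTML samples are constructed for illustration and the entropy threshold of 4.5 bits per character is an assumed tuning value.

```python
import math
import re

# Constructed samples (not real kit code): a benign login form script and a
# page that decrypts an opaque blob at load time and hands it to eval().
BENIGN_HTML = """<html><body><script>
document.getElementById('login').addEventListener('submit', validate);
function validate(e){ if(!e.target.user.value){ e.preventDefault(); } }
</script></body></html>"""

SUSPICIOUS_HTML = """<html><body><script>
var k='7f3a9c', p='U2FsdGVkX1+9pZkq3Lm0QxTb8vJ2Hh5rWcN1yGfD6oAeRtKsUuIiPoLzXbMvCn4Q8w7EjYq1Ra5S0dFgHhJkLzXcVbNm';
window.onload=function(){ eval(CryptoJS.AES.decrypt(p,k).toString(CryptoJS.enc.Utf8)); };
</script></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# String literals of 40+ characters: candidates for encrypted/encoded payloads
STRING_RE = re.compile(r"'([^']{40,})'|\"([^\"]{40,})\"")
# eval()/Function() whose argument contains a decode or decrypt call
EXEC_RE = re.compile(r"\b(eval|Function)\s*\(\s*[^;]*?(atob|decrypt|unescape|fromCharCode)")
LOAD_RE = re.compile(r"onload|DOMContentLoaded", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character: encrypted/base64 text sits near 5-6, English near 4."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def analyze_page(html: str) -> dict:
    """Collect indicators of runtime-decrypting script content in an HTML page."""
    scripts = SCRIPT_RE.findall(html)
    blobs = [m.group(1) or m.group(2) for m in STRING_RE.finditer("".join(scripts))]
    max_entropy = max((shannon_entropy(b) for b in blobs), default=0.0)
    return {
        "exec_from_decode": any(EXEC_RE.search(s) for s in scripts),
        "runs_on_load": any(LOAD_RE.search(s) for s in scripts),
        "max_blob_entropy": round(max_entropy, 2),
    }

def is_suspicious(html: str) -> bool:
    """Flag pages where executable code is produced from a decoded high-entropy blob."""
    r = analyze_page(html)
    return r["exec_from_decode"] and r["max_blob_entropy"] >= 4.5  # assumed threshold

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(name, analyze_page(page), "->", is_suspicious(page))
```

A heuristic like this belongs in a sandbox or URL-scanning pipeline as one signal among several; legitimate bundlers also produce long opaque strings, so the eval-from-decrypt pattern is the discriminating part.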
Commercial Structure and Service Offerings
The service operated through Telegram, offering tiered subscription plans ranging from $150 to $550 monthly. These packages were sold at Basic, Professional, and Enterprise levels, providing customized phishing kits designed to target various technology platforms, including Google, Dropbox, Rackspace, and Microsoft.
The operation concluded in June 2024 following an investigation by Dark Atlas researchers, who identified Egyptian national Abanoub Nady (known online as MRxC0DER) as the alleged operator. Through legal proceedings, Microsoft gained control of the malicious infrastructure, with support from the Linux Foundation, which owns the ONNX trademark. This coordinated action ensures the seized domains can no longer be used for phishing campaigns, representing a significant victory in the ongoing battle against cybercrime and demonstrating the effectiveness of public-private partnerships in cybersecurity enforcement.