A new phishing-as-a-service (PhaaS) platform named Rockstar 2FA has emerged, enabling adversary-in-the-middle (AiTM) attacks to bypass multifactor authentication (MFA) and steal Microsoft 365 credentials.
Attack Methodology
Like other AiTM platforms, Rockstar 2FA intercepts session cookies to bypass MFA protections. The attack involves:
- Directing victims to a fake Microsoft 365 login page.
- Tricking victims into entering their credentials.
- Acting as a proxy to forward credentials to Microsoft’s legitimate service, completing authentication.
- Capturing the session cookie returned to the victim’s browser, which attackers can use to access the account without needing the credentials.
Rockstar 2FA’s attack flow
Source: Trustwave
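The session-cookie replay described above leaves a trace defenders can look for: the same session is used from a client that differs from the one that completed the sign-in. The following Python is an added example, not code from the article or from Trustwave; it runs over constructed sample sign-in and activity records (field names are assumptions) and flags a session whose cookie is reused from a different IP address or user agent shortly after authentication.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in and activity records (not real telemetry).
# Session S1: the victim completes MFA through the AiTM proxy, then the
# captured session cookie is replayed minutes later from another address
# and a non-browser client. Session S2: a normal session, one client only.
SAMPLE_EVENTS = [
    {"ts": "2024-11-20T09:00:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Chrome/130", "action": "SignIn"},
    {"ts": "2024-11-20T09:06:30", "user": "alice", "session": "S1",
     "ip": "198.51.100.7", "ua": "python-requests/2.32", "action": "MailItemsAccessed"},
    {"ts": "2024-11-20T09:10:00", "user": "bob", "session": "S2",
     "ip": "192.0.2.25", "ua": "Chrome/130", "action": "SignIn"},
    {"ts": "2024-11-20T09:20:00", "user": "bob", "session": "S2",
     "ip": "192.0.2.25", "ua": "Chrome/130", "action": "MailItemsAccessed"},
]


def find_session_replays(events, window=timedelta(hours=1)):
    """Return one alert per session whose cookie is later used from a client
    (IP or user agent) that differs from the one that signed in.

    Events are assumed to be dicts with ISO timestamp, user, session id, ip,
    ua and action keys; the earliest event of each session is treated as the
    authenticating sign-in. Only reuse inside `window` of that sign-in is
    flagged, which is where a freshly stolen AiTM cookie is typically used.
    """
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session[ev["session"]].append(ev)

    alerts = []
    for sid, evs in by_session.items():
        first = evs[0]
        t0 = datetime.fromisoformat(first["ts"])
        for ev in evs[1:]:
            t = datetime.fromisoformat(ev["ts"])
            if t - t0 > window:
                break  # events are sorted, so nothing later is in the window
            if ev["ip"] != first["ip"] or ev["ua"] != first["ua"]:
                alerts.append({"session": sid, "user": ev["user"],
                               "signin_ip": first["ip"], "replay_ip": ev["ip"],
                               "replay_ua": ev["ua"], "action": ev["action"],
                               "minutes_after_signin": (t - t0).total_seconds() / 60})
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

In real telemetry the sign-in IP itself belongs to the AiTM proxy rather than the victim, so pairing this check with a list of known proxy or hosting ranges tightens it further.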
The Rise of Rockstar 2FA
Trustwave reports that Rockstar 2FA evolved from earlier phishing kits like DadSec and Phoenix, gaining popularity in the cybercrime community since August 2024.
The service is marketed on platforms like Telegram, priced at $200 for two weeks or $180 for API access renewal.
The Rockstar 2FA admin panel
Source: Trustwave