New PhaaS ‘Rockstar 2FA’ Bypasses MFA to Hijack Microsoft 365 Accounts

A new phishing-as-a-service (PhaaS) platform named Rockstar 2FA has emerged, enabling adversary-in-the-middle (AiTM) attacks to bypass multifactor authentication (MFA) and steal Microsoft 365 credentials.

Attack Methodology

Like other AiTM platforms, Rockstar 2FA intercepts session cookies to bypass MFA protections. The attack involves:

  1. Directing victims to a fake Microsoft 365 login page.
  2. Tricking victims into entering their credentials.
  3. Acting as a proxy to forward credentials to Microsoft’s legitimate service, completing authentication.
  4. Capturing the session cookie returned to the victim’s browser, which attackers can use to access the account without needing the credentials.
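As an added defensive illustration (not part of Trustwave's reporting or this article), the Python sketch below flags the pattern described above from the defender's side: a session established with MFA from one client that is then used, shortly afterwards, from a different IP address and user agent. The record fields and sample sign-in values are constructed assumptions; map them onto your own sign-in log schema.

```python
from datetime import datetime, timedelta

# Constructed sample of Microsoft 365-style sign-in records (not real log data).
# Field names are assumptions, not a real product schema.
SAMPLE_SIGNINS = [
    {"ts": "2024-11-28T09:00:05Z", "user": "alice@example.com", "session_id": "S1",
     "ip": "203.0.113.10", "ua": "Chrome/130 Windows", "interactive": True, "mfa": True},
    # Same session cookie used 95 seconds later from another IP and browser:
    # consistent with an AiTM proxy replaying the captured cookie.
    {"ts": "2024-11-28T09:01:40Z", "user": "alice@example.com", "session_id": "S1",
     "ip": "198.51.100.77", "ua": "Firefox/132 Linux", "interactive": False, "mfa": False},
    {"ts": "2024-11-28T10:15:00Z", "user": "bob@example.com", "session_id": "S2",
     "ip": "203.0.113.20", "ua": "Edge/130 Windows", "interactive": True, "mfa": True},
    # Normal follow-on use of Bob's session from the same client: no alert.
    {"ts": "2024-11-28T11:40:00Z", "user": "bob@example.com", "session_id": "S2",
     "ip": "203.0.113.20", "ua": "Edge/130 Windows", "interactive": False, "mfa": False},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(records, window=timedelta(hours=24)):
    """Return one alert per non-interactive use of a session whose cookie/token
    was issued after an MFA sign-in from a *different* IP and user agent.
    Requiring both to differ keeps ordinary IP roaming (mobile networks, VPN
    hops) from firing the rule on its own."""
    origin = {}  # session_id -> the interactive MFA sign-in that created it
    alerts = []
    for rec in sorted(records, key=lambda r: parse_ts(r["ts"])):
        sid = rec["session_id"]
        if rec["interactive"] and rec["mfa"]:
            origin.setdefault(sid, rec)
            continue
        first = origin.get(sid)
        if first is None:
            continue  # no MFA origin seen for this session in the data set
        elapsed = parse_ts(rec["ts"]) - parse_ts(first["ts"])
        if elapsed <= window and rec["ip"] != first["ip"] and rec["ua"] != first["ua"]:
            alerts.append({"user": rec["user"], "session_id": sid,
                           "origin_ip": first["ip"], "replay_ip": rec["ip"],
                           "minutes_after_mfa": round(elapsed.total_seconds() / 60, 1)})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_SIGNINS):
        print(alert)
```

In production this heuristic belongs next to token-binding controls rather than in place of them; it only surfaces a replayed cookie after the fact, while phishing-resistant MFA or device-bound tokens prevent the replay from succeeding at all.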

Rockstar 2FA’s attack flow
Source: Trustwave

The Rise of Rockstar 2FA

Trustwave reports that Rockstar 2FA evolved from earlier phishing kits like DadSec and Phoenix, gaining popularity in the cybercrime community since August 2024.

The service is marketed on platforms like Telegram, priced at $200 for two weeks or $180 for API access renewal.

The Rockstar 2FA admin panel
Source: Trustwave

Features and Capabilities

Rockstar 2FA boasts an extensive feature set:

  • Support for Microsoft 365, Hotmail, GoDaddy, and SSO services.
  • Randomized source code and links to evade detection.
  • Cloudflare Turnstile Captcha to filter bots and screen victims.
  • Automated FUD (Fully Undetectable) attachments and links.
  • A user-friendly admin panel with real-time logs and backup options.
  • Multiple login page themes with automatic organization branding (logo, background).

Since May 2024, the platform has established over 5,000 phishing domains, facilitating widespread phishing campaigns.

Phishing emails sent from Rockstar 2FA
Source: Trustwave

Phishing Campaigns

Rockstar 2FA’s phishing campaigns leverage compromised accounts and legitimate email marketing platforms to distribute malicious emails. These emails often feature lures such as:

  • Document-sharing notifications.
  • IT department alerts.
  • Password reset prompts.
  • Payroll-related messages.

Evasion Tactics:

  • QR codes and shortened URLs.
  • PDF attachments embedding phishing links.
  • Cloudflare Turnstile Captcha challenges to filter bots and security researchers.

Volume of Cloudflare Turnstile challenge requests linked to Rockstar 2FA
Source: Trustwave

When targets visit the phishing page, JavaScript evaluates their profile:

  • Valid targets are directed to the phishing site.
  • Non-targets, bots, or security researchers are redirected to a harmless, car-themed decoy page.

Redirecting to a phishing or a decoy page
Source: Trustwave

Implications and Persistence

The emergence of Rockstar 2FA highlights the ongoing evolution of phishing techniques despite law enforcement crackdowns on major PhaaS operators.

As Trustwave notes, the accessibility and low cost of tools like Rockstar 2FA significantly raise the risk of large-scale phishing operations. Businesses and individuals are urged to remain vigilant and deploy robust anti-phishing and authentication measures to mitigate these threats.