A popular phishing-as-a-service (PaaS) platform has raised concerns in the security industry, targeting accounts protected by multi-factor authentication (MFA). Over 120,000 phishing emails have been sent during the past several months to steal Microsoft 365 accounts from 100+ organizations, predominantly impacting top executives. In recent campaigns, the PaaS mimicked well-known brands, leading victims to authentic-looking phishing pages.
Security researchers recently documented a phishing-as-a-service (PaaS) platform providing brand impersonation, bot detection evasion, and open redirections. The PaaS platform increasingly targets accounts protected by multi-factor authentication (MFA). In the past several months, around 120,000 phishing emails were sent, designed to steal Microsoft 365 accounts belonging to over 100 organizations.
This surge in successful cloud account takeover incidents has predominantly affected top-tier executives, signaling a substantial security challenge. Indeed, researchers noticed that attackers prioritized "VIP" targets and ignored lower-level accounts. Among the breached accounts, 39% were top-level executives, 9% were CEOs and VPs, 17% were chief financial officers, and the rest were employees with access to financial or sensitive information.
Compromising such accounts enables attackers to impersonate executives, exploit their seniority, perform malicious actions while avoiding detection, and spread malware across affected organizations. Since September 2022, the PaaS platform has been advertised on cybercriminal forums and is priced between $150 to $600, offering to target a range of account types, such as Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI.
In March 2023, a new phishing campaign was observed involving the PaaS service, with deceptive emails posing as recognizable brands, such as Adobe, DocuSign and Concur. If the victim clicks on the link included in the phishing emails, they will be redirected through YouTube or SlickDeals, followed by multiple redirections meant to decrease the likelihood of detection and examination. Finally, victims land on one of the PaaS’ phishing pages, which mimics the Microsoft 365 login page, adopting the victim's organization theme to make it look authentic and decrease the victims’ suspicions.
With regard to the operators’ origin, the PaaS platform routes user traffic originating from Turkish IP addresses to the genuine webpage, outside of the attacker's control. If this is deliberate, the campaign's operators may be intentionally avoiding Turkish targets, potentially revealing the attackers' Turkish origin. On the other hand, several VPNs in other non-Turkish locations are also blocked from accessing the malicious phishing pages.
After successfully compromising a Microsoft 365 account, attackers eventually implement their own multi-factor authentication technique using the Authenticator App with notification and code to gain persistence.
As mentioned in the previous section, the PaaS tool has been heavily advertised on underground forums recently. Indeed, Cybersixgill collected the following post on the leading English-language cybercrime forum advertising the PaaS platform, claiming its phishing pages are identical to legitimate webpages. The ad also touted the tool’s ability to harvest victim accounts’ logins, passwords and cookies.
The post also listed dozens of legitimate services that the tool exploits for account compromise, including Microsoft, Google, iCloud, Dropbox, GitHub, LinkedIn and more. For most of these services, the PaaS operators listed prices ranging from $150 to $400, with Google accounts costing $600. The PaaS operators also listed additional features that the tool possesses in order to attract interested buyers.
Ironically, the threat actors added a disclaimer at the end of the post, saying that this software is intended to be used in legitimate penetration tests or research only, and that the operator “will accept no liability and are not responsible for any misuse or damage caused by software or for any actions taken by users.” The operators also claimed that the tool is designed for “security awareness purposes” to improve resilience against phishing attacks. Threat actors frequently include such disclaimers to feign legitimacy or obfuscate their true intentions. Despite such disclaimers, the operators' decision to promote the PaaS tool on a significant cybercrime forum reflects their attempt to market the product to threat actors.
Figure 1: The PaaS platform advertised on a cybercrime forum
Cybersixgill also collected the post below shared by a threat actor with a low reputation score on a Russian-language cybercrime forum. The poster sought assistance setting up and configuring the PaaS to ensure the longevity of domains used in their campaigns. According to the threat actor, their domains were marked as malicious ("turning red") almost immediately after they started a campaign, indicating that their current setup is not effective in avoiding detection, potentially raising questions about the tool's defense evasion techniques.
The forum member directed threat actors to send their prices privately on the forum and required escrow service (an intermediary overseeing transactions), specifying that payments will only be released if domains remain active for at least a day with traffic. While no public replies were observed on this post, threat actors might have contacted the poster privately.
Figure 2: A threat actor seeks assistance on a Russian cybercrime forum to configure the PaaS tool
Reverse proxy phishing kits such as the PaaS tool discussed in this report represent an increasing menace that execute sophisticated phishing attacks on a large scale, evading security measures and account safeguards. The consequences of such attacks can be far-reaching and include possible financial losses, data breaches and reputational damage, among other outcomes.
To defend against such threats, organizations must enforce email filtering rules, and instruct employees not to click on links or attachments in suspicious emails. Specifically, users should double-check email senders’ identities before opening attachments or clicking links. They should also remain vigilant with regard to misspelled URLs to avoid entering credentials into fraudulent websites. Finally, organizations should instruct personnel to exercise additional caution when using MFA codes for corporate services.
 Phishing-as-a-service (PaaS) operations provide ready-to-go phishing tools in exchange for a fee.
 This phishing-as-a-service platform utilizes reverse proxies to forward authentication requests and user credentials between the target user and the authentic service website. This technique allows attackers to intercept user credentials, valid session cookies and effectively sit in the middle of the MFA process.
 PyPI is the Python Package Index, a repository for Python software packages. It hosts libraries, frameworks, and tools that Python developers can use to create various applications.
 Adobe is an American software company known for its multimedia and creativity software products.
 DocuSign is a company that provides electronic signature technology and digital transaction management services.
 Concur is a travel and expense management software solution developed by SAP. It helps businesses and organizations manage travel expenses, invoices, and employee expenses more efficiently.
 Slickdeals is a community-driven online platform where users share deals, discounts, and offers on a wide range of products and services.
 To keep the user's email address safe from automated scanning, the attackers used a unique encoding method. They also utilized compromised legitimate websites to upload PHP code for decoding the email of a specific user. Once decoded, the user was directed to the customized phishing page designed specifically for their organization.
 The Authenticator App is a mobile tool that adds an extra layer of security by generating time-based passwords or sending push notifications for multi-factor authentication during login.