Microsoft alleges that an Egyptian hacker has been selling phishing kits to cybercriminals.
Microsoft has disrupted a major provider of phishing services called ONNX by using a court order to seize 240 domains that powered the hacking activities.
According to Microsoft, ONNX was one of the top five phishing kit providers by volume for the first half of 2024. ONNX, previously known as Caffeine, lets cybercriminals automatically create and send phishing emails to targets in return for monthly fees that start at $150.
"Numerous cybercriminal and online threat actors purchased these kits and used them in widespread phishing campaigns to bypass additional security measures and break into Microsoft customer accounts," the company said in Thursday's announcement. This includes stealing two-factor authentication codes from victims.
To hit back, Redmond secured a court order in the Eastern District of Virginia to redirect ONNX's technical infrastructure to Microsoft. The company's civil complaint was unsealed on Thursday, and the resulting order gave Microsoft control over the domains that hosted the phishing attacks.
Microsoft said it's been tracking ONNX-related phishing activity since 2017. This led the company to uncover evidence that a hacker in Egypt named Abanoub Nady has been running the service -- a finding that aligns with other cybersecurity research from Dark Atlas.
In the lawsuit, Microsoft noted that the phishing emails from ONNX were often designed to steal login information from targets and perpetrate other crimes, such as spreading ransomware. Earlier this year, security researchers also spotted ONNX sending phishing emails that contained QR codes to redirect users to malicious web pages, which could be dressed up as fake Microsoft 365 login sites.
Microsoft adds that ONNX often targeted users in the financial services industry. However, the phishing service went quiet in June after security researchers outed Nady's ties to ONNX. Prior to that, Nady allegedly marketed the phishing service on the Telegram messaging app while also posting videos on social media, showing how customers could use his phishing kit to hack prospective targets.