Microsoft has seized 240 fraudulent websites associated with “do-it-yourself” phishing kits used by cybercriminals globally to break into customer accounts.
The action was enabled by a civil court order in the Eastern District of Virginia that allowed the malicious technical infrastructure to be redirected to Microsoft, permanently taking these domains out of use in phishing attacks.
The websites are associated with Abanoub Nady, an Egypt-based individual known online as “MRxC0DER,” who developed and sold the phish kits to threat actors globally, fraudulently using the Open Neural Network Exchange (ONNX) brand name to sell these services.
ONNX is a legitimate open standard format and open source runtime for representing machine learning models, enabling interoperability between different hardware, frameworks, and tools for easier deployment and scalability.
Nady and his associates marketed and sold their illicit offerings through branded storefronts, including the fraudulent ONNX Store.
In addition to the domain seizures, the Linux Foundation, which owns the registered “ONNX” name and logo, and Microsoft have sued Nady and four unidentified people for running the fraudulent ONNX operation. The court has notified the defendants that they must appear in the case or Microsoft and the Linux Foundation will win by default judgment.
Microsoft said the action will substantially hamper the fraudulent operations of MRxC0DER.
“Taking action sends a strong message to those who choose to replicate our services to harm users online: we will proactively pursue remedies to protect our services and our customers and are continuously improving our technical and legal strategies to have greater impact,” the tech giant stated.
However, the firm acknowledged that other providers will fill the void and it expects threat actors to adapt their techniques in response.
ONNX Enabling Phishing Operations to Grow and Scale
Microsoft said the phishing-as-a-service (PhaaS) operation run by Nady makes up a significant portion of the tens to hundreds of millions of phishing messages it sees every month.
The ONNX operation was among the top five phish kit providers by email volume in the first half of 2024.
The financial services industry has been particularly heavily targeted by phish kits sold through ONNX because of the sensitive data and transactions it handles, the firm noted.
The phish kits are designed to send emails at scale, specifically for coordinated phishing campaigns. They enable cybercriminal customers to conduct their own phishing attacks using the templates provided and the fraudulent ONNX technical infrastructure, including the website domains.
Cybercriminals can also use domains they purchase elsewhere and connect to the fraudulent ONNX technical infrastructure, enabling their phishing operations to grow and scale.
The kits also facilitate adversary-in-the-middle (AiTM) phishing, in which the phishing page acts as a reverse proxy between the victim and the legitimate login service: the victim's credentials and MFA response are relayed to the real site, and the kit captures both the credentials and the resulting authenticated session cookie. Replaying that cookie gives the attacker a signed-in session without having to pass multi-factor authentication (MFA) themselves.
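As an added example (not code from the article, Microsoft or the ONNX kits), the following Python check illustrates the defender's side of the AiTM cookie-theft step above: a session cookie that completed MFA from one client and is later presented from a different client is flagged as a likely replay. The pipe-separated event format and the log lines are constructed for this example and are not any vendor's real schema; note that in a genuine AiTM case the client that completes MFA is the kit's proxy, not the victim's browser, so this detection fires when the operator later uses the stolen cookie from their own machine.

```python
"""
Detect replay of an MFA-authenticated session cookie from a different client,
the post-compromise step of an adversary-in-the-middle (AiTM) phishing kit.

Added example. The event layout below is hypothetical:
    timestamp|kind|user|session_id|client_ip|user_agent
where kind is "mfa_success" (MFA completed for a fresh session) or
"session_use" (a request carrying that session cookie).
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts kind user session_id ip user_agent")


def parse_line(line):
    """Parse one constructed log line into an Event."""
    ts, kind, user, session_id, ip, user_agent = line.strip().split("|", 5)
    return Event(datetime.fromisoformat(ts), kind, user, session_id, ip, user_agent)


def find_session_replay(lines, window=timedelta(hours=8)):
    """Return (user, session_id, mfa_ip, replay_ip) for each session cookie
    presented from a client (IP, User-Agent) that differs from the client
    which completed MFA for that session inside `window`.

    Sessions with no recorded MFA completion, or older than `window`, are
    skipped: they are a different question (token lifetime) from replay.
    """
    bound = {}      # session_id -> Event that completed MFA
    seen = set()    # (session_id, ip, user_agent) already reported
    alerts = []
    for ev in sorted(map(parse_line, lines), key=lambda e: e.ts):
        if ev.kind == "mfa_success":
            bound[ev.session_id] = ev
            continue
        if ev.kind != "session_use":
            continue
        origin = bound.get(ev.session_id)
        if origin is None or ev.ts - origin.ts > window:
            continue
        if (ev.ip, ev.user_agent) != (origin.ip, origin.user_agent):
            key = (ev.session_id, ev.ip, ev.user_agent)
            if key not in seen:
                seen.add(key)
                alerts.append((ev.user, ev.session_id, origin.ip, ev.ip))
    return alerts


# Constructed sample events (hypothetical users, documentation IP ranges).
# For alice, the client that completed MFA (203.0.113.7) would, in an AiTM
# case, be the phishing kit's proxy; the later use from 198.51.100.23 with a
# different browser is the operator replaying the captured cookie.
FIREFOX_WIN = "Mozilla/5.0 (Windows NT 10.0; rv:126.0) Gecko/20100101 Firefox/126.0"
CHROME_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0.0.0 Safari/537.36"

SAMPLE_LOG = [
    f"2024-06-03T09:00:00|mfa_success|alice@example.com|sess-1|203.0.113.7|{FIREFOX_WIN}",
    f"2024-06-03T09:05:00|session_use|alice@example.com|sess-1|203.0.113.7|{FIREFOX_WIN}",
    f"2024-06-03T09:10:00|mfa_success|bob@example.com|sess-2|192.0.2.10|{CHROME_LINUX}",
    f"2024-06-03T09:12:00|session_use|bob@example.com|sess-2|192.0.2.10|{CHROME_LINUX}",
    f"2024-06-03T09:40:00|session_use|alice@example.com|sess-1|198.51.100.23|{CHROME_LINUX}",
    f"2024-06-03T10:00:00|session_use|alice@example.com|sess-1|198.51.100.23|{CHROME_LINUX}",
    f"2024-06-03T10:30:00|session_use|carol@example.com|sess-9|192.0.2.44|{FIREFOX_WIN}",
]

if __name__ == "__main__":
    for user, session_id, mfa_ip, replay_ip in find_session_replay(SAMPLE_LOG):
        print(f"ALERT {user}: session {session_id} bound to {mfa_ip} "
              f"replayed from {replay_ip}")
```

The check deduplicates repeated use from the same new client so one stolen cookie produces one alert. It is a detection, not a fix: the mitigation for AiTM is to stop the cookie being usable elsewhere (phishing-resistant MFA such as FIDO2, token binding or device-based conditional access) and to revoke sessions on alert.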
The fraudulent ONNX operation offers customers a subscription model with Basic, Professional and Enterprise options, each giving a different tier of access and support.
Enterprise users can also purchase the add-on feature of “Unlimited VIP Support,” which provides step-by-step instructions on how to use the phishing kits successfully.
The phish kits are promoted, sold and configured almost exclusively through Telegram.
Microsoft said it has tracked activity tied to Nady’s operation as far back as 2017. Other branded storefronts used alongside ONNX to sell the phish kits included “Caffeine” and “FUHRER.”