Microsoft seizes 240 websites used by Egyptian phishing-as-a-service operation ‘ONNX’


Hundreds of websites used by an Egyptian cybercriminal to sell “do-it-yourself” phishing kits have been disrupted by Microsoft and LF Projects, the Linux Foundation entity that holds trademarks on behalf of the open source projects it hosts.

The two companies sued Abanoub Nady and four unidentified people for running ONNX — a key cybercrime operation that is part of the wider phishing-as-a-service industry.

Nady and his team are accused of running 240 fraudulent websites — now seized by Microsoft’s Digital Crimes Unit — that sold kits letting cybercriminals run phishing campaigns designed to bypass security measures such as multi-factor authentication and break into Microsoft customer accounts.

Steven Masada, assistant general counsel with the Digital Crimes Unit, said in a blog post that the financial services industry “has been heavily targeted given the sensitive data and transactions they handle.” 

“Much like how e-commerce businesses sell products, Abanoub Nady and his associates marketed and sold their illicit offerings through branded storefronts, including the fraudulent ‘ONNX Store,’” he said. 

“By targeting this prominent service, DCU is disrupting the illicit cybercriminal supply chain, thereby protecting customers from a variety of downstream threats, including financial fraud, data theft, and ransomware.”

Masada noted that an alert was recently sent to U.S. broker-dealers warning that ONNX tools were being used to target Microsoft 365 users with an attack known as quishing, in which QR codes embedded in PDF attachments redirect victims to phishing URLs. Because the victim typically scans the code with a phone, the link is opened on a personal mobile device rather than on a corporate machine protected by email and web filtering.

Microsoft said it has seen a significant increase in phishing attempts involving QR codes.

LF Projects owns the trademark on the name and logo of ONNX (Open Neural Network Exchange), an open-source format for representing machine learning models; the criminal operation traded on that name.

A spokesperson for the company said it had collaborated with Microsoft “to defend millions of individuals and organizations from a global phishing-as-a-service criminal operation.” 

“We encourage organizations who find themselves in a position to fight one element of a cybercrime problem to identify ways to collaborate and build a stronger collective response,” they said. 

Earlier this year, researchers at the cyber intelligence firm Dark Atlas revealed that Nady was behind ONNX and its predecessors by tracing his identity back to a now-deleted Facebook profile that used the moniker “MRxC0DER.” The researchers even obtained his phone number and LinkedIn profile.

Masada said Microsoft has been tracking Nady since 2017, when he began selling his phishing kits under operations named “Caffeine” or “FUHRER.”

Other researchers were able to reproduce that investigation and confirm Nady was responsible for ONNX. Mandiant also did a deep dive into Caffeine in 2022, highlighting its use by government-backed hacking groups around the world. 

The operation became increasingly professionalized over time, offering cybercriminals different subscription tiers providing add-on features and more hands-on support for how to start phishing email campaigns. 

A screenshot of the scheme’s subscription tiers. Credit: Microsoft

Most of the operation is conducted through Telegram, and customers are offered how-to videos explaining how to operate the phishing kit. 

Through a court action, Microsoft was allowed to redirect the malicious technical infrastructure to its own servers, cutting off cybercriminals’ access to the platform. 

“Effectively combatting cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure,” Masada explained. 

“While today’s legal action will substantially hamper the fraudulent ONNX’s operations, other providers will fill the void, and we expect threat actors will adapt their techniques in response.”


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
