Microsoft Shuts Down ONNX Phishing Service, Seizes 240 Domains; Operator Identified as MRxC0DER
November 21, 2024
ONNX marketed its phishing kits on Telegram, offering subscription models priced between $150 and $550 per month, enabling users to launch large-scale phishing campaigns.
On November 21, 2024, Microsoft announced the disruption of the ONNX phishing service, identifying Abanoub Nady, also known as MRxC0DER, as the alleged operator.
The ONNX platform employed Telegram bots for controlling attacks and included mechanisms for bypassing two-factor authentication (2FA).
The phishing operations primarily targeted employees in financial firms using QR code phishing tactics, also known as 'quishing'.
This action aligns with Microsoft's goal to protect customers by dismantling malicious infrastructure and discouraging future cybercriminal activities.
Microsoft seized 240 domains associated with ONNX, a phishing-as-a-service platform operational since 2017, significantly impacting Nady's operations.
The platform used bulletproof hosting services and self-decrypting encrypted JavaScript to evade detection, complicating efforts to combat its operations.
While this legal action disrupts ONNX's activities, Microsoft warns that other threat actors may emerge to fill the void and adapt their techniques.
Phishing emails from ONNX often contained malicious PDF attachments with QR codes that directed victims to counterfeit Microsoft 365 login pages.
A civil court order from the Eastern District of Virginia allowed Microsoft to redirect the seized domains to itself, permanently disrupting ONNX's phishing activities.
ONNX was involved in adversary-in-the-middle (AitM) phishing, which allowed attackers to bypass multi-factor authentication by intercepting user authentication.
Cybercriminals using ONNX effectively intercepted 2FA requests, complicating detection efforts and prolonging the existence of phishing domains.
Summary based on 3 sources
Sources
BleepingComputer • Nov 21, 2024
Microsoft disrupts ONNX phishing-as-a-service infrastructure
Dark Reading • Nov 21, 2024
Microsoft Takes Action Against Phishing-as-a-Service Platform
SecurityWeek • Nov 22, 2024
Microsoft Disrupts ONNX Phishing Service, Names Its Operator