According to a recent report by BleepingComputer, organisations within the financial sector have been targeted in a sophisticated attack campaign since February, where employees' Microsoft 365 accounts were compromised using the ONNX phishing-as-a-service platform, suspected to be a revamped version of the Caffeine phishing kit. 

The attackers, posing as human resources departments, sent deceptive emails regarding salary updates with PDF attachments containing QR codes. Upon scanning these codes, recipients were redirected to a counterfeit Microsoft 365 login page undetected by standard phishing protections. EclecticIQ's findings reveal that login credentials and two-factor authentication tokens entered on these fake pages were extracted by the attackers for subsequent email account hijacking and data theft activities. 

The ONNX PhaaS platform, accessible through Telegram, not only offers customisable Microsoft Office 365 phishing templates and various webmail services but also employs encrypted JavaScript code, Cloudflare services, and a bulletproof hosting service to evade detection.