Caffeine: A Phishing Kit Aimed at Stealing Microsoft 365 Details

Researchers at Mandiant discovered a new Phishing-as-a-Service (PhaaS) platform called Caffeine that allows anyone to buy its kit and launch phishing attacks.

Currently, the templates only target Microsoft Office 365 login pages and are mostly Russian- and Chinese-themed. But researchers warn that the authors may gradually add more templates to expand the scope of this kit.

An Easy-to-Use Phishing Kit

Phishing is one of the simplest means of attacking someone, needing only a carefully crafted page and nothing else. Because it requires deep editing of all the elements on the phishing page, several services exist to offer such customized templates for a certain fee and only to certain people.

Breaking from that restricted model, a service called Caffeine has appeared that lets anyone register an account for free and start using its phishing kit to steal Microsoft Office 365 credentials. Mandiant researchers discovered it while analyzing an attack on one of their clients, who had been targeted by Caffeine.

As they noted, Caffeine doesn’t require invites or referrals, nor approval from an admin on Telegram or a hacking forum. An operator only needs to register on its platform and buy the desired templates from its “Store”. The templates are mostly made to target Russian and Chinese platforms, unlike other PhaaS services, which target western entities.

A subscription license for the kit costs $250 a month, $450 for three months, or $850 for six months, depending on the features. For this price, which is roughly 3-5 times that of a typical PhaaS kit, it includes anti-detection and anti-analysis systems and customer support services. It offers more as well:

  • Mechanisms to customize dynamic URL schemas that help dynamically generate pages pre-populated with victim-specific information.
  • First-stage campaign redirect pages and final lure pages.
  • IP blocklisting options for geo-blocking, CIDR range-based blocking, etc.

Buyers (operators) need to configure their phishing campaign parameters and deploy the phishing kit, which is currently limited to a Microsoft 365 login page. But researchers warn that the kit authors may add more templates soon. It even lets the operators use their own Python or PHP-based email management utility for better integration.
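A defender can look for the first feature in the list above, pages pre-populated with victim-specific information, by checking mail-gateway or proxy records for links that carry the recipient's own address. The Python below is an added example, not code from Mandiant or from the kit. The record layout, the sample hosts, and the choice of plain and base64 encodings are assumptions, since the article does not describe Caffeine's actual URL format.

```python
import base64
import binascii
from urllib.parse import unquote, urlsplit

def b64_text(token):
    """Decode standard or URL-safe base64, tolerating stripped padding."""
    raw = token.rstrip("=").replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return ""

def candidates(url):
    """Path segments, query values and fragment, percent-decoded."""
    parts = urlsplit(url)
    raw = parts.path.split("/")
    raw += [pair.partition("=")[2] or pair for pair in parts.query.split("&")]
    raw.append(parts.fragment)
    return [unquote(piece) for piece in raw if piece]

def recipient_in_url(url, recipient):
    """Return 'plain' or 'base64' if the URL carries the recipient, else None."""
    needle = recipient.lower()
    for piece in candidates(url):
        if needle in piece.lower():
            return "plain"
        if needle in b64_text(piece).lower():
            return "base64"
    return None

def flag_messages(messages):
    """Return (recipient, url, encoding) for every link that names its recipient."""
    scored = ((m["rcpt"], u, recipient_in_url(u, m["rcpt"]))
              for m in messages for u in m["urls"])
    return [hit for hit in scored if hit[2]]

# Constructed sample records (not real traffic); hosts use reserved example domains.
ENCODED = base64.urlsafe_b64encode(b"joe@example.com").decode().rstrip("=")
SAMPLE = [
    {"rcpt": "joe@example.com", "urls": ["https://docs.example.net/view?id=42"]},
    {"rcpt": "joe@example.com", "urls": [f"https://login.example.org/s/{ENCODED}"]},
    {"rcpt": "ann@example.com", "urls": ["https://portal.example.org/#ann%40example.com"]},
]

if __name__ == "__main__":
    for hit in flag_messages(SAMPLE):
        print(hit)
```

A hit is a triage signal rather than a verdict, because legitimate unsubscribe and tracking links also embed the recipient's address.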
