Microsoft’s Digital Crimes Unit (DCU) has reported dismantling 240 fraudulent websites linked to an Egypt-based cybercrime group, thereby disrupting a key operation within the expanding “Phishing-as-a-Service” (PhaaS) industry.
Central to the threat is the rapid rise of “Adversary-in-The-Middle” (AiTM) phishing attacks, which allow attackers to intercept and manipulate communications, bypassing multifactor authentication (MFA) protections. Microsoft’s latest report revealed a 146 per cent surge in AiTM attacks in 2024, as these techniques become the favoured method for breaching secure accounts. The fraudulent ONNX operation, led by Abanoub Nady (“MRxC0DER”), leveraged AiTM tactics alongside “do-it-yourself” phishing kits to execute widespread attacks, heavily targeting the financial sector.
The kits, sold under a fraudulent ONNX brand, enabled criminals to scale their operations, bypassing advanced security measures. Distributed via platforms like Telegram, the kits followed a subscription model with varying levels of support, including step-by-step guidance. Phishing campaigns originating from these kits were among the top five globally by email volume this year, highlighting the threat’s scale and sophistication.
By obtaining a court order to take control of the malicious infrastructure, Microsoft, in partnership with LF Projects, has disrupted the operation, severing access for cybercriminals and sending a strong deterrent message.
Organisations can protect themselves by adopting advanced email filtering, deploying layered MFA solutions, and ensuring regular cybersecurity training. Vigilance and proactive defences remain critical in countering these increasingly sophisticated phishing techniques.