FINRA Cyber Alert – ONNX Store Purportedly Targeting Firms in Quishing Attacks

IMPACT: All Firms Using Microsoft 365 (M365) – f/k/a Office 365 (O365)

Firms should review this information with any vendors who provide information technology services to the firm.

ONNX Store, a Phishing-as-a-service platform (PhaaS)1, is targeting Microsoft 365 (M365) accounts at FINRA member firms with an advanced social engineering attack known as quishing: a business email compromise (BEC) attack that uses QR codes in embedded PDF documents to redirect victims to phishing URLs.2

Threat actors leverage quishing attacks because victims will typically scan QR codes on their personal mobile devices (which the victim may use for business purposes, as part of their firms’ Bring Your Own Device (BYOD) program). As a result, these attacks are exceptionally difficult to monitor with typical endpoint detection.

Evidence indicates that ONNX Store is a revamped edition of the Caffeine PhaaS3, given the similar tactics, techniques and procedures (TTPs) leveraged by the threat actor – or threat actors – operating both platforms.

ONNX Store is particularly successful in executing BEC attacks because it:

  • uses QR codes to redirect victims to phishing sites that mimic the legitimate M365 login page, allowing for the execution of Adversary-in-the-Middle (AitM) attacks;4
  • circumvents two-factor authentication (2FA) by intercepting 2FA requests;
  • uses specific hosting services to delay the takedown of phishing domains; and
  • purportedly uses encrypted JavaScript code to further evade detection.

As part of a comprehensive cybersecurity program, member firms may consider the following effective practices:

  • Ensure IT personnel are aware of the quishing attack vector.
  • Provide end-user awareness training to warn against the threat of social engineering, including the risks associated with malicious PDF attachments and scanning QR codes.
  • Exercise caution when receiving unsolicited requests or items (e.g., QR codes, PDF attachments, hyperlinks), including those that foster a sense of urgency.
  • Avoid providing sensitive information on websites reached through an unsolicited QR code or link – instead, opt to visit sites directly by manually typing trusted website addresses into an internet browser.
  • Update email server settings to block attachments from unverified senders.
  • Shorten login token expiration times.
  • Impose additional defense in depth tactics (e.g., leverage domain name system security extensions (DNSSEC) and security monitoring tools to detect anomalous behavior).
  • Implement additional forms of multi-factor authentication (i.e., use hardware keys).

Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU). Both the FBI and CISA urge you to promptly report phishing incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve members of any existing obligations under federal securities laws and regulations. Members may consider the information in this Alert in developing new, or modifying existing, practices that are reasonably designed to achieve compliance with relevant regulatory obligations based on a member’s size and business model.

If you would like to add or change who receives this email, please update your firm’s Chief Information Security Officer (CISO), Chief Compliance Officer (CCO) and/or Chief Risk Officer (CRO) contacts in FINRA Gateway.

1 PhaaS platforms allow threat actors to purchase “kits” to perpetrate phishing attacks with little technical knowledge required. In the case of ONNX Store, threat actors can allegedly purchase the kits via Telegram bots. 

2See EclecticIQ Blog:  ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution (June 18, 2024).

3See Google Cloud Threat Intelligence: The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform (October 10, 2022).

4 AitM attacks involve threat actors secretly intercepting or altering communication between two parties as a means to steal information or cause further harm to a victim.