Microsoft’s Digital Crimes Unit (DCU) has seized 240 fraudulent websites tied to a well-known cybercriminal operation that impersonated the “ONNX” brand to sell illicit services.
The operation was led by Abanoub Nady, who used the alias “MRxC0DER.” He developed and sold turnkey phishing kits that other criminals purchased and used to launch large-scale phishing campaigns aimed at compromising Microsoft customer accounts.
While many industries are at risk, financial services have been especially targeted because they process highly sensitive data and financial transactions. Breaches of this kind can cause severe real-world harm, including the theft of substantial funds and the loss of life savings for individuals.
Phishing kits like those sold by Nady contribute to the tens of millions of phishing messages Microsoft detects each month. In Microsoft’s recent Digital Defense Report, the fraudulent ONNX operation was identified among the top five phishing kit providers by email volume for the first half of 2024.
Operating much like a legitimate e-commerce vendor, Nady and his associates marketed their illicit tools through branded storefronts such as the “ONNX Store.” By dismantling this operation, Microsoft aims to disrupt the broader criminal supply chain and reduce threats including financial fraud, data theft, and ransomware.
The ONNX fraud underscores how online threats are evolving. Attackers increasingly use “Adversary-in-the-middle” (AiTM) phishing techniques, intercepting network communications to steal credentials and session cookies and thereby bypassing Multi-Factor Authentication (MFA). Microsoft reports a 146% increase in AiTM attacks, illustrating their growing use.
A recent alert from FINRA warned of a surge in AiTM attacks against financial firms, attributing much of the spike to the ONNX operation. These campaigns have included newer tactics such as QR code phishing, or “quishing,” which uses embedded QR codes to redirect victims to malicious sites.
Since September 2023, Microsoft has observed a sharp rise in phishing attempts that rely on QR codes, which now represent nearly one-quarter of email-based phishing attempts. These attacks pose unique challenges because QR codes often appear as harmless images and can be difficult for both users and some security systems to detect.
Under a civil court order obtained in the Eastern District of Virginia, Microsoft seized control of these domains and redirected them to Microsoft servers, removing the technical infrastructure that facilitated these scams and preventing the sites from being used in future phishing attacks.
Microsoft coordinated this action with LF Projects, LLC, the legitimate trademark owner of ONNX. Unlike the fraudulent operation, ONNX (Open Neural Network Exchange) is an open standard for representing machine learning models that helps ensure interoperability across different hardware and software platforms.
Microsoft publicly identified Nady to hold him accountable and to deter others from undertaking similar criminal activity. Evidence collected by Microsoft traces Nady’s involvement back to 2017. Under various brand names—such as “Caffeine” and more recently “FUHRER”—he ran a “phishing-as-a-service” model that resembled legitimate subscription services, offering tiers like Basic, Professional, and Enterprise, along with an “Unlimited VIP Support” option that gave detailed guidance to buyers on running phishing campaigns.
The operation maintained visibility and ease of access through channels like Telegram, where kits were sold and administration was supported by instructional materials circulated on social media.
Microsoft acknowledges that the fight against cybercrime is ongoing and requires persistent effort. While this legal action substantially disrupts the ONNX fraud operation, the industry expects new providers and changing tactics from threat actors. Continuous vigilance, defensive improvements, and collaboration across public and private sectors remain essential.
Microsoft says it will continue refining both technical and legal approaches and working with global partners to deter and disrupt cybercrime, protecting consumers and organizations from emerging threats.