Executive Summary
Phishing as a Service (PhaaS) has surged in recent years, providing threat actors with ready-made tools and infrastructure. In this post, we look at the techniques and patterns observed in recent campaigns.
Attackers use these kits to perform Adversary-in-the-Middle (AitM) attacks, luring victims into authenticating through an attacker-held device. From there the attacker uses obfuscation techniques to hide their activity before taking follow-on actions. These actions typically consist of attempts to compromise further accounts and attempts to exfiltrate data from the organisation.
In this case study we review techniques and commonalities in these attacks against Azure Entra ID accounts, highlighting that attackers appear to be predominantly leveraging a small subset of Autonomous System Numbers (ASNs) to perform them. An ASN identifies a network operator, which will typically announce multiple ranges of public IP address space.
We also demonstrate that blocking individual IP addresses is not sufficient to remediate follow-on attacks from the same adversary. Blocking the announced prefixes (the CIDR ranges of public IPv4 and IPv6 addresses announced by an organisation) of the ASNs known to be used in these attacks should be considered if there is no expectation of their use in your environment.
Case 1 Rockstar 2FA AitM
Via analysis of threat intelligence reports we identified that a common AitM phishing kit in use was Rockstar 2FA. Key indicators of these attacks were the ASN the activity originated from, the Application ID in use, and the values set at login, such as the "kmsi" (keep me signed in) parameter. While Rockstar 2FA is used as an example in this study, it is one of many AitM phishing toolkits in use. The surrounding tactics and techniques described in this study appear to be common across usage of many of these toolkits.
Understanding these characteristics, we developed an analytic to detect login activity consistent with attacks that leveraged this kit.
After a period of validation and threat hunting, this led to the development of our "Intercepted Azure MFA Login for User" incident.
Our threat hunting activity around these attacks identified another commonality: the use of multiple source IP addresses and, in most cases, multiple ASNs.
Incident 1
Initial login from IPv6 address 2a0d:5600:8[:]101:0:1:7b8f:7c91 (M247 Europe SRL AS9009), with follow-on logins from the IPv6 address 2a0d:5600:8[:]a6:0:1:91a7:6bbe (M247 Europe SRL AS9009). After intervention from the victim organisation we see follow-on failed login attempts from IPv4 address 23.95[.]63.213 (AS-COLOCROSSING AS36352).
Incident 2
Initial login from IPv6 address 2a0d:5600:8[:]2e:0:1:5e6a:a7f2 (M247 Europe SRL AS9009), followed by login events from IPv6 address 2a0d:5600[:]8:a6:0:1:91a7:6bbe (M247 Europe SRL AS9009).
This was then followed by logins from the IPv4 address 185.121[.]176.252 (Gwy It Pty Ltd AS199959), with follow-on activity to create a new inbox rule, access mail items, and create a Teams session.
After the victim organisation intervened, there were follow-on failed login attempts from the IPv4 address 102.216[.]236.62 (MITL1-AS AS329099).
These cases demonstrate that blocking individual IP addresses alone will not prevent these attacks. Attackers are leveraging multiple IP addresses, and in some cases multiple ASNs, in each attack against a victim account or organisation.
Looking at the pattern of these attacks over a 90-day period (fig. 1), we see attackers using 4 ASNs to perform the initial access events in these incidents:
Global Internet Solutions LLC AS207713
M247 Europe SRL AS9009
HVC-AS AS29802
Global Connectivity Solutions AS215540
fig. 1: Graph showing the initial access events by ASN between 29th June and 28th September 2025.
Additional follow-on activity was observed originating from the following ASNs:
AS-COLOCROSSING AS36352
Gwy It Pty Ltd AS199959
MITL1-AS AS329099
Datacamp Limited AS212238
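The multi-IP, multi-ASN pattern described in these two incidents, and the difference between blocking an individual address and blocking a covering prefix, as an added example (this is not code from the post or from Fortra). Record field names are assumptions; the addresses and ASNs are the ones quoted in the incidents above, the timestamps are constructed, and the /48 prefix used in the block check is a constructed illustration rather than a statement of what AS9009 announces.

```python
"""Added example, not the post's own code: correlate sign-in events per user
across source IPs and ASNs, and compare blocking a single IP address with
blocking an announced prefix. Record fields are assumed; the ASN list is the
one the post reports for initial access."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# ASNs the post reports for the initial access events in these incidents.
INITIAL_ACCESS_ASNS = {207713, 9009, 29802, 215540}

# Constructed sign-in records modelled on Incident 2 (timestamps are illustrative;
# the addresses and ASNs are the ones quoted in the post).
SIGN_INS = [
    {"user": "alice@example.com", "time": "2025-09-01T10:02:00",
     "ip": "2a0d:5600:8:2e:0:1:5e6a:a7f2", "asn": 9009, "result": "success"},
    {"user": "alice@example.com", "time": "2025-09-01T10:09:00",
     "ip": "2a0d:5600:8:a6:0:1:91a7:6bbe", "asn": 9009, "result": "success"},
    {"user": "alice@example.com", "time": "2025-09-01T11:30:00",
     "ip": "185.121.176.252", "asn": 199959, "result": "success"},
    {"user": "alice@example.com", "time": "2025-09-02T08:15:00",
     "ip": "102.216.236.62", "asn": 329099, "result": "failure"},
    {"user": "bob@example.com", "time": "2025-09-01T09:00:00",
     "ip": "203.0.113.10", "asn": 64496, "result": "success"},
]


def summarise_user_sessions(events):
    """Per user: distinct IPs and ASNs seen, and whether the first successful
    sign-in came from a known initial-access ASN and was followed by activity
    from a different ASN (the pattern described in the incidents above)."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    report = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        successes = [e for e in evs if e["result"] == "success"]
        first = successes[0] if successes else None
        suspicious = bool(
            first is not None
            and first["asn"] in INITIAL_ACCESS_ASNS
            and any(e["asn"] != first["asn"] for e in evs)
        )
        report[user] = {
            "ips": {e["ip"] for e in evs},
            "asns": {e["asn"] for e in evs},
            "suspicious": suspicious,
        }
    return report


def build_blocklist(prefixes):
    """Parse CIDR prefixes (IPv4 or IPv6) into network objects."""
    return [ipaddress.ip_network(p) for p in prefixes]


def is_blocked(ip, networks):
    """True if the address falls inside any blocked prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    for user, summary in summarise_user_sessions(SIGN_INS).items():
        print(user, sorted(summary["asns"]), "suspicious" if summary["suspicious"] else "ok")
    # Blocking only the first observed address misses the second M247 address,
    # while a covering prefix (2a0d:5600:8::/48 is a constructed example here,
    # not a statement about what AS9009 actually announces) catches both.
    second_ip = "2a0d:5600:8:a6:0:1:91a7:6bbe"
    print(is_blocked(second_ip, build_blocklist(["2a0d:5600:8:2e:0:1:5e6a:a7f2/128"])))
    print(is_blocked(second_ip, build_blocklist(["2a0d:5600:8::/48"])))
```

In practice the prefix list would be populated from the provider's announced routes (for example from a BGP looking-glass or a routing registry) rather than hand-typed, and the correlation would run over exported Entra sign-in logs with the same per-user grouping.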
Case 2 Suspicious Inbox Rule Creation
Once an adversary has gained access to an account, they will commonly leverage it to gain access to further accounts in the environment. They do this by using the initial victim's account to send phishing emails to additional users within the same organisation.
While threat hunting around malicious login activity, we identified that a common technique is to create an inbox rule to hide this follow-on activity. There are two clear types of inbox rule threat actors use.
Delete messages inbox rule:
The inbox rule name was made up of punctuation marks, for example ".." or ";;".
The "DeleteMessage" parameter was set to true, typically with no additional conditions.
Move messages inbox rule:
The inbox rule name was made up of punctuation marks or random letters.
The "MoveToFolder" parameter was set to a folder named "RSS Feeds", "RSS Subscriptions" or "Conversation History".
These came in two variants: one with no additional condition, so that all email is targeted, and a second with a condition set to match a common string or from address used in the phishing emails.
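A small classifier for the two inbox rule patterns just described, as an added example (not code from the post or from Fortra). The event shape is a simplified, constructed stand-in for an Exchange inbox-rule audit record; the parameter names "DeleteMessage" and "MoveToFolder" are the ones the post quotes, the "conditions" field and the heuristic for "random letters" names are assumptions.

```python
"""Added example, not the post's own code: classify inbox-rule creation events
against the delete-messages and move-messages patterns described above.
Event fields are a constructed simplification of Exchange audit records."""
import string

# Folder names the post reports being used to hide moved messages.
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}

# Constructed audit events: one flat dict of rule parameters per event.
RULE_EVENTS = [
    {"user": "alice@example.com", "name": ";", "DeleteMessage": True,
     "MoveToFolder": None, "conditions": {}},
    {"user": "bob@example.com", "name": "..", "DeleteMessage": True,
     "MoveToFolder": None, "conditions": {}},
    {"user": "carol@example.com", "name": "xqzt", "DeleteMessage": False,
     "MoveToFolder": "RSS Subscriptions",
     "conditions": {"SubjectContainsWords": ["Shared document"]}},
    {"user": "dave@example.com", "name": "Vendor invoices", "DeleteMessage": False,
     "MoveToFolder": "Invoices", "conditions": {"From": ["billing@vendor.example"]}},
]


def name_is_suspicious(name):
    """Rule names seen in these attacks were punctuation only or short random
    letters. Empty or punctuation-only names are flagged outright; as a crude,
    assumed heuristic for 'random letters', short vowel-less names are too."""
    stripped = name.strip()
    if not stripped or all(ch in string.punctuation for ch in stripped):
        return True
    letters = stripped.replace(" ", "")
    return (len(letters) <= 6 and letters.isalpha()
            and not any(c in "aeiouAEIOU" for c in letters))


def classify_rule(event):
    """Return (verdict, reasons) for a single rule-creation event."""
    reasons = []
    if name_is_suspicious(event["name"]):
        reasons.append("suspicious_name")
    # Delete-all variant: DeleteMessage set with no conditions narrowing it.
    if event.get("DeleteMessage") and not event.get("conditions"):
        reasons.append("delete_all_mail")
    # Move variant: destination is one of the folders used to hide mail.
    folder = (event.get("MoveToFolder") or "").lower()
    if folder in SUSPICIOUS_FOLDERS:
        reasons.append("move_to_hiding_folder")
    verdict = "suspicious" if reasons else "benign"
    return verdict, reasons


def triage(events):
    """Classify every event, keyed by the mailbox the rule was created in."""
    return {e["user"]: classify_rule(e) for e in events}


if __name__ == "__main__":
    for user, (verdict, reasons) in triage(RULE_EVENTS).items():
        print(f"{user}: {verdict} {reasons}")
```

A rule that trips more than one reason (punctuation name plus delete-all, or a short name plus a move into "RSS Subscriptions") matches the patterns in the post closely and is worth prioritising over a single weak signal such as a short name on its own.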
Let's look at an attack to review the pattern of activity identified surrounding an inbox rule creation event (please note all times are presented in UTC).
The telemetry fired for the creation of the inbox rule at 12:46, with a source IPv4 address 79.127[.]132.174 (Datacamp Limited AS212238). Upon investigating activity surrounding this event, we identified the following actions taking place from this IPv4 address using the victim's account:
Initial failed sign in events began at 12:22.
Successful sign in events began at 12:22.
This was followed by multiple Exchange "Create" events starting at 12:45.
The Exchange "Inbox Rule" creation event occurred at 12:46, with the name being a single semicolon ";" and the "DeleteMessage" parameter set to true with no other conditions.
Multiple Exchange "Send" events then started at 12:46.
This shows an adversary gaining access to the account, creating emails, and creating the inbox rule to delete all messages. Finally, the threat actor sends emails to other users within the organisation in an attempt to gain access to additional user accounts.
From here we pivoted to look at surrounding activity by the user account, knowing that adversaries will commonly use multiple IP addresses in an attack. This led to identifying additional activity from different IPv4 addresses associated with the ASN "Cogent-174" AS174.
Multiple Exchange "Create" and "Send" events starting at 14:58 from the IPv4 address 91.124[.]17.57.
Multiple Exchange "Create" and "Send" events starting at 15:01 from the IPv4 address 102.129[.]235.17.
In this attack, we have identified the attacker using three separate IP addresses originating from two separate ASNs.
Looking at the pattern of these attacks over a 30-day period, the top 5 ASNs we have identified in these attacks are:
ASN                                                 | Incidents
Datacamp Limited AS212238                           | 44
COGENT-174 AS174                                    | 20
ZAYO-6461 AS6461                                    | 12
Internet Utilities Europe and Asia Limited AS206092 | 8
GSL Networks Pty LTD AS137409                       | 3
Key findings and recommendations
From the attacks observed across our customer base we identified key commonalities in PhaaS attacks against Azure Entra ID accounts.
They always involved activity originating from multiple IP addresses, and commonly from multiple ASNs as well.
Subsequent activity almost always originated from a different IP address and ASN than those used in the initial access login events.
The adversary would attempt to hide subsequent activity by creating inbox rules to either delete emails or move them to one of several folders.
We recommend reviewing your users' Azure sign-in activity to build a baseline of source ASNs, which can be invaluable in identifying anomalous activity at the individual user level.
Azure Entra ID has several protections you can enable to help mitigate phishing, which we recommend using:
Enabling Azure Entra ID Protection, designed to identify and flag risky sign-in activity.
Enabling stricter Conditional Access controls for risky sign-ins.
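The per-user ASN baseline recommended above, as an added example (not code from the post or from Fortra): successful sign-ins over a trailing window become each user's set of known ASNs, and later sign-ins from an ASN outside that set, or from a user with no baseline at all, are flagged. The record layout and the constructed history are assumptions; the ASNs in the watchlist are the ones reported in this post.

```python
"""Added example, not the post's own code: build a per-user baseline of sign-in
source ASNs and flag later sign-ins that fall outside it. Records are
constructed; field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# ASNs reported in this post; a hit outside a user's baseline from one of these
# is raised to the top of the queue.
ASN_WATCHLIST = {207713, 9009, 29802, 215540, 212238, 174, 6461, 206092,
                 137409, 36352, 199959, 329099}

# Constructed 30-day history (RFC 5737 documentation addresses, private-use ASNs).
HISTORY = [
    {"user": "alice@example.com", "time": "2025-08-05T08:01:00",
     "ip": "203.0.113.10", "asn": 64496, "result": "success"},
    {"user": "alice@example.com", "time": "2025-08-20T08:05:00",
     "ip": "203.0.113.11", "asn": 64496, "result": "success"},
    {"user": "alice@example.com", "time": "2025-08-28T18:40:00",
     "ip": "198.51.100.7", "asn": 64497, "result": "success"},
    {"user": "alice@example.com", "time": "2025-08-28T18:41:00",
     "ip": "192.0.2.99", "asn": 64500, "result": "failure"},  # failures are not baseline
    {"user": "bob@example.com", "time": "2025-08-15T09:00:00",
     "ip": "203.0.113.12", "asn": 64496, "result": "success"},
]

# Constructed new sign-ins to evaluate against the baseline; the two non-private
# addresses and ASNs are the ones quoted in Case 2 of the post.
NEW_EVENTS = [
    {"user": "alice@example.com", "time": "2025-09-01T08:00:00",
     "ip": "203.0.113.10", "asn": 64496, "result": "success"},
    {"user": "alice@example.com", "time": "2025-09-01T12:22:00",
     "ip": "79.127.132.174", "asn": 212238, "result": "success"},
    {"user": "carol@example.com", "time": "2025-09-01T12:30:00",
     "ip": "91.124.17.57", "asn": 174, "result": "success"},
]


def build_asn_baseline(events, window_days=30, as_of=None):
    """Map each user to the set of ASNs from which they signed in successfully
    during the trailing window ending at `as_of` (default: latest event)."""
    if as_of is None:
        as_of = max(datetime.fromisoformat(e["time"]) for e in events)
    cutoff = as_of - timedelta(days=window_days)
    baseline = defaultdict(set)
    for e in events:
        when = datetime.fromisoformat(e["time"])
        if cutoff <= when <= as_of and e["result"] == "success":
            baseline[e["user"]].add(e["asn"])
    return dict(baseline)


def flag_new_asn(events, baseline):
    """Return one finding per sign-in whose ASN is outside the user's baseline."""
    findings = []
    for e in events:
        known = baseline.get(e["user"], set())
        if e["asn"] in known:
            continue
        findings.append({
            "user": e["user"],
            "ip": e["ip"],
            "asn": e["asn"],
            "reason": "new ASN" if known else "no baseline",
            "watchlisted": e["asn"] in ASN_WATCHLIST,
        })
    return findings


if __name__ == "__main__":
    baseline = build_asn_baseline(HISTORY)
    for finding in flag_new_asn(NEW_EVENTS, baseline):
        print(finding)
```

Users with no baseline (new joiners, or accounts that rarely sign in) will always be flagged, so the "no baseline" reason is kept separate from "new ASN" to let triage weight them differently; the watchlist flag is what turns a routine travel alert into a priority one.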
Enabling anti-phishing protections available for Microsoft 365 cloud mailboxes.
Ensuring end users are fully aware of the risks posed by phishing attacks is key to combating them. Providing your users with phishing awareness training, so that they understand the tactics and techniques employed by threat actors, will help mitigate the risks posed by these attacks.
The ASNs below have been noted in these attacks. They are legitimate hosting providers, but appear to be commonly leveraged to facilitate phishing attacks. If there is no expectation of them being in use in your environment, you should consider proactively restricting access from them.
ASNs observed in attacks:
Global Internet Solutions LLC AS207713
M247 Europe SRL AS9009
HVC-AS AS29802
Global Connectivity Solutions AS215540
Datacamp Limited AS212238
COGENT-174 AS174
ZAYO-6461 AS6461
Internet Utilities Europe and Asia Limited AS206092
GSL Networks Pty LTD AS137409
AS-COLOCROSSING AS36352
Gwy It Pty Ltd AS199959
MITL1-AS AS329099
Mitre ATT&CK Techniques
Initial Access
T1566 Phishing
Credential Access
T1557 Adversary-in-the-Middle
Defense Evasion
T1564 Hide Artifacts
T1656 Impersonation
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.