A new phishing-as-a-service (PhaaS) platform named “Caffeine” is a threat to Microsoft 365 users because it makes it easy for threat actors to launch attacks.
Caffeine doesn’t require invites or referrals, nor does it require wannabe threat actors to get approval from an admin on Telegram or a hacking forum. Due to this, it removes much of the friction that characterizes almost all platforms of this kind.
While investigating phishing activity, Mandiant security researchers discovered malicious actors using a shared Phishing-as-a-Service (PhaaS) platform called “Caffeine”.
Another distinctive characteristic of Caffeine is that its phishing templates target Russian and Chinese platforms, whereas most PhaaS platforms tend to focus on lures for Western services.
Caffeine is somewhat unique in that it features an entirely open registration process, allowing just about anyone with an email to register for their services instead of working directly through narrow communication channels (such as underground forums or encrypted messaging services) or requiring an endorsement or referral through an existing user.
Next, the operators must purchase a subscription license, which costs $250 per month, $450 for three months, or $850 for six months, depending on the features.
In terms of phishing options, some of the advanced features offered by the platform include:
- Mechanisms to customize dynamic URL schemas to assist in dynamically generating pages pre-populated with victim-specific information.
- First-stage campaign redirect pages and final lure pages.
- IP blocklisting options for geo-blocking, CIDR range-based blocking, etc.
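
The pre-populated, victim-specific URLs in the list above give defenders something to look for. The Python below is an added example, not code from Mandiant or from the original article: it flags links in a message body that carry the recipient's own address in plain, percent-encoded or base64 form. That the address is embedded in one of these forms is an assumption, and the function names and sample message are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def _base64_texts(piece):
    """Decode one URL component as standard and URL-safe base64, if possible."""
    piece = unquote(piece).rstrip("=")
    if len(piece) < 8:          # too short to hold an e-mail address
        return
    padded = piece + "=" * (-len(piece) % 4)
    for decode in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decode(padded).decode("utf-8", "ignore").lower()
        except (binascii.Error, ValueError):
            continue

def personalized_urls(recipient, body):
    """Return (url, encoding) for each link in body that carries the recipient's address."""
    needle = recipient.lower()
    hits = []
    for url in URL_RE.findall(body):
        if needle in unquote(url).lower():
            hits.append((url, "plain"))
        elif any(needle in text
                 for piece in re.split(r"[/?&=#]", url)
                 for text in _base64_texts(piece)):
            hits.append((url, "base64"))
    return hits

# Constructed sample message; hosts use the reserved .example TLD.
RECIPIENT = "alice@example.com"
TOKEN = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_BODY = "\n".join([
    "Your mailbox is almost full: https://login.portal.example/auth?u=alice%40example.com",
    "Review the shared document: https://cdn.redirect.example/r/#" + TOKEN,
    "Unsubscribe: https://www.vendor.example/newsletter?id=20221011",
])

if __name__ == "__main__":
    for url, how in personalized_urls(RECIPIENT, SAMPLE_BODY):
        print(how, url)
```

A hit is a triage signal rather than a verdict, since legitimate mailing tools also put the recipient address in tracking links.
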
As is typical of most modern SaaS platforms, Caffeine does not support perpetual use licenses and is wholly subscription based. Additionally, as modern subscription-based software design doctrine dictates, Caffeine offers three different tiers of service.
Caffeine offers several phishing template options, including Microsoft 365 and various lures for Chinese and Russian platforms. Mandiant believes more will be added soon.
It is also important to keep in mind that defensive measures against PhaaS attacks can be a game of cat and mouse. As quickly as threat actor infrastructure gets taken down, new infrastructure can be spun up.
Meanwhile, cybersecurity firm Mandiant gives detection guidance for catching Caffeine-backed phishing emails.
Caffeine is now yet another option for low-skill cybercriminals who are looking for automated platforms, and if more templates are added to its collection, it could become a bigger problem.