Skip links

Caffeine service lets anyone launch Microsoft 365 phishing attacks



A phishing-as-a-service (PhaaS) platform named ‘Caffeine’ makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns.

Caffeine doesn’t require invites or referrals, nor does it require wannabe threat actors to get approval from an admin on Telegram or a hacking forum. Due to this, it removes much of the friction that characterizes almost all platforms of this kind.

Another distinctive characteristic of Caffeine is that its phishing templates target Russian and Chinese platforms, whereas most PhaaS platforms tend to focus on lures for Western services.

Mandiant’s analysts discovered and tested Caffeine thoroughly, and today report that it’s a worryingly feature-rich PhaaS considering its low barrier for entry.

The cybersecurity firm first spotted Caffeine after investigating a large-scale phishing campaign run through the service, targeting one of Mandiant’s clients to steal Microsoft 365 account credentials.

Fueling phishing campaigns

Caffeine requires account creation, after which the operator gets immediate access to the “Store,” which contains phishing campaign-creation tools and an overview dashboard.

Caffeine’s main dashboard (Mandiant)

Next, the operators must purchase a subscription license, which costs $250 per month, $450 for three months, or $850 for six months, depending on the features.

Caffeine promoted on a hacker forum (Mandiant)

That’s roughly 3-5 times the typical PhaaS subscription cost, and Caffeine attempts to make up for it by offering anti-detection and anti-analysis systems and customer support services.

In terms of phishing options, some of the advanced features offered by the platform include:

Mechanisms to customize dynamic URL schemas to assist in dynamically generating pages pre-populating with victim-specific information.
First-stage campaign redirect pages and final lure pages.
IP blocklisting options for geo-blocking, CIDR range-based blocking, etc.

Blocking options to filter out bot traffic (Mandiant)

After setting the main phishing campaign parameters, the operators will have to deploy the phishing kit, which is currently limited to a Microsoft 365 login page, and then select a phishing template.

The Microsoft 365 phishing page used by the phishing kit (Mandiant)

Caffeine offers several phishing template options, including Microsoft 365 and various lures for Chinese and Russian platforms. Mandiant believes more will be added soon.

Template targeting Chinese users (Mandiant)

The platform also allows operators to use its own Python or PHP-based email management utility to send out phishing emails to their targets, reducing the need for external tools.

Caffeine’s PHP email sender utility (Mandiant)

While Mandiant gives detection guidance for catching Caffeine-backed phishing emails, the analysts highlight the possibility of the crooks adopting new evasion techniques that could render that report’s section obsolete.

Sadly, Caffeine is yet another option added to the choices available to low-skill cyber criminals on the look for automated platforms, which could become a bigger problem if more templates are added to its collection.

Adblock test (Why?)