The Caffeine Phishing-as-a-Service (PhaaS) platform was recently reported by Mandiant security researchers. The platform is a feature-rich tool available to threat groups without the registration, verification, or reputation requirements that are typical in the underground economy, which is likely to increase its use among cyber threat actors. The platform currently contains templates for social engineering and credential theft against a variety of targets, including Russian- and Chinese-speaking organizations, and will likely expand its functionality over time.
Caffeine currently costs $250 a month. The relatively high subscription price may reflect the unlimited customer support options and the extensive anti-detection and anti-analysis features it offers. However, the lack of verification requirements and the considerable support may indicate that this platform could see significant adoption rates. When a kit is deployed correctly, the final Caffeine phishing lure appears as a Microsoft 365 login page. Pages like this one are the main mechanism for successful credential theft during campaign operations.
Mandiant researchers have made available a number of network IOCs associated with Caffeine infrastructure, although these may change quickly:
Organizations are advised to educate users about social engineering and phishing techniques, and to deploy technical and procedural controls such as email security solutions. In today’s threat environment, with sophisticated Malware-as-a-Service (MaaS) offerings, it is highly recommended to adopt a defense-in-depth cybersecurity strategy that focuses on the detection of post-compromise activity, such as the MDR, Threat Hunting, and SOC services offered by Binary Defense.