Phishing Kits & PhaaS
What Is Caffeine / ONNX Store?
Caffeine, later rebranded as ONNX Store, was a Phishing-as-a-Service (PhaaS) platform that operated under a SaaS subscription model, providing customers with ready-made AiTM phishing kits, credential harvesting pages, and campaign management infrastructure for monthly subscription fees ranging from $150 to $850, before Microsoft dismantled it in November 2024 by seizing 256 fraudulent domains. Developed and marketed by Abanoub Nady (also known as "MRxC0DER"), based in Egypt, the operation functioned under multiple brand names including Caffeine, ONNX, and FUHRER, demonstrating a pattern of rebranding to evade detection and maintain operational continuity. According to Microsoft Digital Crimes Unit reporting from November 2024, the operation was identified as "the top AiTM phishing service by volume" in the first half of 2024, competing with dozens of other PhaaS platforms for market dominance before legal action disrupted its infrastructure.
The platform targeted financial services institutions specifically according to Microsoft and BleepingComputer analysis, providing adversary-in-the-middle session hijacking capabilities, real-time 2FA/MFA token interception, credential harvesting with AES-encrypted transmission, and API-based license validation enforcing subscription compliance. The November 2024 disruption through coordinated action by Microsoft, law enforcement partners, and Crowell & Moring legal representation resulted in seizure of 256 associated domains, effectively terminating centralized infrastructure and customer campaign capabilities. According to EclecticIQ and Google Cloud threat intelligence reporting, Caffeine/ONNX represented a significant PhaaS threat before disruption, generating substantial revenue and providing turnkey phishing capabilities to cybercriminals globally.
How Does Caffeine / ONNX Store Work?
Caffeine/ONNX operated as a commercial subscription service providing tiered access to phishing infrastructure and capabilities. According to Microsoft and Google Cloud analysis, the platform evolved from early Caffeine branding through a 2023 Telegram channel announcement transitioning to "ONNX Store" with updated operational models. This rebranding likely aimed to distance the new operation from detection signatures associated with the Caffeine name while maintaining core technical capabilities and customer relationships.
The subscription tier structure provided differentiated pricing based on target platforms and feature sets. According to reported pricing from Microsoft and EclecticIQ analysis, the Basic tier at $150/month targeted generic webmail platforms (Webmail Normal), the Professional tier at $200/month specialized in Office 365 environments (Office 365 Normal), and Premium/Enterprise tiers reached $550/month for advanced features including enhanced evasion capabilities and priority technical support. This tiered approach enabled market segmentation where budget-conscious attackers selected basic capabilities while sophisticated threat actors purchased premium features.
Campaign management infrastructure evolved from shared web servers in early Caffeine iterations to Telegram bot-based control systems in ONNX Store. According to Microsoft and BleepingComputer technical analysis, ONNX Store introduced dedicated Telegram bots for campaign configuration, real-time credential delivery, and technical support provision. This Telegram integration provided customers with convenient mobile-accessible interfaces for managing phishing operations without requiring direct server access or complex technical configurations.
The adversary-in-the-middle architecture enabled session hijacking. According to EclecticIQ and Google Cloud analysis, the platform positioned phishing infrastructure between victims and legitimate authentication servers, intercepting the complete login flow including usernames, passwords and, critically, the session tokens and MFA cookies issued after successful authentication. This comprehensive data capture enabled account access that bypassed MFA entirely, because a stolen session token is proof that authentication has already occurred.
Real-time 2FA/MFA token interception automated the bypass process. According to Microsoft analysis, when victims completed multi-factor authentication challenges believing they were authenticating to legitimate services, Caffeine/ONNX captured MFA codes and immediately validated them against actual authentication servers. The platform obtained valid authenticated sessions without requiring manual attacker intervention, enabling high-volume automated campaigns across numerous concurrent victims.
API-based license validation enforced subscription compliance and prevented unauthorized use. According to Google Cloud and technical analysis, each phishing page access triggered license verification communicating with operator-controlled central servers. This licensing system prevented customers whose subscriptions expired from continuing operations and blocked pirated copies of the platform, though it also created centralized infrastructure dependency vulnerable to disruption.
What Are the Limitations of Caffeine / ONNX Store?
Centralized Infrastructure Single Point of Failure
All customer campaign data and authentication flows depended on centralized Caffeine/ONNX infrastructure. According to Microsoft analysis from November 2024, this centralization enabled comprehensive disruption through domain seizure, as the seizure of 256 domains affected all customer operations simultaneously. Distributed PhaaS architectures in which customers deploy independent infrastructure demonstrate greater resilience, as law enforcement must target individual customer deployments rather than centralized operator infrastructure.
API-Based License Validation Exposure
The licensing system requiring communication with operator servers created law enforcement visibility. According to Google Cloud and Microsoft analysis, license verification traffic patterns enabled identification of operator infrastructure and customer activities. Law enforcement monitoring of licensing API traffic could identify customer IP addresses, campaign timing patterns, and operational characteristics. Expired license keys became immediately detectable, facilitating investigation of subscription payment flows and customer identification.
Known Threat Intelligence and IOC Documentation
Major security vendors including Microsoft, Proofpoint, and Google Cloud published detailed IOC (Indicator of Compromise) documentation for Caffeine/ONNX. According to Google Cloud threat intelligence reporting, this public IOC disclosure enabled rapid defensive signature development across email gateways, web proxies, and endpoint security products. Organizations subscribing to threat intelligence feeds incorporating Caffeine/ONNX indicators could block campaigns before credential harvesting occurred.
Multiple Rebranding Indicates Defensive Pressure
The pattern of rebranding from Caffeine to ONNX to FUHRER suggests continuous defensive pressure requiring operational changes. According to Microsoft and EclecticIQ analysis, rebranding typically responds to detection signature development, law enforcement investigation, or reputation damage requiring platform identity changes. This defensive rebranding cycle indicates that security vendor and law enforcement actions effectively pressured operations, forcing resource investment in rebranding rather than capability development.
Cryptocurrency Payment Trail Visibility
Subscription payments through cryptocurrency created blockchain audit trails enabling financial investigation. According to Microsoft and law enforcement analysis, blockchain transparency allows sophisticated investigators to trace cryptocurrency flows, identify exchange accounts receiving payments, and potentially attribute financial activity to individuals. While cryptocurrency provides greater anonymity than traditional payment systems, it does not provide absolute untraceability against determined investigation.
How Can Organizations Defend Against Caffeine / ONNX Store?
Threat Intelligence Integration
Organizations should integrate threat intelligence feeds including Caffeine/ONNX IOCs into email gateways, web proxies, and endpoint security products. According to Microsoft and Google Cloud guidance, security vendors maintain actively updated lists of identified Caffeine/ONNX infrastructure domains, IP addresses, and behavioral characteristics. DNS reputation services incorporating these indicators can block phishing domain resolution before page content loads. Email gateways should query threat intelligence APIs in real time to identify and quarantine messages containing Caffeine/ONNX URLs.
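The following is an added example (not code from the page or from any vendor) of the URL-to-indicator matching an email gateway or proxy performs against an IOC feed. The indicator domains and the sample message are constructed placeholders, not real Caffeine/ONNX infrastructure. It normalises each hostname (case, trailing dot, port, punycode) and matches the host or any parent domain, so a subdomain of a listed indicator is still caught.

```python
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed indicator list standing in for a vendor IOC feed.
# These are placeholder domains, not real Caffeine/ONNX indicators.
IOC_DOMAINS: Set[str] = {
    "login-verify-example.test",
    "m365-secure-example.test",
    "onnx-phish-example.test",
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def normalize_host(url: str) -> Optional[str]:
    """Return the lower-case, punycode-normalised hostname of a URL, or None."""
    try:
        host = urlsplit(url).hostname  # drops scheme, userinfo, port and path
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        # Unicode labels are compared in their ASCII (xn--) form so a
        # homoglyph host and its punycode spelling hit the same indicator.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host


def matches_ioc(host: str, iocs: Set[str] = IOC_DOMAINS) -> Optional[str]:
    """Match the host itself or any parent domain (but never a bare TLD)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_message(body: str, iocs: Set[str] = IOC_DOMAINS) -> List[Tuple[str, str]]:
    """Return (url, matched_indicator) pairs for every URL that hits the feed."""
    hits = []
    for url in URL_RE.findall(body):
        host = normalize_host(url)
        if host is None:
            continue
        hit = matches_ioc(host, iocs)
        if hit:
            hits.append((url, hit))
    return hits


# Constructed sample email body: two lure links plus one legitimate link.
SAMPLE_BODY = """Your mailbox is almost full. Review your storage at
https://portal.LOGIN-VERIFY-EXAMPLE.test./owa/?user=a.b
Documentation: https://learn.microsoft.com/entra/
Backup link: http://cdn.m365-secure-example.test:8443/x"""

if __name__ == "__main__":
    for url, indicator in scan_message(SAMPLE_BODY):
        print(f"QUARANTINE: {url} matches indicator {indicator}")
```

A real gateway would also unwrap redirectors and URL-rewriting services before matching, and would refresh the indicator set from the feed rather than embedding it.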
Hardware Security Key Deployment
FIDO2 hardware security keys provide effective defense against Caffeine/ONNX AiTM attacks. According to Microsoft and EclecticIQ security guidance, FIDO2 keys use the WebAuthn protocol, whose cryptographic origin binding causes authentication to phishing pages to fail automatically: the browser records the page's actual origin in the signed client data and the credential is scoped to the legitimate relying party's domain, so an assertion produced on a lookalike domain does not verify. Even when Caffeine/ONNX successfully intercepts the authentication flow, FIDO2 keys prevent credential use on fraudulent domains through this cryptographic validation. Organizations should prioritize hardware key deployment for high-value accounts and administrative users.
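As an added illustration (not the page's or any vendor's code) of why the origin binding defeats an AiTM relay, the block below simulates the checks a WebAuthn relying party performs on the client data and authenticator data before it even looks at the signature. The relying party ID, origins and the assertion construction are assumptions for the demo; signature verification is omitted because the origin and rpIdHash checks already reject the relayed assertion.

```python
import base64
import hashlib
import json
import os
from typing import Optional, Tuple

# Placeholder relying party configuration for the demo.
RP_ID = "login.example.test"
ALLOWED_ORIGINS = {"https://login.example.test"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Simulate what a browser hands back to the relying party.

    In a real flow the browser, not the page's JavaScript, fills in `origin`
    and derives `rp_id` from the page's effective domain, so a proxy page on
    another domain cannot claim the genuine values.
    """
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }
    # authenticatorData = SHA-256(rpId) || flags || signCount || ...
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + b"\x01"                      # flags: user present
                 + (1).to_bytes(4, "big"))      # signature counter
    return {
        "clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
        "authenticatorData": b64url_encode(auth_data),
    }


def verify_assertion(assertion: dict, expected_challenge: bytes) -> Optional[str]:
    """Return None if the assertion is acceptable, else the rejection reason."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return "challenge mismatch (possible replay)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return f"origin {origin!r} is not the relying party"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash does not match relying party"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    # A real verifier now checks the signature over
    # authenticatorData || SHA-256(clientDataJSON) with the stored public key.
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    challenge = os.urandom(32)
    # Victim on the genuine site: the browser reports the real origin.
    genuine = build_assertion("https://login.example.test", challenge, RP_ID)
    # Victim on an AiTM proxy page: the browser reports the proxy's origin and
    # rpId, so the relayed assertion is refused by the real service.
    phished = build_assertion("https://login-example.phish.test", challenge,
                              "login-example.phish.test")
    return verify_assertion(genuine, challenge), verify_assertion(phished, challenge)


if __name__ == "__main__":
    ok, rejected = demo()
    print("genuine:", ok or "accepted")
    print("relayed:", rejected)
```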
Conditional Access and Risk-Based Authentication
Microsoft 365 administrators should implement Conditional Access policies detecting anomalous authentication patterns. According to Microsoft security guidance, policies should block logins from unfamiliar geographic locations, require device compliance before access, implement impossible travel detection, and enforce risk-based authentication requiring additional verification for suspicious sign-in attempts. These policies disrupt automated session token replay even when attackers possess technically valid tokens.
Email Authentication and Sender Verification
Organizations should enforce strict DMARC/SPF/DKIM policies rejecting emails failing sender authentication. According to Microsoft and Proofpoint guidance, Caffeine/ONNX phishing emails often contained sender spoofing attempting to impersonate Microsoft or organizational internal addresses. DMARC reject policies prevent spoofed emails from reaching user mailboxes. Email gateways should implement real-time sender reputation checking and sandbox URL detonation before delivery.
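To make the DMARC reject step concrete, here is an added example (not from the page or any vendor) that evaluates a message the way a receiving gateway does: it reads the sender domain's DMARC record, checks whether SPF or DKIM passed with an aligned domain, and otherwise applies the published policy. The DMARC records and Authentication-Results headers are constructed, and the organizational-domain reduction is a simplification that skips the Public Suffix List.

```python
import re
from typing import Dict, Optional

# Constructed DNS answers standing in for TXT lookups at _dmarc.<domain>.
DMARC_RECORDS = {
    "example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=r",
    "partner.test": "v=DMARC1; p=none; rua=mailto:reports@partner.test",
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tag=value pairs (alignment defaults applied)."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels); real
    evaluators use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> Dict[str, Dict[str, str]]:
    """Pull spf/dkim results and their domains out of an Authentication-Results header."""
    out: Dict[str, Dict[str, str]] = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    if m:
        out["spf"] = {"result": m.group(1), "domain": m.group(2)}
    m = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", header)
    if m:
        out["dkim"] = {"result": m.group(1), "domain": m.group(2)}
    return out


def dmarc_disposition(from_domain: str, auth_results: str, records=DMARC_RECORDS) -> str:
    """Return 'pass', or the policy to apply ('reject', 'quarantine', 'none')."""
    record = records.get(from_domain.lower())
    if record is None:
        return "none"  # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    res = parse_auth_results(auth_results)
    spf, dkim = res.get("spf", {}), res.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("domain"), from_domain, tags["aspf"])
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("domain"), from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed headers: a spoof of example.test (SPF passes only for the
# attacker's bounce domain), a genuine example.test message, and a spoof of a
# domain that only publishes p=none.
SPOOFED = "mx.example.test; spf=pass smtp.mailfrom=bounce.attacker.test; dkim=none (no signature)"
LEGIT = "mx.example.test; spf=pass smtp.mailfrom=mail.example.test; dkim=pass header.d=example.test"
SPOOFED_PARTNER = "mx.partner.test; spf=fail smtp.mailfrom=partner.test; dkim=none (no signature)"

if __name__ == "__main__":
    for label, dom, hdr in (("spoof", "example.test", SPOOFED),
                            ("legit", "example.test", LEGIT),
                            ("partner spoof", "partner.test", SPOOFED_PARTNER)):
        print(f"{label}: {dmarc_disposition(dom, hdr)}")
```

The partner.test case is the point of the guidance above: a domain that publishes p=none gives the receiving gateway nothing to enforce, so an impersonation of it is delivered even though SPF failed.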
Browser Isolation for External Links
Deploy cloud-based browser isolation rendering external links in isolated cloud environments. According to security vendor guidance, browser isolation solutions can detect and block AiTM phishing by analyzing page behaviors in isolated environments before presenting content to users. Suspicious authentication flows or behaviors inconsistent with legitimate Microsoft services trigger alerts or block page display, protecting users from Caffeine/ONNX phishing pages.
FAQs
How does Caffeine/ONNX bypass MFA?
Caffeine/ONNX uses Adversary-in-the-Middle (AiTM) techniques to intercept authentication requests in real time. According to EclecticIQ and Microsoft analysis, when users enter MFA codes believing they're authenticating to Microsoft, Caffeine/ONNX captures those codes and immediately validates them against legitimate Microsoft servers. The platform obtains valid authenticated session tokens proving authentication already occurred, enabling account access without requiring new MFA challenges. This real-time interception bypasses MFA without having to defeat any particular MFA method, which is why only phishing-resistant methods such as FIDO2 keys, whose credentials are bound to the legitimate domain, stop it.
What organizations are targeted by ONNX/Caffeine?
Primarily financial services firms according to Microsoft reporting from November 2024, though any organization using Microsoft 365 with standard MFA faces risk. The financial services targeting likely reflects higher-value targets with substantial financial resources and sensitive data. However, Caffeine/ONNX's Office 365 specialization means all Microsoft 365 environments remain vulnerable regardless of industry sector.
How much does Caffeine/ONNX cost to use?
Base subscriptions started at $150/month for webmail targets according to Microsoft and EclecticIQ reporting. Professional Office 365 tiers cost $200/month. Enterprise tiers reached $550+/month for advanced features. The tiered pricing enabled market segmentation where budget-conscious attackers purchased basic capabilities while sophisticated threat actors invested in premium features and priority support.
Is ONNX/Caffeine still active?
Microsoft dismantled primary infrastructure in November 2024 through seizure of 256 domains according to Microsoft On the Issues blog. However, the developer Abanoub Nady may continue operations under different aliases or alternate infrastructure. The history of rebranding from Caffeine to ONNX to FUHRER suggests operators may launch successor platforms rather than permanently ceasing operations. Organizations should remain vigilant for potential reemergence under new branding.
How can I tell if my organization was targeted by ONNX/Caffeine?
Review authentication logs for suspicious patterns including authentication attempts from unexpected IP addresses, unusual geographic locations for user accounts, multiple failed authentication attempts followed by successful logins minutes later, or authentication from IP addresses associated with VPN services or hosting providers rather than typical user networks. SIEM correlation should link phishing email delivery with subsequent authentication anomalies. Consult threat intelligence feeds for known Caffeine/ONNX IOCs matching your environment.
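The log review above, together with the impossible-travel and risk-based checks in the Conditional Access section, can be turned into a small correlation routine. The following is an added example (not the page's or any vendor's code) run over constructed sign-in events; the IP addresses, coordinates and ASN labels are made up, and the speed threshold and 10-minute failure window are assumptions a real deployment would tune.

```python
import math
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sign-in events resembling an identity provider's export.
# Coordinates and ASN labels would normally come from a GeoIP/ASN lookup.
SIGNINS = [
    {"user": "alice", "ts": "2024-11-05T08:00:00", "ip": "203.0.113.10", "lat": 51.50, "lon": -0.12, "asn": "ISP-Home", "result": "success"},
    {"user": "alice", "ts": "2024-11-05T08:41:00", "ip": "198.51.100.7", "lat": 40.70, "lon": -74.00, "asn": "HOSTING-VPS", "result": "failure"},
    {"user": "alice", "ts": "2024-11-05T08:43:00", "ip": "198.51.100.7", "lat": 40.70, "lon": -74.00, "asn": "HOSTING-VPS", "result": "success"},
    {"user": "bob", "ts": "2024-11-05T09:00:00", "ip": "203.0.113.55", "lat": 48.85, "lon": 2.35, "asn": "ISP-Home", "result": "success"},
    {"user": "bob", "ts": "2024-11-05T15:00:00", "ip": "203.0.113.56", "lat": 52.52, "lon": 13.40, "asn": "ISP-Mobile", "result": "success"},
]

MAX_KMH = 900.0                           # faster than this is "impossible travel"
HOSTING_ASN_PREFIXES = ("HOSTING", "VPN")  # labels an ASN feed would assign
FAIL_WINDOW = timedelta(minutes=10)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyze(events: List[dict]) -> Dict[str, List[str]]:
    """Return, per user, the findings that warrant an analyst's attention."""
    findings: Dict[str, List[str]] = {}
    by_user: Dict[str, List[dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        flags: List[str] = []
        last_success = None
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            ts = datetime.fromisoformat(e["ts"])
            # Successful sign-in from hosting/VPN space rather than a user network.
            if e["asn"].startswith(HOSTING_ASN_PREFIXES):
                flags.append(f"{e['ts']} success from hosting/VPN ASN {e['asn']} ({e['ip']})")
            # Failed attempt(s) from the same IP shortly before the success.
            if any(p["result"] == "failure" and p["ip"] == e["ip"]
                   and ts - datetime.fromisoformat(p["ts"]) <= FAIL_WINDOW
                   for p in evs[:i]):
                flags.append(f"{e['ts']} success within {FAIL_WINDOW.seconds // 60} min of failures from {e['ip']}")
            # Impossible travel relative to the previous successful sign-in.
            if last_success is not None:
                hours = (ts - datetime.fromisoformat(last_success["ts"])).total_seconds() / 3600
                km = haversine_km(last_success["lat"], last_success["lon"], e["lat"], e["lon"])
                if hours > 0 and km / hours > MAX_KMH:
                    flags.append(f"{e['ts']} impossible travel: {km:.0f} km in {hours:.2f} h "
                                 f"from {last_success['ip']} to {e['ip']}")
            last_success = e
        if flags:
            findings[user] = flags
    return findings


if __name__ == "__main__":
    for user, flags in analyze(SIGNINS).items():
        print(user)
        for f in flags:
            print("  -", f)
```

In a SIEM the same findings would be joined against email telemetry so that a flagged sign-in can be traced back to the lure that preceded it; bob's Paris-to-Berlin day produces no finding because the implied speed is well under the threshold.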