What Is Dadsec OTT?

Dadsec OTT (Office 365 Tool) is a Phishing-as-a-Service (PhaaS) platform offering Adversary-in-the-Middle (AiTM) reverse proxy capabilities, developed and operated by threat actor group Storm-1575.


First observed in May 2023, Dadsec rapidly achieved prominence in underground markets and was responsible for some of the highest phishing attack volumes tracked in 2023. The platform was subsequently rebranded as "Phoenix Panel" in late 2023, and later evolved into "Rockstar 2FA." Dadsec's rapid adoption, advanced AiTM capabilities, and massive attack volume established it as a dominant PhaaS player during its operational period.

How Does Dadsec OTT Work?

Dadsec operates as a reverse proxy positioned between victims and legitimate cloud services, primarily Microsoft 365, intercepting all authentication traffic in real time, according to Microsoft Threat Intelligence and Sekoia.io.

Real-time credential and MFA interception follows eight steps:

1. Initial phishing page: the victim is delivered to a phishing page hosted on Dadsec-provided infrastructure.
2. Credential capture: the victim submits their username and password to the Dadsec phishing page.
3. MFA detection: the platform determines whether the target account has MFA enabled.
4. Live authentication relay: the credentials are simultaneously relayed to the legitimate Microsoft 365 service.
5. MFA code interception: when MFA is triggered, the phishing page prompts the victim for the authentication code.
6. Code relay: the victim's MFA code from SMS, TOTP, or push notification is captured and instantly relayed to the real service.
7. Session token capture: valid session cookies and tokens are extracted while they are being generated.
8. Full account compromise: the attacker gains complete account access using the valid, in-use session.

Phishing infrastructure:

- Pre-built templates: ready-made phishing page templates for Microsoft 365 reduce setup time.
- Campaign management portal: a web interface for managing campaigns, tracking captured credentials, and monitoring volumes.
- Victim list integration: tools to import email lists and customize phishing pages per target.
- Automated hosting: the platform manages domain registration, SSL certificates, and server hosting.

Operational model:

- Commercial PhaaS: a subscription or pay-per-campaign model enables attackers to launch operations without technical expertise.
- Support infrastructure: active operator support, tool updates, and technical assistance for customers.
- Community features: underground forums for customer communication, feedback, and threat intelligence sharing.

Technical sophistication:

- CDN and DDoS protection: infrastructure hardening to evade takedown attempts.
- Analytics dashboard: real-time campaign metrics including credentials captured, MFA bypass success rate, and conversion rates.
- Customization options: whitebranding, custom domain selection, and landing page customization.

How Does Dadsec OTT Compare to Other Platforms?

| Factor | Dadsec OTT | Tycoon 2FA | NakedPages | Greatness | EvilProxy |
|---|---|---|---|---|---|
| Launch date | May 2023 | 2024 | Mid-2022 | 2023 | 2023 |
| 2023 volume | Highest | High | High | Growing | Established |
| AiTM capable | Yes | Yes | Yes | Yes | Yes |
| MFA bypass | Yes | Yes | Yes | Yes | Yes |
| Primary target | Microsoft 365 | Microsoft 365 | Microsoft 365 | Microsoft 365 | Multi-service |
| Evasion | High | Very high | Very high (9 redirects) | Moderate | High |
| Cost | $500 activation | $250/month | Not specified | $120/month | $150-$600/campaign |
| Operator | Storm-1575 | Not specified | Not specified | Not specified | Not specified |
| 2024+ status | Rebranded (Phoenix/Rockstar) | Dominant (89-95%) | Active | Active | Active |
| Ideal for | High-volume attackers | Professional phishing operators | Evasion-focused attackers | Budget-conscious attackers | Executive targeting |

Against Tycoon 2FA: Tycoon is ranked the #1 AiTM platform in 2024-2025, with similar capabilities and higher current prevalence. Dadsec OTT was responsible for the highest phishing volumes in 2023 as a newer entrant (May 2023) versus the earlier Tycoon, and subsequently evolved or was rebranded.

Compared to NakedPages: Dadsec had the highest attack volume in 2023 and a more aggressive operator posture, while NakedPages has more evasion sophistication, with 9 sequential redirects, and a more established presence (mid-2022 versus May 2023). Both use an AiTM reverse proxy with a Microsoft 365 focus and similar MFA bypass mechanics.

Against Greatness: Dadsec has massively higher attack volume, a $500 OTT activation fee, and the Storm-1575 operator group, while Greatness has a lower cost at $120/month, is more accessible, and has less attack volume but broader adoption. In market position, Dadsec is a high-volume threat actor platform while Greatness is a low-barrier-to-entry platform.

Compared to EvilProxy: Dadsec has newer technology and higher 2023 volumes and operates as a commercial PhaaS with support, while EvilProxy has an established reputation, a higher-cost premium offering, and a longer operational history. Both offer AiTM, MFA bypass, and Microsoft 365 targeting.

The Dadsec/Phoenix/Rockstar 2FA evolution: Dadsec OTT launched in May 2023 and had the highest 2023 volumes; Phoenix Panel was a late-2023 rebranding that maintained operational continuity; Rockstar 2FA is the 2024 iteration, appearing as a merger or evolution with Tycoon 2FA infrastructure.

Top PhaaS Platforms by 2023 Volume: 1. Dadsec OTT (highest phishing volumes), 2. Tycoon 2FA (sustained high volume), 3. NakedPages (consistent top-5 platform), 4. Greatness (growing adoption), 5. EvilProxy (established player).

Why Does Dadsec OTT Matter?

Timeline: Dadsec launched and was first observed in May 2023. Peak activity came in October 2023, when it was documented as the highest phishing volume performer. The rebranding to Phoenix Panel occurred in late 2023, and the evolution to Rockstar 2FA happened in 2024, with a possible Tycoon 2FA merger. The operators continue operations under new brand names.

Volume and prevalence: more than 1,000 different domains were identified using the Dadsec service, according to eSentire's count. At its 2023 peak, Microsoft tracked Dadsec as responsible for some of the highest volumes of phishing attacks since its May 2023 launch. Campaign frequency was high, with many concurrent campaigns throughout late 2023, and the platform operators maintained hundreds of active phishing servers.

Pricing and access: Dadsec charged a $500 USD one-time activation fee, paid in Bitcoin or PerfectMoney. It was advertised on underground forums, Telegram channels, and dark web marketplaces. The managed service model and support attracted a broader threat actor base.

Geographic targeting focused primarily on North America and Western Europe, with a secondary focus on Australia, Canada, and New Zealand. Multi-language support indicates global operations. Target organization types include enterprise organizations using Microsoft 365, mid-market companies with less sophisticated security, the education sector, government and public sector agencies, and healthcare and financial institutions.

Competitive ecosystem context: in 2023, according to Trustwave Financial Services analysis, the top PhaaS platforms by 2024 were: 1. Caffeine, 2. Tycoon, 3. Greatness, 4. NakedPages, 5. Dadsec (at time of documentation). Dadsec's exceptional 2023 volume placement suggests potential for ranking higher if metrics were updated.

What Are the Limitations of Dadsec OTT?

- High operational visibility: massive phishing volume across 1,000+ domains creates a substantial forensic footprint and threat intelligence tracking opportunities.
- Infrastructure fragility: a large number of phishing servers and domains increases exposure to takedown operations, ISP abuse complaints, and registrar de-listings.
- Community reliance: the PhaaS model depends on satisfied customers; poor campaigns or infrastructure outages damage reputation and drive migration to competitors.
- Payment traceability: cryptocurrency payments create blockchain analysis opportunities for law enforcement, with some customers' wallets potentially identified.
- Operator burnout: managing 1,000+ active domains and supporting a growing customer base requires significant staffing and creates operational strain.
- API dependency: MFA bypass relies on Microsoft 365 API behavior, so API hardening, authentication changes, or Microsoft's detection improvements directly impact effectiveness.
- Detection signature accumulation: a high volume of phishing pages creates many detectable artifacts, and antivirus and email security vendors quickly add signatures.
- Law enforcement pressure: as a high-profile operation, it attracts attention from the FBI, Europol, and international law enforcement.
- Session token expiration: stolen tokens are valid for hours to days, requiring rapid exploitation by customers.
- Customer churn risk: some customers are inevitably arrested, caught by EDR, or turn to competing platforms.

How Can You Defend Against Dadsec OTT?

Detection and threat intelligence: monitor known Dadsec/Phoenix/Rockstar 2FA domain registrations and IP ranges; subscribe to feeds tracking Dadsec campaigns and infrastructure takedowns; hunt for logins from compromised Dadsec campaigns in organizational logs; identify accounts showing signs of AiTM compromise, including unusual login patterns, forwarding rules, and OAuth grants; and coordinate with the FBI, local law enforcement, and Microsoft on reporting suspected compromises.

Email and authentication security: enforce DKIM/SPF/DMARC for strict email authentication that prevents domain spoofing; deploy Microsoft Defender for Office 365 ATP with link and attachment detonation; implement safe links with URL rewriting to prevent direct phishing link clicks; enforce phishing-resistant MFA with hardware security keys or Windows Hello/FIDO2 authenticators; and deploy conditional access with risk-based policies that flag impossible travel and unusual authentication patterns.

Microsoft 365 hardening: configure aggressive session limits of 15-30 minutes for sensitive accounts; enable anomalous access alerts with Microsoft's risk-based sign-in detection; implement email forwarding restrictions to block or monitor email forwarding rules; govern OAuth by restricting dangerous consent grants and auditing existing OAuth applications; protect admin accounts by using dedicated admin accounts with enhanced MFA and separate devices; and deploy priority account protection with enhanced monitoring for high-value accounts, including executives, finance, and IT.

Incident response and forensics: reset credentials immediately for potentially compromised accounts; revoke sessions, terminating all active sessions to force re-authentication; audit mailboxes, reviewing sent items, forwarding rules, OAuth consents, and delegates; analyze access logs to identify suspicious login locations, times, and user agents; hunt for lateral movement by checking whether the compromise has spread to other accounts; and review retention to ensure audit logs are kept for forensic analysis.
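
The log hunt described in the detection and incident response items above can be sketched as follows. This is an added example, not code from the original page or from any vendor; the event schema, field names, and sample records are constructed assumptions, and it generalizes the page's indicators into one rule: a session reused from a different IP or user agent, escalated when a forwarding rule or OAuth consent follows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not a real log export).
SIGNINS = [
    {"user": "alice@example.com", "time": "2023-10-03T09:01:00", "session": "s-100",
     "ip": "198.51.100.7", "agent": "Chrome/117 Windows"},
    {"user": "alice@example.com", "time": "2023-10-03T09:04:00", "session": "s-100",
     "ip": "203.0.113.50", "agent": "python-requests/2.31"},
    {"user": "bob@example.com", "time": "2023-10-03T10:00:00", "session": "s-200",
     "ip": "192.0.2.10", "agent": "Edge/117 Windows"},
    {"user": "bob@example.com", "time": "2023-10-03T10:30:00", "session": "s-200",
     "ip": "192.0.2.10", "agent": "Edge/117 Windows"},
]
AUDIT = [
    {"user": "alice@example.com", "time": "2023-10-03T09:10:00", "action": "new_forwarding_rule"},
    {"user": "bob@example.com", "time": "2023-10-04T15:00:00", "action": "oauth_consent"},
]
FOLLOW_UP = {"new_forwarding_rule", "oauth_consent"}  # hypothetical action names

def parse(ts):
    return datetime.fromisoformat(ts)

def hunt(signins, audit, window=timedelta(hours=1)):
    """Return findings for sessions reused from a different IP or user agent."""
    by_session = defaultdict(list)
    for ev in signins:
        by_session[(ev["user"], ev["session"])].append(ev)
    findings = []
    for (user, session), events in by_session.items():
        events.sort(key=lambda e: parse(e["time"]))
        origin = events[0]
        reused = [e for e in events[1:]
                  if (e["ip"], e["agent"]) != (origin["ip"], origin["agent"])]
        if not reused:
            continue
        first_reuse = parse(reused[0]["time"])
        # Persistence actions shortly after the reuse raise severity.
        follow = sorted(a["action"] for a in audit
                        if a["user"] == user and a["action"] in FOLLOW_UP
                        and first_reuse <= parse(a["time"]) <= first_reuse + window)
        findings.append({"user": user, "session": session,
                         "reuse_ips": sorted({e["ip"] for e in reused}),
                         "follow_up": follow,
                         "severity": "high" if follow else "medium"})
    return findings

if __name__ == "__main__":
    for finding in hunt(SIGNINS, AUDIT):
        print(finding)
```

Because an AiTM proxy relays the login itself, the first event of a session may already originate from attacker infrastructure, so comparing the session's origin IP against the user's known locations is a useful additional check.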

FAQs

If Dadsec had the highest phishing volumes in 2023 but I've never heard of it, should I be concerned?

Yes, according to Microsoft Threat Intelligence. High volume means Dadsec operators were conducting massive spray-and-pray campaigns, sending phishing emails to hundreds of thousands of addresses. Even if your organization wasn't specifically targeted, if you had active Microsoft 365 accounts in 2023, your email addresses were likely in their targeting scope. Review your security logs from that period for compromise indicators.

Why did Dadsec rebrand to Phoenix, and does that mean the threat is gone?

Rebranding is common among PhaaS operators to evade law enforcement tracking, shed reputation damage, or refresh marketing, according to security analysis. The rebrand from Dadsec to Phoenix to Rockstar 2FA indicates the same underlying operator group, Storm-1575, continuing operations under new names. The threat didn't disappear; it evolved. The operators are likely still active.

What does "$500 activation fee" mean for the threat landscape?

It's a premium but accessible price point, according to market analysis. $500 is low enough that serious threat actors can afford it, but high enough to exclude casual attackers and undercover law enforcement with limited budgets. It indicates Dadsec was targeting organized cybercrime groups, BEC gangs, and subscription-based phishing operations rather than individual hackers. These are more dangerous, more sustained, and better-resourced than typical phishing actors.


© 2026 Kinds Security Inc. All rights reserved.
