Hackers are leveraging compromised Microsoft 365 accounts to significantly enhance a phishing operation dubbed CodeStorm. By utilizing legitimate Microsoft 365 accounts, these attackers bypass traditional security measures, making their phishing attempts more convincing and dangerous.
Innovative Phishing Techniques
Instead of building their own fake infrastructure, the attackers repurpose genuine M365 accounts. Mail sent from these accounts passes reputation and authentication checks, so it more easily evades security filters and increases the likelihood that recipients engage with the malicious content. A common tactic involves sending emails that mimic legitimate Microsoft notifications, complete with detailed voicemail messages and authentic-looking branding.
To further mislead security systems, a block of irrelevant email thread content is appended to these messages, tricking filters into categorizing them as low-risk interactions. This strategic deception greatly enhances the effectiveness of the phishing attempt.
Advanced Credential Replay
Research conducted by ZeroBEC highlights the evolving sophistication of the CodeStorm phishing kit. It not only collects user credentials but also replays them against Microsoft's live identity systems in real time. This allows the attackers to mimic legitimate login behavior and effectively bypass multi-factor authentication protocols.
The phishing flow includes a Cloudflare Turnstile challenge to deter automated scanners. The landing page also checks for developer tools or automation cues, redirecting suspicious traffic to legitimate Microsoft sites to avoid detection.
Defending Against CodeStorm
The infrastructure used by CodeStorm is designed to rotate frontend domains while maintaining a stable backend. This setup supports the full Microsoft MFA workflow, making it versatile against various authentication methods. Security teams are advised to track suspicious email patterns, such as identical From, To, and Return-Path headers with appended unrelated threads, to detect potential CodeStorm activities.
Additionally, monitoring network activity for cross-site POST requests targeting specific paths can provide early indicators of compromise. In Microsoft Entra, particular attention should be given to sign-in failures with error codes shortly after phishing attempts, as these may signal unauthorized access attempts from unexpected locations.
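The two detection recommendations above (self-addressed messages with an appended unrelated thread, and sign-in failures from unexpected locations shortly after the phish arrives) can be turned into simple checks. The following is an added example, not code from the article or from ZeroBEC; the sample message, the sign-in records, their field names and the country codes are all constructed here for illustration, and real Entra exports use different schemas.

```python
"""Heuristic checks for the CodeStorm email and sign-in indicators described above.
All sample data below is constructed for this example."""
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr

# Constructed sample lure: From, To and Return-Path all resolve to the same
# (compromised) mailbox, and an unrelated quoted thread is appended below the lure.
SAMPLE_EMAIL = """From: "Microsoft 365" <user@contoso.example>
To: user@contoso.example
Return-Path: <user@contoso.example>
Subject: You have a new voicemail
Date: Mon, 03 Jun 2024 09:00:00 +0000

You received a voicemail (0:42). Listen now.

-----Original Message-----
From: finance@contoso.example
Subject: RE: Q2 invoice reconciliation
Hi all, attaching the updated numbers for the quarter...
"""

THREAD_MARKER = "-----Original Message-----"


def flag_self_addressed(raw_message: str) -> bool:
    """True when From, To and Return-Path all resolve to a single address,
    the header pattern the article associates with CodeStorm mail."""
    msg = message_from_string(raw_message)
    addrs = {parseaddr(msg.get(h, ""))[1].lower() for h in ("From", "To", "Return-Path")}
    return len(addrs) == 1 and "" not in addrs


def _norm_subject(subject: str) -> str:
    """Lower-case a subject and strip reply/forward prefixes for comparison."""
    s = subject.strip().lower()
    for prefix in ("re:", "fw:", "fwd:"):
        while s.startswith(prefix):
            s = s[len(prefix):].strip()
    return s


def has_appended_thread(raw_message: str) -> bool:
    """True when the body carries a quoted thread whose subject is unrelated
    to the outer message's subject (an appended, irrelevant conversation)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    if THREAD_MARKER not in body:
        return False
    tail = body.split(THREAD_MARKER, 1)[1]
    quoted = next((line.split(":", 1)[1] for line in tail.splitlines()
                   if line.lower().startswith("subject:")), "")
    return bool(quoted) and _norm_subject(quoted) != _norm_subject(msg.get("Subject", ""))


# Constructed sign-in records (field names are assumptions, not Entra's schema).
SIGNIN_LOG = [
    {"user": "user@contoso.example", "time": "2024-06-03T08:30:00", "status": "failure", "country": "XX"},
    {"user": "user@contoso.example", "time": "2024-06-03T09:07:00", "status": "failure", "country": "XX"},
    {"user": "user@contoso.example", "time": "2024-06-03T09:12:00", "status": "success", "country": "US"},
    {"user": "user@contoso.example", "time": "2024-06-03T09:20:00", "status": "failure", "country": "US"},
    {"user": "other@contoso.example", "time": "2024-06-03T09:25:00", "status": "failure", "country": "XX"},
]


def correlate_signin_failures(phish_received: datetime, user: str, records: list,
                              baseline_countries: set, window: timedelta = timedelta(hours=1)) -> list:
    """Return failed sign-ins for `user` inside `window` after the phish landed
    that originate outside the user's normal countries."""
    hits = []
    for rec in records:
        if rec["user"] != user or rec["status"] != "failure":
            continue
        when = datetime.fromisoformat(rec["time"])
        if phish_received <= when <= phish_received + window and rec["country"] not in baseline_countries:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print("self-addressed:", flag_self_addressed(SAMPLE_EMAIL))
    print("appended thread:", has_appended_thread(SAMPLE_EMAIL))
    received = datetime(2024, 6, 3, 9, 0)
    for hit in correlate_signin_failures(received, "user@contoso.example", SIGNIN_LOG, {"US"}):
        print("suspicious failure:", hit)
```

In practice the email checks would run over the message-trace or MTA log stream and the sign-in correlation over exported Entra sign-in events, keyed on the recipient of a flagged message; the one-hour window and the baseline-country set are tuning knobs, not values taken from the article.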
The CodeStorm campaign underscores the importance of robust email security practices and vigilant monitoring to prevent the misuse of compromised accounts. As phishing tactics evolve, staying informed and adopting proactive security measures are crucial in safeguarding sensitive information.
