Microsoft is warning users to be on guard against malicious activity from an emerging threat cluster tracked as Storm-0539. The cluster is using sophisticated email and SMS phishing campaigns to carry out gift card theft and fraud against retail businesses during the Christmas shopping season. The attacks aim to spread booby-trapped URLs that lead victims to phishing pages which act as an adversary-in-the-middle (AiTM), harvesting both passwords and session tokens.
“Storm-0539 registers their device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity, after gaining access to an initial session and token,” the tech giant stated in a series of posts on X (formerly Twitter). This kind of foothold also serves as a means of gaining access to cloud resources, moving laterally through the network, and escalating privileges. All of these are crucial for reaching sensitive data, in this case gift card-related services, in order to enable fraudulent activity.
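The sequence described above (a session stolen through an AiTM page, followed shortly by the attacker registering their own device so that later MFA prompts succeed) leaves a correlatable trail in identity-provider logs. The following is an added detection sketch, not code from Microsoft or from the article: it flags any device registration that is preceded, within a short window, by a sign-in for the same account from an IP address outside that account's baseline. The record schema, the sample events, the per-user IP baselines and the two-hour window are all constructed for this illustration and would need to be mapped onto your provider's sign-in and audit log fields.

```python
"""Correlate device registrations with unfamiliar sign-ins for the same account.

Added example for the token-theft-then-register-device pattern described in
the article. Everything below (field names, IP baselines, events, time window)
is constructed for illustration; none of it comes from the article or from a
real identity provider's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One normalized log record (constructed schema)."""
    ts: datetime
    user: str
    kind: str          # "signin" or "device_registered"
    ip: str = ""       # source IP for sign-ins; empty for audit events


# Constructed baseline: IPs each account has been seen from recently.
BASELINE = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"198.51.100.7"},
}

# Constructed sample events using documentation-range IPs.
# Alice registers a device after a sign-in from her usual address.
# Bob signs in from an address never seen for him, then registers a device
# twelve minutes later: the pattern the article describes.
EVENTS = [
    Event(datetime(2023, 12, 14, 8, 2), "alice@example.com", "signin", "203.0.113.10"),
    Event(datetime(2023, 12, 14, 9, 15), "alice@example.com", "device_registered"),
    Event(datetime(2023, 12, 14, 13, 40), "bob@example.com", "signin", "192.0.2.55"),
    Event(datetime(2023, 12, 14, 13, 52), "bob@example.com", "device_registered"),
    Event(datetime(2023, 12, 14, 16, 0), "bob@example.com", "signin", "192.0.2.55"),
]


def find_suspicious_registrations(events, baseline, window=timedelta(hours=2)):
    """Return (user, registration time as ISO string, unfamiliar IP) for each
    device registration preceded within `window` by a sign-in from an IP that
    is not in the user's baseline. The window length is an assumed tuning value.
    """
    signins = [e for e in events if e.kind == "signin"]
    hits = []
    for reg in (e for e in events if e.kind == "device_registered"):
        known = baseline.get(reg.user, set())
        for s in signins:
            same_user = s.user == reg.user
            in_window = reg.ts - window <= s.ts <= reg.ts
            if same_user and in_window and s.ip not in known:
                hits.append((reg.user, reg.ts.isoformat(), s.ip))
                break  # one alert per registration is enough
    return hits


if __name__ == "__main__":
    for user, when, ip in find_suspicious_registrations(EVENTS, BASELINE):
        print(f"ALERT: {user} registered a device at {when} after a sign-in from unfamiliar IP {ip}")
```

Only Bob's registration is flagged: Alice's sign-in came from an address in her baseline, so her registration is treated as routine. In practice the baseline would be built from weeks of sign-in history and the alert would be enriched with the sign-in's user agent and geolocation before an analyst revokes sessions and removes the device.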
Strong credential hygiene is all the more important because Storm-0539 harvests emails, contact lists, and network configurations for follow-on attacks against the same businesses. In the most recent edition of its monthly Microsoft 365 Defender report, Redmond characterized the adversary as a financially motivated group that has been active since at least 2021.
"Storm-0539 carries out an extensive survey of targeted organizations to create convincing phishing lures and steal user credentials for initial access," it stated. "The actor is well-versed in cloud providers and leverages resources from the target organization's cloud services for post-compromise activities."
A few days ago, the company revealed that it had obtained a court order to seize the infrastructure of Storm-1152, a Vietnamese cybercrime outfit. The group marketed tools for bypassing identity verification on several online channels, along with nearly 750 million fraudulent Microsoft accounts.
Microsoft also issued a warning earlier this week regarding the misuse of OAuth applications by various threat actors to automate financially motivated cybercrimes, including phishing, Business Email Compromise (BEC), massive spam campaigns, and the use of virtual machines to mine cryptocurrency illegally.