Microsoft warns of an increase in malicious activity from an emerging threat cluster it is tracking as Storm-0539, which is orchestrating gift card fraud and theft through highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.
The goal of the attacks is to spread booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages capable of harvesting their credentials and session tokens.
“After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and continuing around using a fully compromised identity,” the tech giant said in a series of posts on X (formerly Twitter).
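The sequence described above (a session obtained through an AiTM page, followed shortly by the attacker registering their own device for MFA) leaves a correlatable trace in identity logs. The following Python snippet is an added defender-side example, not code from Microsoft or from the article: it flags a device registration that occurs within a short window after a sign-in from an IP address the user has never used before. The event schema, field names, sample events and the list of known IPs are all constructed for illustration and do not correspond to any real product's log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real identity-provider records).
# Alice: sign-in from an unseen IP, then a device registered four minutes later.
# Bob: sign-in from a known IP, device registered more than a day later.
SAMPLE_EVENTS = [
    {"ts": "2023-12-14T09:01:00", "user": "alice@example.com",
     "type": "signin", "ip": "203.0.113.10"},
    {"ts": "2023-12-14T09:04:30", "user": "alice@example.com",
     "type": "device_registered", "ip": "203.0.113.10"},
    {"ts": "2023-12-14T10:00:00", "user": "bob@example.com",
     "type": "signin", "ip": "198.51.100.7"},
    {"ts": "2023-12-15T11:00:00", "user": "bob@example.com",
     "type": "device_registered", "ip": "198.51.100.7"},
]

# Constructed baseline: IPs each user has previously signed in from.
KNOWN_IPS = {
    "alice@example.com": {"192.0.2.5"},
    "bob@example.com": {"198.51.100.7"},
}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_suspicious_registrations(events, known_ips,
                                  window=timedelta(minutes=30)):
    """Return device registrations preceded (within `window`) by a sign-in
    from an IP not in the user's known-IP baseline.

    Each finding is a dict with the user, the unseen IP, and both timestamps.
    """
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    signins = [e for e in events if e["type"] == "signin"]
    findings = []

    for reg in (e for e in events if e["type"] == "device_registered"):
        reg_time = _parse(reg["ts"])
        baseline = known_ips.get(reg["user"], set())
        for s in signins:
            if s["user"] != reg["user"]:
                continue
            s_time = _parse(s["ts"])
            # Only sign-ins shortly *before* the registration are of interest.
            if not (reg_time - window <= s_time <= reg_time):
                continue
            if s["ip"] in baseline:
                continue
            findings.append({
                "user": reg["user"],
                "ip": s["ip"],
                "signin_ts": s["ts"],
                "registration_ts": reg["ts"],
            })
            break  # one finding per registration is enough
    return findings


if __name__ == "__main__":
    for f in find_suspicious_registrations(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT: {f['user']} registered a device at {f['registration_ts']} "
              f"shortly after signing in from unseen IP {f['ip']} at {f['signin_ts']}")
```

The 30-minute window and the known-IP baseline are tunable; in practice the baseline would be built from historical sign-in data rather than hard-coded, and the rule would sit alongside other signals (impossible travel, new user agent) rather than fire on its own.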
The foothold obtained in this way further acts as a channel for privilege escalation, lateral movement across the network, and access to cloud resources to obtain sensitive information, especially the compromise of gift card-related services to facilitate fraud.
On top of that, Storm-0539 collects emails, contact lists, and network configurations for successive attacks against the same organizations, underscoring the need for strong credential hygiene practices.
Redmond, in its monthly Microsoft 365 Defender report published last month, described the adversary as a financially motivated group active since 2021.
“Storm-0539 conducts extensive reconnaissance of target organizations to create convincing phishing lures and steal user credentials and tokens for initial access,” it said.
“The actor is well-versed in cloud providers and uses resources from the target organization’s cloud services for post-compromise activities.”
The disclosure comes days after the company said it had obtained a court order to seize the infrastructure of a Vietnamese cybercriminal group called Storm-1152 that sold access to approximately 750 million fraudulent Microsoft accounts as well as identity verification bypass tools for other technology platforms.
Earlier this week, Microsoft also warned that many threat actors are abusing OAuth applications to automate financially motivated cyber crimes, such as business email compromise (BEC), phishing, massive spamming campaigns, and deployment of virtual machines to illegally mine cryptocurrencies.