Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it’s tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.
The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens.
“After gaining access to an initial session and token, Storm-0539 registers their device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity,” the tech giant said in a series of posts on X (formerly Twitter).
The foothold obtained in this manner is a conduit for escalating privileges, moving laterally across the network, and accessing cloud resources to grab sensitive information, specifically going after gift card-related services to facilitate fraud.
On top of that, Storm-0539 collects emails, contact lists, and network configurations for follow-on attacks against the same organizations, necessitating robust credential hygiene practices.
In its monthly Microsoft 365 Defender report published last month, Redmond described the adversary as a financially motivated group that has been active since at least 2021.
“Storm-0539 carries out extensive reconnaissance of targeted organizations to craft convincing phishing lures and steal user credentials and tokens for initial access,” it said.
“The actor is well-versed in cloud providers and leverages resources from the target organization’s cloud services for post-compromise activities.”
The disclosure comes days after the company said it obtained a court order to seize the infrastructure of a Vietnamese cybercriminal group called Storm-1152 that sold access to approximately 750 million fraudulent Microsoft accounts as well as identity verification bypass tools for other technology platforms.
Earlier this week, Microsoft also warned that multiple threat actors are abusing OAuth applications to automate financially motivated cyber crimes, such as business email compromise (BEC), phishing, large-scale spamming campaigns, and deploying virtual machines to illicitly mine for cryptocurrencies.