Cybercriminals are leveraging compromised Microsoft 365 (M365) accounts to increase the reach of a phishing campaign tracked as CodeStorm. Because the lure mail is sent through legitimate M365 tenants, it passes the sender-authentication and reputation checks that traditional email security relies on, so more of it reaches the inboxes of the intended targets.
The CodeStorm campaign begins with phishing emails that mimic authentic Microsoft communications, such as voicemail notifications. These emails are meticulously crafted, featuring elements like call durations, reference IDs, and branded buttons labeled “OPEN VOICEMAIL PORTAL.” To further evade detection, the emails include extensive, unrelated email threads designed to deceive automated scanning systems into classifying them as benign business correspondence.
Security researchers have found that the CodeStorm phishing kit has evolved to incorporate tenant-aware credential replay. The kit does not merely harvest credentials for later use: as the victim types them, the kit's backend replays them in real time against Microsoft's identity infrastructure, so the sign-in looks like ordinary user behaviour. Multi-factor authentication (MFA) is not broken in the cryptographic sense; it is relayed. The victim is prompted for the second factor that Microsoft asks of the attacker's session and completes it, which satisfies MFA on the attacker's behalf.
Upon clicking the malicious link, victims are directed to a landing page protected by Cloudflare's Turnstile challenge, which filters out automated scanners. The page also checks for open browser developer tools and for automation indicators, and redirects to a legitimate Microsoft URL if either is detected, so a sandbox or analyst that trips the checks sees only a benign destination. This multi-layered anti-analysis approach distinguishes CodeStorm from more rudimentary credential-harvesting schemes.
The campaign’s infrastructure employs rotating frontend domains while maintaining a consistent backend controller. Communication between the phishing kit and the backend involves specific actions: ‘do=check’ for identity discovery, ‘do=login’ for credential submission, and ‘do=verify’ to trigger MFA. This design supports the full spectrum of Microsoft’s MFA workflows, including Authenticator push notifications, SMS one-time codes, voice calls, and recovery codes, ensuring compatibility with various authentication methods a victim might use.
By sending from compromised M365 accounts, the CodeStorm campaign borrows the legitimacy of the compromised tenant. Emails from these genuine accounts pass SPF, DKIM, and DMARC because they really are sent by that domain's mail infrastructure; those checks verify the sending domain, not the sender's intent, so they are no defence here. Additionally, the phishing kit reuses identical email threads across multiple victim tenants, changing only the organization name per target while keeping the rest of the content unchanged, which makes the thread body itself a useful fingerprint for correlating the campaign across tenants.
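The lure characteristics described above (voicemail-themed elements, a long unrelated thread appended as padding, and the same thread reused across tenants with only the organization name swapped) lend themselves to simple mail-side heuristics. The following is an added example, not code from the original article or from any vendor's product. It scores a message on the lure markers named in the text, measures how much of the body is quoted thread padding, and computes a fingerprint with the organization name masked so that two tenants' copies of the same lure collide. The sample messages, the marker list, the assumption that padding appears as `>`-quoted lines, and the thresholds are all constructed for the example.

```python
import hashlib
import re

# Lure markers taken from the campaign description: voicemail theme,
# call duration, reference ID, and the branded call-to-action button.
VOICEMAIL_MARKERS = (
    "voicemail",
    "call duration",
    "reference id",
    "open voicemail portal",
)

# Assumption for this example: the appended unrelated thread arrives as
# '>'-quoted lines. Real mail may need splitting on reply separators instead.
PADDING = "\n".join(
    f"> On Mon, Alice wrote: regarding the Q3 budget line {i}, please see attached."
    for i in range(40)
)

# Constructed sample messages (not real campaign mail). The first two are
# the same lure sent to two tenants, differing only in the organization name.
SAMPLES = [
    {
        "org": "Contoso",
        "subject": "New voicemail from +1 (555) 010-2000",
        "body": "You have a new voicemail for Contoso.\nCall duration: 00:47\n"
                "Reference ID: VM-88213\n[OPEN VOICEMAIL PORTAL]\n\n" + PADDING,
    },
    {
        "org": "Fabrikam",
        "subject": "New voicemail from +1 (555) 010-2000",
        "body": "You have a new voicemail for Fabrikam.\nCall duration: 00:47\n"
                "Reference ID: VM-88213\n[OPEN VOICEMAIL PORTAL]\n\n" + PADDING,
    },
    {
        "org": "Contoso",
        "subject": "Re: Q3 budget",
        "body": "Thanks, looks good.\n" + PADDING,
    },
]


def lure_score(msg):
    """Number of voicemail-lure markers present in subject or body."""
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    return sum(1 for marker in VOICEMAIL_MARKERS if marker in text)


def padding_ratio(body):
    """Fraction of non-empty body lines that are quoted thread material."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    quoted = sum(1 for ln in lines if ln.lstrip().startswith(">"))
    return quoted / len(lines)


def lure_fingerprint(msg):
    """SHA-256 of the body with the tenant's organization name masked and
    whitespace normalised, so per-tenant copies of one lure hash equally."""
    masked = re.sub(re.escape(msg["org"]), "{ORG}", msg["body"], flags=re.IGNORECASE)
    normalised = re.sub(r"\s+", " ", masked).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def classify(msg, min_markers=2, min_padding=0.5):
    """'suspicious' when the lure markers and the padding pattern co-occur.
    Thresholds are illustrative, not tuned on real data."""
    if lure_score(msg) >= min_markers and padding_ratio(msg["body"]) >= min_padding:
        return "suspicious"
    return "benign"


if __name__ == "__main__":
    for m in SAMPLES:
        print(m["org"], classify(m), lure_score(m),
              round(padding_ratio(m["body"]), 2), lure_fingerprint(m)[:12])
```

The third sample carries the same padding as the lures but none of the voicemail markers, which is why the two signals are combined: heavy quoting on its own is normal in business mail. The masked fingerprint is the cross-tenant signal; a mail security vendor seeing both tenants would key a campaign cluster on it.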
The backend controller performs live home-realm discovery against Microsoft's identity infrastructure, which is what makes the kit tenant-aware: it learns which realm the victim's address belongs to before presenting the password step. When the victim submits credentials, the 'do=login' action replays them immediately, and the 'do=verify' action relays whatever second factor Microsoft demands, giving the attacker an authenticated session on the victim's M365 account. Because the backend, not the victim's browser, performs that sign-in, the resulting sign-in event is sourced from the attacker's infrastructure rather than the victim's client; that mismatch is the artifact defenders should look for in sign-in logs.
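The three-step exchange between the kit and its backend ('do=check', then 'do=login', then 'do=verify') is a sequence a web proxy or egress log can be searched for. The following is an added example, not code from the article or from the kit: it parses constructed proxy log lines, groups requests by client and destination host, and raises an alert when one client walks the full sequence against one host inside a short window. The log format, the hostnames, the client addresses and the ten-minute window are assumptions for the example; only the parameter name and the three action values come from the text.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Action values named in the campaign description, in the order the kit
# uses them: identity discovery, credential submission, MFA trigger.
KIT_SEQUENCE = ("check", "login", "verify")

# Assumption: a real victim completes the three steps within ten minutes.
WINDOW_SECONDS = 600

# Constructed proxy log (not real traffic). Format assumed for the example:
# "<ISO-8601 UTC timestamp> <client IP> <method> <URL>".
SAMPLE_LOG = """\
2024-05-02T09:14:03Z 10.1.4.22 POST https://mail-notice.example/api/?do=check
2024-05-02T09:14:21Z 10.1.4.22 POST https://mail-notice.example/api/?do=login
2024-05-02T09:14:40Z 10.1.4.22 POST https://mail-notice.example/api/?do=verify
2024-05-02T09:15:02Z 10.1.4.23 POST https://intranet.corp.example/search?do=check
2024-05-02T11:30:00Z 10.1.4.24 POST https://vm-portal.example/api/?do=login
2024-05-02T11:31:00Z 10.1.4.24 POST https://vm-portal.example/api/?do=verify
"""


def parse_line(line):
    """Return (timestamp, client, host, action) or None if the request has
    no 'do' parameter. Unparseable lines are skipped rather than guessed at."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts_text, client, _method, url = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    split = urlsplit(url)
    action = parse_qs(split.query).get("do", [None])[0]
    if action is None:
        return None
    return ts, client, split.hostname, action


def find_kit_sequences(log_text, window=WINDOW_SECONDS):
    """Alert on every (client, host) pair that issues check, login and verify
    in that order within `window` seconds. Partial sequences (such as login
    and verify without a preceding check) are deliberately not alerted on."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, client, host, action = parsed
            events[(client, host)].append((ts, action))

    alerts = []
    for (client, host), seq in events.items():
        seq.sort()
        idx, start = 0, None
        for ts, action in seq:
            if action != KIT_SEQUENCE[idx]:
                continue
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(KIT_SEQUENCE):
                elapsed = int((ts - start).total_seconds())
                if elapsed <= window:
                    alerts.append({"client": client, "host": host,
                                   "first_seen": start, "last_seen": ts,
                                   "elapsed_seconds": elapsed})
                idx, start = 0, None
    return alerts


if __name__ == "__main__":
    for alert in find_kit_sequences(SAMPLE_LOG):
        print(alert)
```

Requiring the full ordered sequence keeps the rule quiet on ordinary sites that happen to use a 'do=' parameter, such as the constructed intranet search hit. In production the rule would run against the proxy's actual field layout, and a match is worth pairing with the identity side: a sign-in for the same user, at the same time, from an address that is not the client's.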
This development underscores the growing sophistication of phishing campaigns and the need for organizations to defend against credential relay rather than just credential theft. Regular user training and advanced email filtering still matter, but every MFA method the kit is reported to support (Authenticator push, SMS codes, voice calls and recovery codes) can be relayed by a real-time proxy, so organizations should also monitor sign-in activity for sessions that originate from infrastructure other than the user's own client and prefer phishing-resistant authentication methods that bind the credential to the legitimate origin.