During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to trick targets into opening malicious attachments, scanning QR codes, or following multi-step link chains. Every year, there is an observable uptick in tax-themed campaigns as Tax Day (April 15) approaches in the United States, and this year is no different.

In recent months, Microsoft Threat Intelligence identified email campaigns using lures around W-2, tax forms, or similar themes, or posing as government tax agencies, tax services firms, and relevant financial institutions. Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period.

Identified campaigns were designed to harvest credentials or deliver malware. Phishing-as-a-service (PhaaS) platforms continue to be prevalent, enabling highly convincing credential theft and multifactor authentication (MFA) bypass campaigns through tailored tax-themed social engineering lures, attachments, and phishing pages. In cases of malware delivery, we noted a continued trend of abusing legitimate remote monitoring and management tools (RMMs), which allow threat actors to maintain persistence on a compromised device or network, enable an alternative command-and-control method, or, in the case of hands-on-keyboard attacks, use as an interactive remote desktop session.

This blog details several of the campaigns observed by Microsoft Threat Intelligence in the past few months that leveraged the tax season for social engineering. By educating users about phishing lures, configuring essential email security settings, and defending against credential theft, individuals and organizations can defend against both this seasonal surge in phishing attacks and more broadly against many types of phishing attacks that we observe.

A wide range of tax-themed campaigns

CPA lures leading to Energy365 phishing kit

In early February 2026, we observed a campaign that was delivering the Energy365 PhaaS phishing kit and used tax and Certified Public Accountant (CPA) lures throughout the attack chain. This campaign stood out due to its highly specific lure customization, in contrast to other threat actors who use this popular phishing kit but employ generic lures. Other notable characteristics of this campaign include the involvement of multiple file formats such as Excel and OneNote, use of legitimate infrastructure such as OneDrive, and multiple rounds of user interaction, all attempts to complicate automated and reputation-based detection. While this specific campaign was not large, it represents the capabilities of Energy365, one of the leading phishing kits that enables hundreds of thousands of malicious emails observed by Microsoft daily.

Between February 5 and 6, several hundred emails with the subject ”See Tax file” targeted multiple industries including financial services, education, information technology (IT), insurance, and healthcare, primarily in the United States. The Excel attachment had the file name [Accountant’s name] CPA.xlsx, using the name of a real accountant (likely impersonated in this campaign without their knowledge). The attachment contained a clickable “REVIEW DOCUMENTS” button that linked to a OneNote file hosted on OneDrive.

The OneNote file, which continued the ruse by using the same CPA’s name and logo, contained a link leading to a malicious landing page that hosted the Energy365 phishing kit and attempted to harvest credentials such as email and password.

QR code and W2 lure leading to SneakyLog phishing kit

On February 10, 2026, Microsoft Threat Intelligence observed tax-themed phishing emails sent to approximately 100 organizations, in the manufacturing, retail, and healthcare industries primarily in the United States. The emails used the subject “2025 Employee Tax Docs” and contained an attachment named 2025_Employee_W-2  .docx. The attachment had content that mentioned various tax-related terms like Form W-2 and had a QR code pointing to a phishing page.

Each document was customized to contain the recipient’s name, and the URL hidden behind the QR code also contained the recipient’s email address. This means that each recipient received a unique attachment. The phishing page was built with the SneakyLog PhaaS platform and mimicked the Microsoft 365 sign-in page to steal credentials. SneakyLog, which is also known as Kratos, has been around since at least the beginning of 2025. This phishing kit is sold as a part of phishing-as-a-service and is capable of harvesting credentials and 2FA. While not as popular as other platforms like Energy365, SneakyLog has been consistently present in the threat landscape.

Form 1099-themed phishing delivering ScreenConnect

In January and February 2026, Microsoft Threat Intelligence observed sets of tax-themed domains registered, likely to be used in tax-themed phishing campaigns. These domains used keywords such as “tax” and “1099form” and also impersonated specific legitimate companies involved in tax filing, accounting, investing sectors. Brand abuse of legitimate accounting, tax preparation, finance, bookkeeping, and related companies continues to proliferate during tax season.

We observed one of these domains being used in a campaign between February 8 and February 10. Several hundred emails were sent to recipients in a wide range of industries primarily in the United States. The emails used subject lines like “Your Account Now Includes Updated Tax Forms [RF] 1234” or “Your Form 1099-R is ready – [RF] 12123123”. The email body said “2025 Tax Forms is ready” and contained a clickable “View Tax Forms” button that linked to the URL taxationstatments2025[.]com. If clicked, this domain redirected to tax-statments2025[.]com, which in turn served a malware executable named 1099-FR2025.exe.

The payload delivered in this campaign is the remote management and monitoring (RMM) tool ScreenConnect, signed by ConnectWise. The specific code signing certificate has since been revoked by the issuer due to high abuse. ScreenConnect is a legitimate tool, but threat actors have learned to abuse RMM functionality and essentially turn legitimate tools into remote access trojans (RATs), helping them take control of compromised devices.

IRS and cryptocurrency-themed phishing delivering SimpleHelp

Another notable campaign combined the impersonation of the US Internal Revenue Service (IRS) with a cryptocurrency lure. Notably, this campaign attempted to evade detection by not including a clickable link, but instead asked recipients to copy and paste a URL, which was in the email body, into the browser.

This campaign was sent on February 23 and 27, and it consisted of several thousands of emails sent to recipients exclusively in the United States. The emails targeted many industries, with the bulk of email sent to higher education. The emails used the subject “IR-2026-216” and abused online platform Eventbrite to masquerade as coming from the IRS:

• “IRS US”<noreply@campaign[.]eventbrite[.]com>
• “IRS GOV”<noreply@campaign[.]eventbrite[.]com>
• “Service”<noreply@campaign[.]eventbrite[.]com>
• “IRS TAX”<noreply@campaign[.]eventbrite[.]com>
• “.IRS.GOV”<noreply@campaign[.]eventbrite[.]com>

The email body said “Cryptocurrency Tax Form 1099 is Ready” and contained a non-clickable URL with the domain irs-doc[.]com or gov-irs216[.]net. If pasted in the browser, the URL led to the download of IRS-doc.msi, which was either the RMM tool ScreenConnect or SimpleHelp, depending on the day of the campaign. SimpleHelp is another legitimate remote monitoring and management tool abused by threat actors. While not as popular as ScreenConnect, threat actors have been increasingly adopting SimpleHelp due to the recent crackdown on abuse of ScreenConnect by ConnectWise.

Campaign targeting CPAs and delivering Datto

Like in previous tax seasons, Microsoft Threat Intelligence observed email campaigns specifically targeting accountants and related organizations. A variant of this campaign is a well-known and documented technique that uses benign conversation starters. The threat actor reaches out asking for assistance in filing taxes, asking for a quote, and typically providing a backstory. If the actor receives a reply, they send a malicious link that leads to the installation of various RATs. However, Microsoft Threat Intelligence also observed campaigns targeting CPAs that contain a similar backstory but include the malicious link in the first email.

One such campaign was sent on March 9 and consisted of approximately 1,000 emails sent to users exclusively in the United States. The emails targeted multiple accounting companies but also included a few related industries such as financial services, legal, and insurance. The emails used the subject “REQUEST FOR PROFESSIONAL TAX FILLING”.

The email provided a backstory that included a description of a complex tax return situation involving tax audit, university tuition, loan interest, and real estate income. The sender also attempted to explain their inability to physically visit the office due to travel. Finally, the sender asked for a price quote. We observed variations of the backstory on different days, including switching CPAs due to fee increases.

The link in email used the free site hosting service carrd[.]co. The site contained a simple “VIEW DOCUMENTS” button that linked to a URL shortener service, which redirected users to private-adobe-client[.]im. This uncomplicated redirection chain served to hinder automated detection by using legitimate sites with good reputation and involving user interaction. The final landing page served an executable related to the Datto. Datto is yet another legitimate remote monitoring and management tool, abused by threat actors.

IRS-themed campaign targeting accounting professionals and dropping ScreenConnect

On February 10, 2026, Microsoft Threat Intelligence observed a large-scale phishing campaign sent to more than 29,000 users across 10,000 organizations, almost exclusively focused on targets in the United States (95% of targets). The campaign did not concentrate on any single sector but instead included a wide set of industries, with financial services (19%), technology and software (18%), and retail and consumer goods (15%) being the most commonly targeted.

While the campaign did not seem to have been targeting a specific industry, an analysis of intended recipients indicated that the campaign was targeting specific roles, particularly accountants and tax preparers. Messages in the campaign were sent in two waves over a nine‑hour window between 10:35 UTC and 19:51 UTC.  

The emails impersonated the IRS, claiming that potentially irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number (EFIN). Recipients were instructed to review these returns by downloading a purportedly legitimate “IRS Transcript Viewer.”

The emails were sent through Amazon Simple Email Service (SES) from one of two sender addresses on edud[.]site, a domain registered in August 2025. To enhance credibility, the sender display name rotated among the following 14 IRS‑themed identities:

• IRS e-File Services
• IRS EFIN Team
• IRS EFIN Compliance
• IRS e-Services
• IRS E-File Operations
• IRS Filing Review
• IRS Filing Support
• IRS EFIN Support
• IRS e-Services Team
• IRS e-File Support
• IRS EFIN Review
• IRS e-File Compliance
• IRS e-Services Support
• IRS Practitioner e-Services

Similarly, the subject lines used in the campaign also rotated, presumably to try and circumvent detection systems that rely on static text signatures. The most common among the 49 email subjects we observed in this campaign include:

• IRS Request Transcript Review
• IRS Notice Firm Return Review
• CPA Compliance Review
• IRS Support Firm Filing Review
• Review Requested Compliance

The emails contained a “Download IRS Transcript View 5.1” button, which purported to lead to a legitimate IRS application that could be used to review the transcript referenced in the email. Instead, the link pointed to an Amazon SES click‑tracking URL (awstrack[.]me), which then redirected to smartvault[.]im, a malicious look‑alike domain mimicking SmartVault, a well‑known tax and document‑management service used by accounting professionals. To evade automated analysis, the phishing site used Cloudflare for bot detection and blocking. Only visitors who resembled human users would be able to reach the final phishing payload, while traffic from crawlers and sandboxes would result in a block page.

Users who passed the bot check would be shown a fake “verification” animation that indicated the IRS website was conducting an automated check to verify the connection with IRS provider services. After this animation, a user would be shown a page indicating that the supposed transcript viewer application would start downloading automatically before being redirected to the legitimate IRS provider services webpage. The downloaded file, named TranscriptViewer5.1.exe, was not a legitimate IRS tool but a maliciously repackaged ScreenConnect remote access tool (RAT). Upon execution, this payload could grant attackers remote control of the victim system, enabling data theft, credential harvesting, and further post‑exploitation activity.

How to protect users and organization against tax-themed campaigns

To defend against social engineering campaigns that leverage the surge in email activity during Tax Season, Microsoft recommends the following mitigation measures:

• Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully.
• Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
• Use the Microsoft Authenticator app for passkeys and MFA, and complement MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals.
• Conditional access policies can also be scoped to strengthen privileged accounts with phishing resistant MFA.
• Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Configure Microsoft Defender for Office 365 Safe Links to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
• Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers like Microsoft Edge that automatically identify and block malicious websites, including those used in this phishing campaign, and solutions that detect and block malicious emails, links, and files.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.

Microsoft Defender detection and hunting guidance

Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Microsoft Security Copilot

Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.

Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:

• Threat Intelligence Briefing agent
• Phishing Triage agent
• Threat Hunting agent
• Dynamic Threat Detection agent

Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:

• Threat Overview Profile: On-premises credential theft
• Technique Profile: Abuse of remote monitoring and management tools

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following advanced hunting queries to find related activity in their networks:

Find email messages related to known domains

The following query checks domains in Defender XDR email data:

EmailUrlInfo  
| where UrlDomain has_any ("taxationstatments2025.com", "irs-doc.com", "gov-irs216.net", "private-adobe-client.im", "edud.site", "smartvault.im")

Detect file hash indicators in email data

The following query checks hashes related to identified phishing activity in Defender XDR data:

let File_Hashes_SHA256 = dynamic([
"45b6b4db1be6698c29ffde9daeb8ffaa344b687d3badded2f8c68c922cdce6e0", "d422f6f5310af1e72f6113a2a592916f58e3871c58d0e46f058d4b669a3a0fd8"]);
DeviceFileEvents
| where SHA256 has_any (File_Hashes_SHA256)

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

The following queries use Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Detect network IP and domain indicators of compromise using ASIM

The following query checks IP addresses and domain IOCs across data sources supported by ASIM network session parser:

//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic([]);
let ioc_domains = dynamic(["taxationstatments2025.com", "irs-doc.com", "gov-irs216.net", "private-adobe-client.im"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Detect Web Sessions IP and file hash indicators of compromise using ASIM

The following query checks IP addresses, domains, and file hash IOCs across data sources supported by ASIM web session parser:

//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic([]);
let ioc_sha_hashes =dynamic(["45b6b4db1be6698c29ffde9daeb8ffaa344b687d3badded2f8c68c922cdce6e0"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Detect domain and URL indicators of compromise using ASIM

The following query checks domain and URL IOCs across data sources supported by ASIM web session parser:

// file hash list - imFileEvent
// Domain list - _Im_WebSession
let ioc_domains = dynamic(["taxationstatments2025.com", "irs-doc.com", "gov-irs216.net", "private-adobe-client.im"]);
_Im_WebSession (url_has_any = ioc_domains)

Detect files hashes indicators of compromise using ASIM

The following query checks IP addresses and file hash IOCs across data sources supported by ASIM file event parser:

// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["45b6b4db1be6698c29ffde9daeb8ffaa344b687d3badded2f8c68c922cdce6e0"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or
TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'')[1]), 
  AccountNTDomain = tostring(split(User, @'')[0])
| extend AlgorithmType = "SHA256"

Indicators of compromise

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threuat Intelligence podcast.

The post When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures appeared first on Microsoft Security Blog.

In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning. The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials. Microsoft Threat Intelligence attributes this activity to the cybercriminal threat actor Storm-2561.

Active since May 2025, Storm-2561 is known for distributing malware through SEO poisoning and impersonating popular software vendors. The techniques they used in this campaign highlight how threat actors continue to exploit trusted platforms and software branding to avoid user suspicion and steal sensitive information. By targeting users who are actively searching for enterprise VPN software, attackers take advantage of both user urgency and implicit trust in search engine rankings. The malicious ZIP files that contain fake installer files are hosted on GitHub repositories, which have since been taken down. Additionally, the trojans are digitally signed by a legitimate certificate that has since been revoked.

In this blog, we share our in-depth analysis of the tactics, techniques, and procedures (TTPs) and indicators of compromise in this Storm-2561 campaign, highlighting the social engineering techniques that the threat actor used to improve perceived legitimacy, avoid suspicion, and evade detection. We also share protection and mitigation recommendations, as well as Microsoft Defender detection and hunting guidance.

From search to stolen credentials: Storm-2561 attack chain

In this campaign, users searching for legitimate VPN software are redirected from search results to spoofed websites that closely mimic trusted VPN products but instead deploy malware designed to harvest credentials and VPN data. When users click to download the software, they are redirected to a malicious GitHub repository (no longer available) that hosts the fake VPN client for direct download.

The GitHub repo hosts a ZIP file containing a Microsoft Windows Installer (MSI) installer file that mimics a legitimate VPN software and side-loads malicious dynamic link library (DLL) files during installation. The fake VPN software enables credential collection and exfiltration while appearing like a benign VPN client application.

This campaign exhibits characteristics consistent with financially motivated cybercrime operations employed by Storm-2561. The malicious components are digitally signed by “Taiyuan Lihua Near Information Technology Co., Ltd.”

Initial access and execution

The initial access vector relies on abusing SEO to push malicious websites to the top of search results for queries such as “Pulse VPN download” or “Pulse Secure client,” but Microsoft has observed spoofing of various VPN software brands and has observed the GitHub link at the following two domains: vpn-fortinet[.]com and ivanti-vpn[.]org.

Once the user lands on the malicious website and clicks to download the software, the malware is delivered through a ZIP download hosted at hxxps[:]//github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip. At the time of this report, this repository is no longer active.

When the user launches the malicious MSI masquerading as a legitimate Pulse Secure VPN installer embedded within the downloaded ZIP file, the MSI file installs Pulse.exe along with malicious DLL files to a directory structure that closely resembles a real Pulse Secure installation path: %CommonFiles%\Pulse Secure. This installation path blends in with legitimate VPN software to appear trustworthy and avoid raising user suspicion.

Alongside the primary application, the installer drops malicious DLLs, dwmapi.dll and inspector.dll, into the Pulse Secure directory. The dwmapi.dll file is an in-memory loader that drops and launches an embedded shellcode payload that loads and launches the inspector.dll file, a variant of the infostealer Hyrax. The Hyrax infostealer extracts URI and VPN sign-in credentials before exfiltrating them to attacker-controlled command-and-control (C2) infrastructure.

Code signing abuse

The MSI file and the malicious DLLs are signed with a valid digital certificate, which is now revoked, from Taiyuan Lihua Near Information Technology Co., Ltd. This abuse of code signing serves multiple purposes:

• Bypasses default Windows security warnings for unsigned code
• Might bypass application whitelisting policies that trust signed binaries
• Reduces security tool alerts focused on unsigned malware
• Provides false legitimacy to the installation process

Microsoft identified several other files signed with the same certificates. These files also masqueraded as VPN software. These IOCs are included in the below.

Credential theft

The fake VPN client presents a graphical user interface that closely mimics the legitimate VPN client, prompting the user to enter their credentials. Rather than establishing a VPN connection, the application captures the credentials entered and exfiltrates them to attacker-controlled C2 infrastructure (194.76.226[.]93:8080). This approach relies on visual deception and immediate user interaction, allowing attackers to harvest credentials as soon as the target attempts to sign in. The credential theft operation follows the below structured sequence:

• UI presentation: A fake VPN sign-in dialog is displayed to the user, closely resembling the legitimate Pulse Secure client.
• Error display: After credentials are submitted, a fake error message is shown to the user.
• Redirection: The user is instructed to download and install the legitimate Pulse Secure VPN client.
• Access to stored VPN data: The inspector.dll component accesses stored VPN configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat.
• Data exfiltration: Stolen credentials and VPN configuration data are transmitted to attacker-controlled infrastructure.

Persistence

To maintain access, the MSI malware establishes persistence during installation through the Windows RunOnce registry key, adding the Pulse.exe malware to run when the device reboots.

Defense evasion

One of the most sophisticated aspects of this campaign is the post-credential theft redirection strategy. After successfully capturing user credentials, the malicious application conducts the following actions:

• Displays a convincing error message indicating installation failure
• Provides instructions to download the legitimate Pulse VPN client from official sources
• In certain instances, opens the user’s browser to the legitimate VPN website

If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user. Users are likely to attribute the initial installation failure to technical issues, not malware.

Defending against credential theft campaigns

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants. 
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. 
• Enable network protection in Microsoft Defender for Endpoint. 
• Turn on web protection in Microsoft Defender for Endpoint. 
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. 
• Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times. 
• Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in browser on managed devices using Group Policy. 
• Turn on the following attack surface reduction rule to block or audit activity associated with this threat:
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 

Microsoft Defender detection and hunting guidance

Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Microsoft Security Copilot

Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.

Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:

• Threat Intelligence Briefing agent
• Phishing Triage agent
• Threat Hunting agent
• Dynamic Threat Detection agent

Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

• Actor Profile: Storm-2561
• Activity Profile: Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR customers can run the following advanced hunting queries to find related activity in their networks:

Files signed by Taiyuan Lihua Near Information Technology Co., Ltd.

Look for files signed with Taiyuan Lihua Near Information Technology Co., Ltd. signer.

let a = DeviceFileCertificateInfo
| where Signer == "Taiyuan Lihua Near Information Technology Co., Ltd."
| distinct SHA1;
DeviceProcessEvents
| where SHA1 in(a)

Identify suspicious DLLs in Pulse Secure folder

Identify launching of malicious DLL files in folders masquerading as Pulse Secure.

DeviceImageLoadEvents
| where FolderPath contains "Pulse Secure" and FolderPath contains "Program Files" and (FolderPath contains "\\JUNS\\" or FolderPath contains "\\JAMUI\\")
| where FileName has_any("inspector.dll","dwmapi.dll")

Indicators of compromise

References

• SEO Poisoning Targets Ivanti VPN: Credential Theft Alert (Zscaler)
• Storm-2561 distributes trojanized SonicWall NetExtender SilentRoute (Microsoft)
• A Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign (Cyjax)

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft appeared first on Microsoft Security Blog.

In today’s evolving cyber threat landscape, threat actors are committed to advancing the sophistication of their attacks. The increasing adoption of essential security features like multifactor authentication (MFA), passwordless solutions, and robust email protections has changed many aspects of the phishing landscape, and threat actors are more motivated than ever to acquire credentials—particularly for enterprise cloud environments. Despite these evolutions, social engineering—the technique of convincing or deceiving users into downloading malware, directly divulging credentials, or more—remains a key aspect of phishing attacks.

Implementing phishing-resistant and passwordless solutions, such as passkeys, can help organizations improve their security stance against advanced phishing attacks. Microsoft is dedicated to enhancing protections against phishing attacks and making it more challenging for threat actors to exploit human vulnerabilities. In this blog, I’ll cover techniques that Microsoft has observed threat actors use for phishing and social engineering attacks that aim to compromise cloud identities. I’ll also share what organizations can do to defend themselves against this constant threat.

While the examples in this blog do not represent the full range of phishing and social engineering attacks being leveraged against enterprises today, they demonstrate several efficient techniques of threat actors tracked by Microsoft Threat Intelligence. Understanding these techniques and hardening your organization with the guidance included here will help contribute to a significant part of your defense-in-depth approach.

Pre-compromise techniques for stealing identities

Modern phishing techniques attempt to defeat authentication flows

Adversary-in-the-middle (AiTM)

Today’s authentication methods have changed the phishing landscape. The most prevalent example is the increase in adversary-in-the-middle (AiTM) credential phishing as the adoption of MFA grows. The phish kits available from phishing-as-a-service (PhaaS) platforms has further increased the impact of AiTM threats; the Evilginx phish kit, for example, has been used by multiple threat actors in the past year, from the prolific phishing operator Storm-0485 to the Russian espionage actor Star Blizzard.

Evilginx is an open-source framework that provides AiTM capabilities by deploying a proxy server between a target user and the website that the user wishes to visit (which the threat actor impersonates). Microsoft tracked Storm-0485 directing targets to Evilginx infrastructure using lures with themes such as payment remittance, shared documents, and fake LinkedIn account verifications, all designed to prompt a quick response from the recipient. Storm-0485 also consistently uses evasion tactics, notably passing initial links through obfuscated Google Accelerated Mobile Pages (AMP) URLs to make links harder to identify as malicious.

To protect against AiTM attacks, consider complementing MFA with risk-based Conditional Access policies, available in Microsoft Entra ID Protection, where sign-in requests are evaluated using additional identity-driven signals like IP address location information or device status, among others. These policies use real-time and offline detections to assess the risk level of sign-in attempts and user activities. This dynamic evaluation helps mitigate risks associated with token replay and session hijacking attempts common in AiTM phishing campaigns.

Additionally, consider implementing Zero Trust network security solutions, such as Global Secure Access which provides a unified pane of glass for secure access management of networks, identities, and endpoints.

Device code phishing

Device code phishing is a relatively new technique that has been incorporated by multiple threat actors into their attacks. In device code phishing, threat actors like Storm-2372 exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts. Storm-1249, a China-based espionage actor, typically uses generic phishing lures—with topics like taxes, civil service, and even book pre-orders—to target high-level officials at organizations of interest. Microsoft has also observed device code phishing being used for post-compromise activity, which are discussed more in the next sections.

At Microsoft, we strongly encourage organizations to block device code flow where possible; if needed, configure Microsoft Entra ID’s device code flow in your Conditional Access policies.

OAuth consent phishing

Another modern phishing technique is OAuth consent phishing, where threat actors employ the Open Authorization (OAuth) protocol and send emails with a malicious consent link for a third-party application. Once the target clicks the link and authorizes the application, the threat actor gains access tokens with the requested scopes and refresh tokens for persistent access to the compromised account. In one OAuth consent phishing campaign recently identified by Microsoft, even if a user declines the requested app permissions (by clicking Cancel on the prompt), the user is still sent to the app’s reply URL, and from there redirected to an AiTM domain for a second phishing attempt.

You can prevent employees from providing consent to specific apps or categories of apps that are not approved by your organization by configuring app consent policies to restrict user consent operations. For example, configure policies to allow user consent only to apps requesting low-risk permissions with verified publishers, or apps registered within your tenant.

Device join phishing

Finally, it’s worth highlighting recent device join phishing operations, where threat actors use a phishing link to trick targets into authorizing the domain-join of an actor-controlled device. Since April 2025, Microsoft has observed suspected Russian-linked threat actors using third-party application messages or emails referencing upcoming meeting invitations to deliver a malicious link containing valid authorization code. When clicked, the link returns a token for the Device Registration Service, allowing registration of the threat actor’s device to the tenant. You can harden against this type of phishing attack by requiring authentication strength for device registration in your environment.

Lures remain an effective phishing weapon

While both end users and automated security measures have become more capable at identifying malicious phishing attachments and links, motivated threat actors continue to rely on exploiting human behavior with convincing lures. As these attacks hinge on deceiving users, user training and awareness of commonly identified social engineering techniques are key to defending against them.

Impersonation lures

One of the most effective ways Microsoft has observed threat actors deliver lures is by impersonating people familiar to the target or using malicious infrastructure spoofing legitimate enterprise resources. In the last year, Star Blizzard has shifted from primarily using weaponized document attachments in emails to spear phishing with a malicious link leading to an AiTM page to target the government, non-governmental organizations (NGO), and academic sectors. The threat actor’s highly personalized emails impersonate individuals from whom the target would reasonably expect to receive emails, including known political and diplomatic figures, making the target more likely to be deceived by the phishing attempt.

QR codes

We have seen threat actors regularly iterating on the types of lure links incorporated into their attacks to make social engineering more effective. As QR codes have become a ubiquitous feature in communications, threat actors have adopted their use as well. For example, over the past two years, Microsoft has seen multiple actors incorporate QR codes, encoded with links to AiTM phishing pages, into opportunistic tax-themed phishing campaigns.

The threat actor Star Blizzard has even leveraged nonfunctional QR codes as a part of a spear-phishing campaign offering target users an opportunity to join a WhatsApp group: the initial spear-phishing email contained a broken QR code to encourage the targeted users to contact the threat actor. Star Blizzard’s follow-on email included a URL that redirected to a webpage with a legitimate QR code, used by WhatsApp for linking a device to a user’s account, giving the actor access to the user’s WhatsApp account.

Use of AI

Threat actors are increasingly leveraging AI to enhance the quality and volume of phishing lures. As AI tools become more accessible, these actors are using them to craft more convincing and sophisticated lures. In a collaboration with OpenAI, Microsoft Threat Intelligence has seen threat actors such as Emerald Sleet and Crimson Sandstorm interacting with large language models (LLMs) to support social engineering operations. This includes activities such as drafting phishing emails and generating content likely intended for spear-phishing campaigns.

We have also seen suspected use of generative AI to craft messages in a large-scale credential phishing campaign against the hospitality industry, based on the variations of language used across identified samples. The initial email contains a request for information designed to elicit a response from the target and is then followed by a more generic phishing email containing a lure link to an AiTM phishing site.

AI helps eliminate the common grammar mistakes and awkward phrasing that once made phishing attempts easier to spot. As a result, today’s phishing lures are more polished and harder for users to detect, increasing the likelihood of successful compromise. This evolution underscores the importance of securing identities in addition to user awareness training.

Phishing risks continue to expand beyond email

Enterprise communication methods have diversified to support distributed workforce and business operations, so phishing has expanded well beyond email messages. Microsoft has seen multiple threat actors abusing enterprise communication applications to deliver phishing messages, and we’ve also observed continued interest by threat actors to leverage non-enterprise applications and social media sites to reach targets.

Teams phishing

Microsoft Threat Intelligence has been closely tracking and responding to the abuse of the Microsoft Teams platform in phishing attacks and has taken action against confirmed malicious tenants by blocking their ability to send messages. The cybercrime access broker Storm-1674, for example, creates fraudulent tenants to create Teams meetings to send chat messages to potential victims using the meeting’s chat functionality; more recently, since November 2024, the threat actor has started compromising tenants and directly calling users over Teams to phish for credentials as well. Businesses can follow our security best practices for Microsoft Teams to further defend against attacks from external tenants.

Leveraging social media

Outside of business-managed applications, employees’ activity on social media sites and third-party communication platforms has widened the digital footprint for phishing attacks. For instance, while the Iranian threat actor Mint Sandstorm primarily uses spear-phishing emails, they have also sent phishing links to targets on social media sites, including Facebook and LinkedIn, to target high-profile individuals in government and politics. Mint Sandstorm, like many threat actors, also customizes and enhances their phishing messages by gathering publicly available information, such as personal email addresses and contacts, of their targets on social media platforms. Global Secure Access (GSA) is one solution that can reduce this type of phishing activity and manage access to social media sites on company-owned devices.

Post-compromise identity attacks

In addition to using phishing techniques for initial access, in some cases threat actors leverage the identity acquired from their first-stage phishing attack to launch subsequent phishing attacks. These follow-on phishing activities enable threat actors to move laterally within an organization, maintain persistence across multiple identities, and potentially acquire access to a more privileged account or to a third-party organization.

You can harden your environment against internal phishing activity by configuring the Microsoft Defender for Office 365 Safe Links policy to apply to internal recipients as well as by educating users to be wary of unsolicited documents and to report suspected phishing messages.

AiTM phishing crafted using legitimate company resources

Storm-0539, a threat actor that persistently targets the retail industry for gift card fraud, uses their initial access to a compromised identity to acquire legitimate emails—such as help desk tickets—that serve as templates for phishing emails. The crafted emails contain links directing users to AiTM phishing pages that mimic the federated identity service provider of the compromised organization. Because the emails resemble the organization’s legitimate messages, lead to convincing AiTM landing pages, and are sent from an internal account, they could be highly convincing. In this way, Storm-0539 moves laterally, seeking an identity with access to key cloud resources.

Intra-organization device code phishing

In addition to their use of device code phishing for initial access, Storm-2372 also leverages this technique in their lateral movement operations. The threat actor uses compromised accounts to send out internal emails with subjects such as “Document to review” and containing a device code authentication phishing payload. Because of the way device code authentication works, the payloads only work for 15 minutes, so Microsoft has seen multiple waves of post-compromise phishing attacks as the threat actor searches for additional credentials.

Defending against credential phishing and social engineering

Defending against phishing attacks begins at the primary gateways: email and other communication platforms. Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365, or the equivalent for your email security solution, to ensure your organization has established essential defenses and knows how to monitor and respond to threat activity.

A holistic security posture for phishing must also account for the human aspect of social engineering. Investing in user awareness training and phishing simulations is critical for arming employees with the needed knowledge to defend against tried-and-true social engineering methods. Training can also help when threat actors inevitably refine and improve their techniques. Attack simulation training in Microsoft Defender for Office 365, which also includes simulating phishing messages in Microsoft Teams, is one approach to running realistic attack scenarios in your organization.

Hardening credentials and cloud identities is also necessary to defend against phishing attacks. By implementing the principles of least privilege and Zero Trust, you can significantly slow down determined threat actors who may have been able to gain initial access and buy time for defenders to respond. To get started, follow our steps to configure Microsoft Entra with increased security.

As part of hardening cloud identities, authentication using passwordless solutions like passkeys is essential, and implementing MFA remains a core pillar in identity security. Use the Microsoft Authenticator app for passkeys and MFA, and complement MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals. Conditional access policies can also be scoped to strengthen privileged accounts with phishing resistant MFA. Your passkey and MFA policy can be further secured by only allowing MFA and passkey registrations from trusted locations and devices.

Finally, a Security Service Edge solution like Global Secure Access (GSA) provides identity-focused secure network access. GSA can help to secure access to any app or resource using network, identity, and endpoint access controls.

Among Microsoft Incident Response cases over the past year where we identified the initial access vector, almost a quarter incorporated phishing or social engineering. To achieve phishing resistance and limit the opportunity to exploit human behavior, begin planning for passkey rollouts in your organization today, and  at a minimum, prioritize phishing-resistant MFA for privileged accounts as you evaluate the effect of this security measure on your wider organization. In the meantime, use the other defense-in-depth approaches I’ve recommended in this blog to defend against phishing and social engineering attacks.

Stay vigilant and prioritize your security at every step.

Recommendations

Several recommendations were made throughout this blog to address some of the specific techniques being used by threat actors tracked by Microsoft, along with essential practices for securing identities. Here is a consolidated list for your security team to evaluate.

• Configure Microsoft Entra with increased security.
• Use the Microsoft Authenticator app for passkeys and MFA.
• Strengthen privileged accounts with phishing resistant MFA.
• Complement MFA with risk-based Conditional Access policies, where sign-in requests are evaluated using additional identity-driven signals like IP address location information or device status, among others. Implementing Microsoft Entra ID Protection with these policies can automatically block or challenge access based on indicators like unfamiliar sign-in patterns or potential token theft attempts. When combined with Global Secure Access (GSA), organizations can extend this protection by enforcing Conditional Access decisions at the network layer to help secure access to any app or resource.
• Only allowing MFA and passkey registrations from trusted locations and devices.
• Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365.
• Use attack simulation training in Microsoft Defender for Office 365, which also includes simulating phishing messages in Microsoft Teams, to run realistic attack scenarios in your organization for educating users.
• Use Global Secure Access to secure access to any app or resource using network, identity, and endpoint access controls.
• Block device code flow where possible; if needed, configure Microsoft Entra ID’s device code flow in your Conditional Access policies.
• Configure app consent policies to restrict user consent operations. For example, configure policies to allow user consent only to apps requesting low-risk permissions with verified publishers, or apps registered within your tenant.
• Require authentication strength for device registration in your environment.
• Follow our security best practices for Microsoft Teams.
• Configure the Microsoft Defender for Office 365 Safe Links policy to apply to internal recipients.

At Microsoft, we are accelerating security with our work on the Secure by Default framework. Specific Microsoft-managed policies are enabled for every new tenant and raise your security posture with security defaults that provide a baseline of protection for Entra ID and resources like Office 365.

Learn more  

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog. 

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. 

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast. 

The post Defending against evolving identity attack techniques appeared first on Microsoft Security Blog.

Lumma Stealer (also known as LummaC2) is a malware as a service (MaaS) offering that is capable of stealing data from various browsers and applications such as cryptocurrency wallets and installing other malware. Microsoft Threat Intelligence tracks the threat actor who developed and maintains the Lumma malware, command-and-control (C2) infrastructure, and the Lumma MaaS as Storm-2477. Affiliates who pay Storm-2477 for the service and operate their own Lumma campaigns access a panel to build the malware binary and manage the C2 communications and stolen information. We have observed ransomware threat actors like Octo Tempest, Storm-1607, Storm-1113, and Storm-1674 using Lumma Stealer in campaigns.

Unlike earlier infostealers that relied heavily on bulk spam or exploits, Lumma Stealer exemplifies a shift toward multi-vector delivery strategies. Its operators demonstrate resourcefulness and proficiency in impersonation tactics. The Lumma Stealer distribution infrastructure is flexible and adaptable. Operators continually refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity. This dynamic structure enables operators to maximize the success of campaigns while complicating efforts to trace or dismantle their activities.

The growth and resilience of Lumma Stealer highlights the broader evolution of cybercrime and underscores the need for layered defenses and industry collaboration to counter threats. In this blog post, we share our analysis of Lumma Stealer and its infrastructure and provide guidance on how users and organizations can protect themselves from this threat. Microsoft remains committed to sharing insights, developing protections, and working with partners across industries to disrupt malicious ecosystems and safeguard users worldwide.

Lumma Stealer delivery techniques

Lumma Stealer leverages a broad and evolving set of delivery vectors. Campaigns often combine multiple techniques, dynamically adapting to evade detection and increase infection success rates. Delivery infrastructure is designed to be ephemeral, shifting rapidly across domains, platforms, and geographies to avoid takedowns.

• Phishing emails: Lumma Stealer emails impersonate known brands and services to deliver links or attachments. These campaigns involve expertly crafted emails designed to evoke urgency, often masquerading as urgent hotel reservation confirmations or pending cancellations. The emails lead victims to cloned websites or malicious servers that deploy the Lumma payload to the targets’ environment.

• Malvertising: Threat actors inject fake advertisements into search engine results, targeting software-related queries such as “Notepad++ download” or “Chrome update.” Clicking these poisoned links leads users to cloned websites that closely mimic legitimate vendors but instead deliver the Lumma Stealer.
• Drive-by download on compromised websites: Threat actors were observed compromising groups of legitimate websites, typically through a particular vulnerability or misconfiguration. They modify site content by inserting malicious JavaScript. The JavaScript runs when sites are visited by unsuspecting users, leading to delivery of a payload, intermediary script, or displaying further lures to convince users to perform an action.
• Trojanized applications: In many campaigns, cracked or pirated versions of legitimate applications are bundled with Lumma binaries and distributed through file-sharing platforms. These modified installers often contain no visible payload during installation, executing the malware silently post-launch.
• Abuse of legitimate services and ClickFix: Public repositories like GitHub are abused and populated with scripts and binaries, often disguised as tools or utilities. A particularly deceptive method involves fake CAPTCHA pages, commonly observed in the ClickFix ecosystem. Targets are instructed to copy malicious commands into their system’s Run utility under the pretense of passing a verification check. These commands often download and execute Lumma directly in memory, using Base64 encoding and stealthy delivery chains.
• Dropped by other malware: Microsoft Threat Intelligence observed other loaders and malware such as DanaBot delivering Lumma Stealer as an additional payload.

All these mechanisms reflect threat actor behavior that prioritizes abuse of user trust, manipulation of legitimate infrastructure, and multi-layered distribution chains designed to evade both technical and human defenses. The following sections discuss some examples of campaigns where the mentioned distribution methods were used to deliver Lumma Stealer.

Drive-by download campaign leveraging EtherHiding and ClickFix to deliver Lumma

In early April 2025, Microsoft observed a cluster of compromised websites leveraging EtherHiding and ClickFix techniques to install Lumma Stealer. EtherHiding is a technique that involves leveraging smart contracts on blockchain platforms like Binance Smart Chain (BSC) to host parts of malicious code. Traditional methods of blocking malicious code, such as IP or domain blocking or content-based detections, are less effective against EtherHiding because the code is embedded in the blockchain. Meanwhile, in the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware.

In this campaign, the JavaScript injected into compromised websites directly contacted BSC to retrieve the ClickFix code and lure, which was then presented to the target. Users needed to click the “I’m not a robot” prompt, at which point a command was copied into their clipboard. Users were then instructed to paste and launch this command via the Windows Run prompt. The command downloaded and initiated further code using mshta from check.foquh[.]icu.

Email campaign targeting organizations in Canada to deliver Lumma Stealer

On April 7, 2025, Microsoft Threat Intelligence observed an email campaign consisting of thousands of emails targeting organizations in Canada. The emails used invoice lures for a fitness plan or an online education platform. The emails’ subject lines were personalized to include recipient-specific details such as “Invoice for [recipient email]”. Notably, the attack chain utilized multiple tools available for purchase on underground forums for traffic filtering and social engineering.

The emails contained URLs leading to the Prometheus traffic direction system (TDS) hosted on numerous compromised sites. The TDS in turn, redirected users to the attacker-controlled website binadata[.]com that hosted the ClickFix social engineering framework. Like the previous campaign, targets were instructed to click a “I’m not a robot” prompt and run malicious code via a multi-step process. The malicious code was an mshta command that downloaded and executed JavaScript from the IP address 185.147.125[.]174. The JavaScript ran a PowerShell command that downloaded more PowerShell code, which finally downloaded and launched a Lumma Stealer executable. Notably, Xworm malware was also bundled into this executable.

Lumma Stealer malware analysis

The core Lumma Stealer malware is written in a combination of C++ and ASM. The malware author designed it as a MaaS offering. Threat actors can access the panel to build the malware binary and manage the C2 communications and stolen information. The core binary is obfuscated with advanced protection such as low-level virtual machine (LLVM core), Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack decryption, huge stack variables, and dead codes, among others. These techniques are implemented on the critical functions to make static analysis difficult, as these can cause tools like Hex-Rays’ IDA fail to produce equivalent decompiled codes. In addition, most of the critical APIs are implemented via low-level syscalls and Heavens Gate Technology.

Lumma Stealer is designed to steal from browsers based on Chromium and Mozilla technology, including Microsoft Edge. In addition, it has the capability to install other malware or plugins, including Clipboard stealer plugin and coin miners, either by downloading to disk or directly in memory.

Process injection and process hollowing

Lumma loader may use process hollowing to inject its malicious payload into legitimate system processes like msbuild.exe, regasm.exe, regsvcs.exe, and explorer.exe. This technique enables execution under the guise of a trusted binary to bypass behavioral detection and endpoint monitoring tools.

Information-stealing capabilities

Lumma Stealer targets a comprehensive set of user data using a specialized collection routine for each type of data. These capabilities have evolved over time, and Microsoft Threat Intelligence has recently observed that the instructions for the target credentials are specified in the configuration file retrieved from the active C2 server. The configuration file is divided into several parts: the “ex” section that pertains to the target list of apps for cryptocurrency wallets and extensions, and “c” sections that pertain to the list of applications and configuration details for browsers, user file’s locations, and other applications.

• Browser credentials and cookies: Lumma Stealer extracts saved passwords, session cookies, and autofill data from Chromium (including Edge), Mozilla, and Gecko-based browsers.
• Cryptocurrency wallets and extensions: Lumma Stealer actively searches for wallet files, browser extensions, and local keys associated with wallets like MetaMask, Electrum, and Exodus.
• Various applications: Lumma Stealer targets data from various virtual private networks (VPNs) (.ovpn), email clients, FTP clients, and Telegram applications.  
• User documents: Lumma Stealer harvests files found on the user profiles and other common directories, especially those with .pdf, .docx, or .rtf extensions.
• System metadata: Lumma Stealer collects host telemetry such as CPU information, OS version, system locale, and installed applications for tailoring future exploits or profiling victims.

C2 communication

Lumma Stealer maintains a robust C2 infrastructure, using a combination of hardcoded tier 1 C2s that are regularly updated and reordered, and fallback C2s hosted as Steam profiles and Telegram channels that also point to the tier 1 C2s. The Telegram C2, if available, is always checked first, while the Steam C2 is checked only when all the hardcoded C2s are not active. To further hide the real C2 servers, all the C2 servers are hidden behind the Cloudflare proxy.

While Lumma Stealer affiliates share the tier 1 C2s, there is a capability to add a personal tier 1 C2 domain for an extra cost. The diagram below shows an overview of the Lumma Stealer infrastructure. All traffic is encrypted by HTTPS.

Different types of obfuscation are applied to each set of C2 servers. For example, the hardcoded list of C2s, and including the Telegram fallback C2 URL are protected with ChaCha20 crypto, while the Steam profile fallback C2 URL is encrypted using custom stack-based crypto algorithm that can change on each version of Lumma malware.

We have identified up to six versions of Lumma Stealer, and while each of these versions focuses on improving techniques to evade antivirus detections, there are also several changes in the C2 communication protocol and formats such as the C2 domains, URI path, POST data, and others. The core Lumma malware stores the build date as part of the embedded configuration to keep track of improvements, but in our investigation, we tracked major changes using the labels “version 1” through “version 6”.

Lumma Stealer keeps track of the active C2 for sending the succeeding commands. Each command is sent to a single C2 domain that is active at that point. In addition, each C2 command contains one or more C2 parameters specified as part of the POST data as form data. The parameters are:  

• act: Indicates the C2 command. Note: This C2 parameter no longer exists in Lumma version 6.
• ver: Indicates C2 protocol version. This value is always set to 4.0 and has never changed since the first version Lumma.
• lid (for version 5 and below)/uid (for version 6): This ID identifies the Lumma client/operator and its campaign.
• j (for version 5 and below )/cid (for version 6): This is an optional field that identifies additional Lumma features.
• hwid: Indicates the unique identifier for the victim machine.
• pid: Used in SEND_MESSAGE command to identify the source of the stolen data. A value of 1, indicates it came from the Lumma core process.

The following are some of the most common Lumma Stealer C2 commands and associated parameters:

• PING / LIFE: Initial command to check if the C2 is active. Note: This command does not exist in version 6.
  • act=life
• RECEIVE_MESSAGE: Command to download the stealer’s configuration. As noted above, this contains the specifications on the list of targets.
  • version 3 and below: act=recive_message&ver=4.0&lid=[<lid_value>]&j=[<j_value>]
  • version 4 and 5: act=receive_message&ver=4.0&lid=[<lid_value>]&j=[<j_value>]
  • version 6: uid=<uid_value>&cid=[<cid_value>]
• SEND_MESSAGE: Command to send back stolen data in chunks. The C2 parameters are specified as individual section in the whole POST data. The fields included are act=send_message, hwid, pid, lid/uid, and j/cid. The act field was removed in version 6.
• GET_MESSAGE: Command to download the second configuration. This configuration contains information about the plugins and additional malware to install on the target systems. We have observed that in most cases this command will respond with valid but empty records “[]”, meaning nothing to download. So far, we have observed Lumma Stealer installing an updated version of the Clipboard stealer plugin and coin miners.
  • versions 5 and below: act=get_message&ver=4.0&lid=[<lid_value>]&j=[<j_value>]&hwid=<hwid_value>
  • version 6: uid=<uid_value>&cid=[<cid_value>]&hwid=<hwid_value>

Microsoft Digital Crimes Unit (DCU) engineered tools that identify and map the Lumma Stealer C2 infrastructure. As part of the disruption announced on May 21, Microsoft’s DCU has facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of the Lumma Stealer infrastructure.  More details of this operation are presented in the DCU disruption announcement.

Recommendations

Microsoft Threat Intelligence recommends the following mitigations to reduce the impact of this threat.

Strengthen Microsoft Defender for Endpoint configuration

• Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
• Enable network protection in Microsoft Defender for Endpoint.
• Turn on web protection.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
• Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block execution of potentially obfuscated scripts
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block process creations originating from PSExec and WMI commands
  • Block credential stealing from the Windows local security authority subsystem
  • Block use of copied or impersonated system tools

Strengthen operating environment configuration

• Require multifactor authentication (MFA). While certain attacks such as adversary-in-the-middle (AiTM) phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
• Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
• Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Encourage users to use Microsoft Edge with Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Enable Network Level Authentication for Remote Desktop Service connections.
• Enable Local Security Authority (LSA) protection to block credential stealing from the Windows local security authority subsystem.
• AppLocker can restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.

Detection details

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

• Behavior:Win32/LummaStealer
• Trojan:JS/LummaStealer
• Trojan:MSIL/LummaStealer
• Trojan:Win32/LummaStealer
• Trojan:Win64/LummaStealer
• TrojanDropper:Win32/LummaStealer
• Trojan:PowerShell/Powdow
• Trojan:Win64/Shaolaod
• Behavior:Win64/Shaolaod
• Behavior:Win32/MaleficAms
• Behavior:Win32/ClickFix
• Behavior:Win32/SuspClickFix
• Trojan:Win32/ClickFix
• Trojan:PowerShell/ClickFixObfus
• Behavior:Win32/RegRunMRU
• Trojan:HTML/FakeCaptcha
• Trojan:Script/SuspDown

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:

• Suspicious command in RunMRU registry
• Possible Lumma Stealer activity
• Information stealing malware activity
• Suspicious PowerShell command line
• Use of living-off-the-land binary to run malicious code
• Possible theft of passwords and other sensitive web browser information
• Suspicious DPAPI Activity
• Suspicious mshta process launched
• Renamed AutoIt tool
• Suspicious phishing activity detected
• Suspicious implant process from a known emerging threat
• A process was injected with potentially malicious code
• Process hollowing detected
• Suspicious PowerShell download or encoded command execution
• A process was launched on a hidden desktop

Microsoft Defender for Office 365

Microsoft Defender for Office 365 identifies and blocks malicious emails. These alerts, however, can also be triggered by unrelated threat activity:

• A potentially malicious URL click was detected
• Email messages containing malicious URL removed after delivery
• Email messages removed after delivery
• A user clicked through to a potentially malicious URL
• Suspicious email sending patterns detected
• Email reported by user as malware or phish

Defender for Office 365 also detects and blocks Prometheus TDS, EtherHiding patterns, ClickFix landing pages.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Storm-1865 phishing campaigns over vendor platforms lead to payment data theft and fraudulent charges
• Lumma Stealer
• Malvertising campaign leads to info stealers hosted on GitHub
• ClickFix technique leverages clipboard to run malicious commands

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

ClickFix commands execution

Identify ClickFix commands execution.

DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where InitiatingProcessFileName =~ "explorer.exe"
| where RegistryKey has @"\CurrentVersion\Explorer\RunMRU"
| where RegistryValueData has "✅"
        or (RegistryValueData has_any ("powershell", "mshta", "curl", "msiexec", "^")
             and RegistryValueData matches regex "[\u0400-\u04FF\u0370-\u03FF\u0590-\u05FF\u0600-\u06FF\u0E00-\u0E7F\u2C80-\u2CFF\u13A0-\u13FF\u0530-\u058F\u10A0-\u10FF\u0900-\u097F]")
        or (RegistryValueData has "mshta" and RegistryValueName !~ "MRUList" and RegistryValueData !in~ ("mshta.exe\\1", "mshta\\1"))
        or (RegistryValueData has_any ("bitsadmin", "forfiles", "ProxyCommand=") and RegistryValueName !~ "MRUList")
        or ((RegistryValueData startswith "cmd" or RegistryValueData startswith "powershell")
            and (RegistryValueData has_any ("-W Hidden ", " -eC ", "curl", "E:jscript", "ssh", "Invoke-Expression", "UtcNow", "Floor", "DownloadString", "DownloadFile", "FromBase64String",  "System.IO.Compression", "System.IO.MemoryStream", "iex", "Invoke-WebRequest", "iwr", "Get-ADDomainController", "InstallProduct", "-w h", "-X POST", "Invoke-RestMethod", "-NoP -W", ".InVOKe", "-useb", "irm ", "^", "[char]", "[scriptblock]", "-UserAgent", "UseBasicParsing", ".Content")
              or RegistryValueData matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))

DPAPI decryption via AutoIT or .NET Framework processes

Identify DPAPI decryption activity originating from AutoIT scripts .NET Framework processes.

DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
      or InitiatingProcessFolderPath has "\\windows\\microsoft.net\\framework\\"
      or InitiatingProcessFileName =~ "powershell.exe"
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where dataDesp in~ ("Google Chrome", "Microsoft Edge", "Chromium", "Opera", "Opera GX", "IMAP Password", "Brave Browser", "AVG Secure Browser") 
        and opType =~ "SPCryptUnprotect"
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType

Sensitive browser file access via AutoIT or .NET Framework processes

Identify .NET Framework processes (such as RegAsm.exe, MSBuild.exe, etc.) accessing sensitive browser files.

let browserDirs = pack_array(@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\");  
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db"); 
DeviceEvents 
| where AdditionalFields has_any ("FileOpenSource") // Filter for "File Open" events. 
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe" 
      or InitiatingProcessFolderPath has "\\windows\\microsoft.net\\framework\\" 
      or InitiatingProcessFileName =~ "powershell.exe" 
| where (AdditionalFields has_any(browserDirs) or  AdditionalFields has_any(browserSensitiveFiles))  
| extend json = parse_json(AdditionalFields) 
| extend File_Name = tostring(json.FileName.PropertyValue) 
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles)) 
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, on X (formerly Twitter) at https://x.com/MsftSecIntel, and Bluesky at https://bsky.app/profile/threatintel.microsoft.com.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer appeared first on Microsoft Security Blog.

Node.js is an open-source, cross-platform JavaScript runtime environment that allows JavaScript code to run outside of a web browser. It’s widely used and trusted by developers because it lets them build frontend and backend applications. However, threat actors are also leveraging these Node.js characteristics to try to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments.  

Among the most recent attacks we’ve observed leveraging Node.js include a malvertising campaign related to cryptocurrency trading that attempts to lure users into downloading a malicious installer disguised as legitimate software. The said campaign is still active as of April 2025. This blog provides details of its attack chain, along with an example of the emerging inline script execution technique. This blog also includes recommendations to help users and defenders reduce the impact of these attacks in their environments.

Malicious ads deliver compiled Node.js executables

Malvertising has been one of the most prevalent techniques in Node.js attacks we’ve observed in customer environments. Attackers use malvertising campaigns to lure targets to fraudulent websites, where the targets then unknowingly download a malicious installer disguised as legitimate software. These fake websites often take advantage of popular themes such as financial services, software updates, and trending applications.

In this campaign, the downloaded installer contains a malicious DLL that gathers system information and sets up a scheduled task for persistence. This sets the stage for its other techniques and activities, such as defense evasion, data collection, and payload delivery and execution.

Initial access and persistence

This campaign uses malicious ads with a cryptocurrency trading theme to lure the target user into visiting a website and downloading a malicious installer disguised as a legitimate file from cryptocurrency-trading platforms like Binance or TradingView. This installer is a Wix-built package containing a malicious CustomActions.dll. When launched, the installer loads the DLL, which then gathers basic system information through a Windows Management Instrumentation (WMI) query and creates a scheduled task to ensure persistence of a PowerShell command. Simultaneously, the DLL launches a decoy by opening an msedge_proxy window that displays a legitimate cryptocurrency trading website.

Defense evasion

The created scheduled task runs PowerShell commands designed to exclude both the PowerShell process and the current directory from being scanned by Microsoft Defender for Endpoint. This action prevents subsequent PowerShell executions from being flagged, allowing the attack to continue undisturbed.

Data collection and exfiltration

With the exclusions set, an obfuscated PowerShell command is then launched through scheduled tasks to continuously fetch and run scripts from remote URLs. These scripts gather detailed system information, including:

• Windows information: Registered owner, system root, installed software, email addresses
• BIOS information: Manufacturer, name, release date, version
• System information: Name, domain, manufacturer, model, domain membership, memory, logical processors, graphics processing units (GPUs), processors, network adapters
• Operating system information: Name, version, locale, user access control (UAC) settings, country, language, time zone, install date

All this information is structured into a nested hash table, converted into JSON format, and then sent using HTTP POST to the attacker’s command-and-control (C2) server.

Payload delivery

After the data collection activity, another PowerShell script is launched to perform the following actions:

• Download an archive file from the C2 and extract its contents, which typically include:
  • node.exe (Node.js runtime)
  • A JSC file (JavaScript compiled file)
  • Several supporting library files/modules
• Turn off proxy settings in the Windows registry
• Launch the JSC that starts the attack’s next stage

Payload execution

The Node.js executable launches the downloaded JSC file, which then performs the following routines:

• Load multiple library modules
• Establish network connections
• Add certificates to the device
• Read and possibly exfiltrate sensitive browser information

These routines might indicate follow-on malicious activities such as credential theft, evasion, or secondary payload execution, which are commonly observed in other malware campaigns leveraging Node.js.

Beyond executables: Inline script execution in Node.js

Another notable technique we’ve observed emerging from campaigns leveraging Node.js involves inline JavaScript execution. In this technique, malicious scripts are run directly through Node.js to facilitate the deployment of malware.

One observed instance of this method was through a ClickFix social engineering attack, which attempts to deceive users into executing a malicious PowerShell command. This command initiates the download and installation of multiple components, including the Node.js binary (node.exe) and additional required modules. Once all the files are in place, the PowerShell script uses the Node.js environment to execute a JavaScript code directly in the command, rather than running it from a file.

The JavaScript further conducts network discovery by executing commands to map the domain structure and identify high-value assets. It also disguises the command-and-control traffic as legitimate Cloudflare activity and gains persistence by modifying registry run keys.

Recommendations

Organizations can follow these recommendations to mitigate threats associated with Node.js misuse:                   

• Educate users. Warn them about the risks of downloading software from unverified sources. 
• Monitor Node.js execution. Flag unauthorized node.exe processes. 
• Enforce PowerShell logging. Turn on script block logging to track obfuscation. 
• Turn on endpoint protection. Ensure endpoint detection and response (EDR) or extended detection and response (XDR) solutions are actively monitoring script execution. 
• Restrict outbound C2 communications. Implement firewall rules to block suspicious domains. 

Microsoft also recommends the following mitigations to reduce the impact of this threat.

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
• Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Understand and use PowerShell’s execution policies, which control how scripts are loaded and run. Set an appropriate execution policy based on your needs. Remember that execution policy alone is not foolproof; it can be bypassed.
• Turn on and monitor PowerShell logging.
  • Turn on script block logging, module logging, and transcription. These logs provide a trail of activity and help identify malicious behavior.
  • Dive deeper into PowerShell security features.
• Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions.

Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques: 

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block execution of potentially obfuscated scripts
• Block JavaScript or VBScript from launching downloaded executable content

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Endpoint 

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.  

• Suspicious PowerShell download or encoded command execution 
• Suspicious Task Scheduler activity 
• Suspicious behavior by powershell.exe was observed 
• Node binary loading suspicious combination of libraries 
• Activity that might lead to information stealer 
• Possible theft of passwords and other sensitive web browser information 
• Suspicious DPAPI Activity 

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat Intelligence 360 report based on MDTI article

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• ClickFix and spoofed IT apps deliver RATs via Node.js over Cloudflare Quick Tunnels

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Suspicious JSC file 

DeviceProcessEvents  
| where isnotempty(DeviceId)  
| where ProcessVersionInfoOriginalFileName == 'node.exe'   
| where (ProcessCommandLine has_all (".jsc", ".js") and ProcessCommandLine matches regex @"\\\w*.jsc") 

Suspicious inline JavaScript execution 

Identify suspicious inline JavaScript 

DeviceProcessEvents  
| where isnotempty(DeviceId)  
| where ProcessVersionInfoOriginalFileName == 'node.exe'   
| where ProcessCommandLine has_all ('http', 'execSync',  'spawn', 'fs', 'path', 'zlib') 

Node.js-based infostealer activity 

Detect malicious access to sensitive credentials using Windows DPAPI 

DeviceEvents
| where isnotempty(DeviceId)
| where ActionType == "DpapiAccessed"
| where InitiatingProcessParentFileName endswith "powershell.exe"
| where InitiatingProcessFileName =~ "node.exe"
| where InitiatingProcessCommandLine  has_all ("-r", ".js") and InitiatingProcessCommandLine endswith ".jsc"
| where AdditionalFields has "SPCryptUnprotect"

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

• Scheduled Task Creation

Detect network indicators of compromise communication to C2 servers:

let selectedTimestamp = datetime(2025-04-15T00:00:00.0000000Z);
let ip = dynamic(['216.245.184.181', '212.237.217.182', '168.119.96.41']);
let url = dynamic(['sublime-forecasts-pale-scored.trycloudflare.com', 'washing-cartridges-watts-flags.trycloudflare.com', 'investigators-boxing-trademark-threatened.trycloudflare.com', 'fotos-phillips-princess-baker.trycloudflare.com', 'casting-advisors-older-invitations.trycloudflare.com', 'complement-parliamentary-chairs-hc.trycloudflare.com']);
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceInfo,DeviceNetworkEvents,DeviceNetworkInfo,DnsEvents,SecurityEvent,VMConnection,WindowsFirewall)
TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from April 15th runs the search for last 90 days, change the above selectedTimestamp or 90d accordingly.
and 
(RemoteIP in (ip) or DestinationIP in (ip) or DeviceCustomIPv6Address1 in (ip) or DeviceCustomIPv6Address2 in (ip) or DeviceCustomIPv6Address3 in (ip) or DeviceCustomIPv6Address4 in (ip) or 
MaliciousIP in (ip) or SourceIP in (ip) or PublicIP in (ip) or LocalIPType in (ip) or RemoteIPType in (ip) or IPAddresses in (ip) or IPv4Dhcp in (ip) or IPv6Dhcp in (ip) or IpAddress in (ip) or 
NASIPv4Address in (ip) or NASIPv6Address in (ip) or RemoteIpAddress in (ip) or RemoteUrl in (url))

MITRE ATT&CK tactics and techniques observed 
 

Learn more

To know how Microsoft can help your team stop similar threats and prevent future compromise with human-led managed services, check out Microsoft Defender Experts for XDR.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Threat actors misuse Node.js to deliver malware and other malicious payloads appeared first on Microsoft Security Blog.

As Tax Day approaches in the United States on April 15, Microsoft has observed several phishing campaigns using tax-related themes for social engineering to steal credentials and deploy malware. These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection. These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.

Every year, threat actors use various social engineering techniques during tax season to steal personal and financial information, which can result in identity theft and monetary loss. These threat actors craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Although these are well-known, longstanding techniques, they could still be highly effective if users and organizations don’t use advanced anti-phishing solutions and conduct user awareness and training. 

In this blog, we share details on the different campaigns observed by Microsoft in the past several months leveraging the tax season for social engineering. This also includes additional recommendations to help users and organizations defend against tax-centric threats. Microsoft Defender for Office 365 blocks and identifies the malicious emails and attachments used in the observed campaigns. Microsoft Defender for Endpoint also detects and blocks a variety of threats and malicious activities related but not limited to the tax threat landscape. Additionally, the United States Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, text messages or social media to request personal or financial information.

BruteRatel C4 and Latrodectus delivered in tax and IRS-themed phishing emails

On February 6, 2025, Microsoft observed a phishing campaign that involved several thousand emails targeting the United States. The campaign used tax-themed emails that attempted to deliver the red-teaming tool BRc4 and Latrodectus malware. Microsoft attributes this campaign to Storm-0249, an access broker active since 2021 and known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware. The following lists the details of the phishing emails used in the campaign:

Example email subjects:

• Notice: IRS Has Flagged Issues with Your Tax Filing
• Unusual Activity Detected in Your IRS Filing
• Important Action Required: IRS Audit

Example PDF attachment names:

• lrs_Verification_Form_1773.pdf
• lrs_Verification_Form_2182.pdf
• lrs_Verification_Form_222.pdf

The emails contained a PDF attachment with an embedded DoubleClick URL that redirected users to a Rebrandly URL shortening link. That link in turn redirected the browser to a landing site that displayed a fake DocuSign page hosted on a domain masquerading as DocuSign. When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor:

• If access was permitted, the user received a JavaScript file from Firebase, a platform sometimes misused by cybercriminals to host malware. If executed, this JavaScript file downloaded a Microsoft Software Installer (MSI) containing BRc4 malware, which then installed Latrodectus, a malicious tool used for further attacks.
• If access was restricted, the user received a benign PDF file from royalegroupnyc[.]com. This served as a decoy to evade detection by security systems.

Latrodectus is a loader primarily used for initial access and payload delivery. It features dynamic command-and-control (C2) configurations, anti-analysis features such as minimum process count and network adapter check, C2 check-in behavior that splits POST data between the Cookie header and POST data. Latrodectus 1.9, the malware’s latest evolution first observed in February 2025, reintroduced scheduled tasks for persistence and added the ability to run Windows commands via the command prompt.

BRc4 is an advanced adversary simulation and red-teaming framework designed to bypass modern security defenses, but it has also been exploited by threat actors for post-exploitation activities and C2 operations.

Phishing email with QR code in a PDF links to RaccoonO365 infrastructure

Between February 12 and 28, 2025, tax-themed phishing emails were sent to over 2,300 organizations, mostly in the United States in the engineering, IT, and consulting sectors. The emails had an empty body but contained a PDF attachment with a QR code and subjects indicating that the documents needed to be signed by the recipient. The QR code pointed to a hyperlink associated with a RaccoonO365 domain: shareddocumentso365cloudauthstorage[.]com. The URL included the recipient email as a query string parameter, so the PDF attachments were all unique. RaccoonO365 is a PhaaS platform that provides phishing kits that mimic Microsoft 365 sign-in pages to steal credentials. The URL was likely a phishing page used to collect the targeted user’s credentials.

The emails were sent with a variety of display names, which are the names that recipients see in their inboxes, to make the emails appear as if they came from an official source. The following display names were observed in these campaigns:

• EMPLOYEE TAX REFUND REPORT
• Project Funding Request Budget Allocation
• Insurance Payment Schedule Invoice Processing
• Client Contract Negotiation Service Agreement
• Adjustment Review Employee Compensation
• Tax Strategy Update Campaign Goals
• Team Bonus Distribution Performance Review
• proposal request
• HR|Employee Handbooks

AHKBot delivered in IRS-themed phishing emails

On February 13, 2025, Microsoft observed a campaign using an IRS-themed email that targeted users in the United States. The email’s subject was IRS Refund Eligibility Notification and the sender was jessicalee@eboxsystems[.]com.

The email contained a hyperlink that directed users to download a malicious Excel file. The link (hxxps://business.google[.]com/website_shared/launch_bw[.]html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document[.]xlsm) abused an open redirector on what appeared to be a legitimate Google Business page. It redirected users to historyofpia[.]com, which was likely compromised to host the malicious Excel file. If the user opened the Excel file, they were prompted to enable macros, and if the user enabled macros, a malicious MSI file was downloaded and run.

The MSI file contained two files. The first file, AutoNotify.exe, is a legitimate copy of the executable used to run AutoHotKey script files. The second file, AutoNotify.ahk, is an AHKBot Looper script which is a simple infinite loop that receives and runs additional AutoHotKey scripts. The AHKBot Looper was in turn observed downloading the Screenshotter module, which includes code to capture screenshots from the compromised device. Both Looper and Screenshotter used the C2 IP address 181.49.105[.]59 to receive commands and upload screenshots.

GuLoader and Remcos delivered in tax-themed phishing emails

On March 3, 2025, Microsoft observed a tax-themed phishing campaign targeting CPAs and accountants in the United States, attempting to deliver GuLoader and Remcos malware. The campaign, which consisted of less than 100 emails, began with a benign rapport-building email from a fake persona asking for tax filing services due to negligence by a previous CPA. If the recipient replied, they would then receive a second email with the malicious PDF. This technique increases the click rates on the malicious payloads due to the established rapport between attacker and recipient.

The malicious PDF attachment contained an embedded URL. If the attachment was opened and the URL clicked, a ZIP file was downloaded from Dropbox. The ZIP file contained various .lnk files set up to mimic tax documents. If launched by the user, the .lnk file uses PowerShell to download a PDF and a .bat file. The .bat file in turn downloaded the GuLoader executable, which then installed Remcos.

GuLoader is a highly evasive malware downloader that leverages encrypted shellcode, process injection, and cloud-based hosting services to deliver various payloads, including RATs and infostealers. It employs multiple anti-analysis techniques, such as sandbox detection and API obfuscation, to bypass security defenses and ensure successful payload execution.

Remcos is a RAT that provides attackers with full control over compromised systems through keylogging, screen capturing, and process manipulation while employing stealth techniques to evade detection.

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
• Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Pilot and deploy phishing-resistant authentication methods for users.
• Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
• Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites including phishing sites, scam sites, and sites that contain exploits and host malware.
• Educate users about using the browser URL navigator to validate that upon clicking a link in search results they have arrived at an expected legitimate domain.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
• Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Run endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components used in the campaigns shared in this blog as the following:

• Backdoor:Win64/BruteRatel
• Backdoor:Win32/BruteRatel
• Trojan:Win64/BruteRatel
• Trojan:Win32/BruteRatel
• Trojan:Win64/Latrodectus
• Trojan:Win32/Latrodectus
• TrojanDownloader:JS/Latrodectus
• Trojan:Win32/Remcos
• Backdoor:MSIL/Remcos
• Trojan:Win32/Guloader

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Possible Latrodectus activity
• Brute Ratel toolkit related behavior
• A file or network connection related to ransomware-linked actor Storm-0249 detected
• Suspicious phishing activity detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. These alerts, however, can be triggered by unrelated threat activity.

• A potentially malicious URL click was detected 
• Email messages containing malicious URL removed after delivery
• Email messages removed after delivery
• A user clicked through to a potentially malicious URL
• Suspicious email sending patterns detected
• Email reported by user as malware or phish

Defender for Office 365 also detects the malicious PDF attachments used in the phishing campaign launched by Storm-0249.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Latrodectus
• PhaaS RaccoonO365 campaign
• Remcos delivery through tax document lures
• Storm-0249 distributes Latrodectus in malvertising campaign
• Storm-0249
• Brute Ratel C4
• QR code phishing with adversary-in-the-middle capability

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Furthermore, listed below are some sample queries utilizing Sentinel ASIM Functions for threat hunting across both Microsoft first-party and third-party data sources.

Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:

let lookback = 7d;
let ioc_ip_addr = dynamic(["181.49.105.59 "]); 
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) 
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Hunt normalized File events using the ASIM unifying parser imFileEvent for IOCs:

let ioc_sha_hashes=dynamic(["fe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422","bb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6a","9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc",
"3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960","165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5","a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7",
"a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727","0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a","4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec","9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e"]);  
imFileEvent
  | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend AlgorithmType = "SHA256"

 Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:

let lookback = 7d;
let ioc_domains = dynamic(["slgndocline.onlxtg.com ", "cronoze.com ", "muuxxu.com ", "proliforetka.com ", "porelinofigoventa.com ", "shareddocumentso365cloudauthstorage.com", "newsbloger1.duckdns.org"]);
  _Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=ioc_domains)
 | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor  

In addition to the above, Sentinel users can also leverage the following queries, which may be relevant to the content of this blog.

•  Phishing link click observed in Network Traffic
•  Email Link Execution with Alert Correlation

Indicators of compromise

BruteRatel C4 and Lactrodectus infection chain

RaccoonO365

AHKBot

Remcos

References

• https://www.morado.io/blog-posts/understanding-raccoono365-phishing-as-a-service
• https://www.irs.gov/privacy-disclosure/report-phishing

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Threat actors leverage tax season to deploy tax-themed phishing campaigns appeared first on Microsoft Security Blog.

This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to be coming from the agency.

In the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware. This need for user interaction could allow an attack to slip through conventional and automated security features. In the case of this phishing campaign, the user is prompted to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the phishing page adds to the clipboard.

Microsoft tracks this campaign as Storm-1865, a cluster of activity related to phishing campaigns leading to payment data theft and fraudulent charges. Organizations can reduce the impact of phishing attacks by educating users on recognizing such scams. This blog includes additional recommendations to help users and defenders defend against these threats.

Phishing campaign using the ClickFix social engineering technique

In this campaign, Storm-1865 identifies target organizations in the hospitality sector and targets individuals at those organizations likely to work with Booking.com. Storm-1865 then sends a malicious email impersonating Booking.com to the targeted individual. The content of the email varies greatly, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, account verification, and more.

The email includes a link, or a PDF attachment containing one, claiming to take recipients to Booking.com. Clicking the link leads to a webpage that displays a fake CAPTCHA overlayed on a subtly visible background designed to mimic a legitimate Booking.com page. This webpage gives the illusion that Booking.com uses additional verification checks, which might give the targeted user a false sense of security and therefore increase their chances of getting compromised.

The fake CAPTCHA is where the webpage employs the ClickFix social engineering technique to download the malicious payload. This technique instructs the user to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the webpage adds to the clipboard:

The command downloads and launches malicious code through mshta.exe:

This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.

All these payloads include capabilities to steal financial data and credentials for fraudulent use, which is a hallmark of Storm-1865 activity. In 2023, Storm-1865 targeted hotel guests using Booking.com with similar social engineering techniques and malware. In 2024, Storm-1865 targeted buyers using e-commerce platforms with phishing messages leading to fraudulent payment webpages. The addition of ClickFix to this threat actor’s tactics, techniques, and procedures (TTPs) shows how Storm-1865 is evolving its attack chains to try to slip through conventional security measures against phishing and malware.

Attribution

The threat actor that Microsoft tracks as Storm-1865 encapsulates a cluster of activity conducting phishing campaigns, leading to payment data theft and fraudulent charges. These campaigns have been ongoing with increased volume since at least early 2023 and involve messages sent through vendor platforms, such as online travel agencies and e-commerce platforms, and email services, such as Gmail or iCloud Mail.

Recommendations

Users can follow the recommendations below to spot phishing activity. Organizations can reduce the impact of phishing attacks by educating users on recognizing these scams.

Check the sender’s email address to ensure it’s legitimate. Assess whether the sender is categorized as first-time, infrequent, or marked as “[External]” by your email provider. Hover over the address to ensure that the full address is legitimate. Keep in mind that legitimate organizations do not send unsolicited email messages or make unsolicited phone calls to request personal or financial information. Always navigate to those organizations directly to sign into your account.

Contact the service provider directly. If you receive a suspicious email or message, contact the service provider directly using official contact forms listed on the official website.

Be wary of urgent calls to action or threats. Remain cautious of email notifications that call to click, call, or open an attachment immediately. Phishing attacks and scams often create a false sense of urgency to trick targets into acting without first scrutinizing the message’s legitimacy.

Hover over links to observe the full URL. Sometimes, malicious links are embedded into an email to trick the recipient. Simply clicking the link could let a threat actor download malware onto your device. Before clicking a link, ensure the full URL is legitimate. For best practice, rather than following a link from an email, search for the company website directly in your browser and navigate from there.

Search for typos. Phishing emails often contain typos, including within the body of the email, indicating that the sender is not a legitimate, professional source, or within the email domain or URL, as mentioned previously. Companies rarely send out messages without proofreading content, so multiple spelling and grammar mistakes can signal a scam message. In addition, check for very subtle misspellings of legitimate domains, a technique known as typosquatting. For example, you might see micros0ft[.]com, where the second o has been replaced by 0, or rnicrosoft[.]com, where the m has been replaced by r and n.

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Pilot and deploy phishing-resistant authentication methods for users.
• Enforce multi-factor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
• Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links used in phishing and other attacks.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attack tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.

Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques:

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block execution of potentially obfuscated scripts
• Block JavaScript or VBScript from launching downloaded executable content
• Block credential stealing from the Windows local security authority subsystem

Detection details

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• TrojanDownloader:Win32/XWorm
• Trojan:Win32/XWorm
• Trojan:Win64/Xworm
• Trojan:VBS/XWorm
• Trojan:MSIL/Xworm
• Backdoor:MSIL/XWorm
• TrojanDropper:Win32/LummaStealer
• Trojan:Win64/LummaStealer
• Trojan:Win32/LummaStealer
• Trojan:MSIL/LummaStealer
• Trojan:JS/LummaStealer
• Trojan:Win32/VenomRat
• Trojan:MSIL/VenomRAT
• TrojanDropper:MSIL/AsyncRAT
• TrojanDownloader:Win64/AsyncRAT
• TrojanDownloader:VBS/AsyncRAT
• TrojanDownloader:PowerShell/AsyncRAT
• TrojanDownloader:MSIL/AsyncRAT
• Trojan:Win64/AsyncRat
• Trojan:Win32/AsyncRat
• Trojan:VBS/AsyncRAT
• Trojan:PowerShell/AsyncRAT
• Trojan:MSIL/AsyncRAT
• Trojan:JS/AsyncRat
• Trojan:BAT/AsyncRat
• RemoteAccess:MSIL/AsyncRAT
• Backdoor:MSIL/AsyncRAT
• Trojan:Win32/Danabot
• Trojan:VBS/Danabot
• Trojan:Win64/Danabot
• TrojanSpy:Win32/Danabot
• TrojanSpy:Win64/Danabot
• TrojanDownloader:VBS/Danabot
• TrojanDownloader:Win32/Danabot
• TrojanDownloader:PowerShell/NetSupport
• TrojanDownloader:JS/NetSupport
• Trojan:VBS/NetSupportRat
• TrojanDownloader:JS/NetSupportRat
• Trojan:Win32/NetSupportRat

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity:

• Suspicious command in RunMRU registry
• Suspicious PowerShell command line
• Use of living-off-the-land binary to run malicious code
• Possible theft of passwords and other sensitive web browser information
• Suspicious DPAPI Activity
• Suspicious mshta process launched
• Suspicious phishing activity detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects malicious activity associated with this threat through the following alerts:

• This URL has known registrant pattern for malicious activity.
• This URL impersonates booking.com
• This PDF has generic phishing traits.
• This URL has generic phishing traits.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Storm-1865 phishing campaigns over vendor platforms lead to payment data theft and fraudulent charges
• Danabot
• NetSupport RAT
• AsyncRAT
• Lumma stealer

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Network connections to known C2 infrastructure related to this activity

Look for network connections with known C2 infrastructure.

let c2Servers = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']);
DeviceNetworkEvents
| where RemoteIP has_any(c2Servers)
| project Timestamp, DeviceId, DeviceName, LocalIP, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:

let lookback = 30d;
let ioc_ip_addr = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']); 
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:

let lookback = 30d;
let ioc_ip_addr = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']); 
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr has_any (ioc_ip_addr)
 | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Hunt normalized File events using the ASIM unifying parser imFileEvent for IOCs:

let ioc_sha_hashes =dynamic(["01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6"," f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e ","0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d"]);  imFileEvent
  | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend AlgorithmType = "SHA256"

Indicators of compromise

References

• Booking.com Customers Hit by Phishing Campaign Delivered Via Compromised Hotels Accounts (Perception Point)
• What is XWorm Malware? (AnyRun)

Learn more

To know how Microsoft can help your team stop similar threats and prevent future compromise with human-led managed services, check out Microsoft Defender Experts for XDR.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware appeared first on Microsoft Security Blog.

GitHub was the primary platform used in the delivery of the initial access payloads and is referenced throughout this blog post; however, Microsoft Threat Intelligence also observed one payload hosted on Discord and another hosted on Dropbox.

The GitHub repositories, which were taken down, stored malware used to deploy additional malicious files and scripts. Once the initial malware from GitHub gained a foothold on the device, the additional files deployed had a modular and multi-stage approach to payload delivery, execution, and persistence. The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host. This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads.

In this blog, we provide our analysis of this large-scale malvertising campaign, detailing our findings regarding the redirection chain and various payloads used across the multi-stage attack chain. We further provide recommendations for mitigating the impact of this threat, detection details, indicators of compromise (IOCs), and hunting guidance to locate related activity. By sharing this research, we aim to raise awareness about the tactics, techniques, and procedures (TTPs) used in this widespread activity so organizations can better prepare and implement effective mitigation strategies to protect their systems and data.

We would like to thank the GitHub security team for their prompt response and collaboration in taking down the malicious repositories.

GitHub activity and redirection chain

Since at least early December 2024, multiple hosts downloaded first-stage payloads from malicious GitHub repositories. The users were redirected to GitHub through a series of other redirections. Analysis of the redirector chain determined the attack likely originated from illegal streaming websites where users can watch pirated videos. The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms. These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub.

Multiple stages of malware were deployed in this campaign, as listed below, and the several different stages of activity that occurred depended on the payload dropped during the second stage.

• The first-stage payload that was hosted on GitHub served as the dropper for the next stage of payloads.
• The second-stage files were used to conduct system discovery and to exfiltrate system information that was Base64-encoded into the URL and sent over HTTP to an IP address. The information collected included data on memory size, graphic details, screen resolution, operating system (OS), and user paths.
• Various third-stage payloads were deployed depending on the second-stage payload. In general, the third-stage payload conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques.

The full redirect chain was composed of four to five layers. Microsoft researchers determined malvertising redirectors were contained within an iframe on illegal streaming websites.

There were several redirections that occurred before arriving at the malicious content stored on GitHub.

Attack chain

Once the redirection to GitHub occurred, the malware hosted on GitHub established the initial foothold on the user’s device and functioned as a dropper for additional payload stages and running malicious code. The additional payloads included information stealers to collect system and browser information on the compromised device, of which most were either Lumma stealer or an updated version of Doenerium. Depending on the initial payload, the deployment of NetSupport, a remote monitoring and management (RMM) software, was also often deployed alongside the infostealer. Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host. The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and data exfiltration of user data and browser credentials.

After the initial foothold was gained, the activity led to a modular and multi-stage approach to payload delivery, execution, and persistence. Each stage dropped another payload with a different function, as outlined below. Actions conducted across these stages include system discovery (memory, GPU, OS, signed-in users, and others), opening browser credential files, Data Protection API (DPAPI) crypt data calls, and other functions such as obfuscated script execution and named pipe creations to conduct data exfiltration. Persistence was achieved through modification of the registry run keys and the addition of a shortcut file to the Windows Startup folder.

Several stages of malicious activity to conduct deployment of additional malware, collections, and exfiltration of data to a C2 were observed. While not every single initial payload followed these exact steps, this is an overall view of what occurred across most incidents analyzed:

First-stage payload: Establishing a foothold on the host

During the first stage, a payload is dropped onto the user’s device from the binary hosted on GitHub, establishing a foothold on that device. As of mid-January 2025, the first-stage payloads discovered were digitally signed with a newly created certificate. A total of twelve different certificates were identified, all of which have been revoked.

Most of these initial payloads dropped the following legitimate files to leverage their functionality. These files were either leveraged by the first-stage payload or by later-stage payloads, depending on the actions being conducted.

Depending on the first-stage payload that was initially established on the compromised device, Microsoft observed different second-stage payloads and several different methods for delivering these payloads to the device.

Second-stage payload: System discovery, collection, and exfiltration

The main purpose of the second-stage payload is to conduct system discovery and collect that data for exfiltration to the C2. The system information collected includes data such as memory size, graphic card details, screen resolution, operating system, user paths, and a reference to the second-stage payload’s file name.

This was accomplished by querying the registry key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProductName for the Windows OS version and running commands, such as the echo command, to gather the device’s name (%COMPUTERNAME%) and domain name (%USERDOMAIN%).

System data collected by the second-stage payload is Base64-encoded and exfiltrated as a query parameter to an IP address.

Third-stage payload: PowerShell and .exe binary

Depending on the second-stage payload, either one or multiple executables are dropped onto the compromised device, and sometimes an accompanying encoded PowerShell script. These files initiate a chain of events that conduct command execution, payload delivery, defensive evasion, persistence, C2 communications, and data exfiltration. The analysis of the dropped executables is first discussed below, followed by review of the PowerShell scripts observed.

Third-stage .exe analysis

The second-stage payloads run the dropped third-stage executables using the command prompt (for example, cmd.exe  /d /s /c “”C:Users<user>AppDataLocalTempApproachAllan.exe””). The /c flag ensures that the command runs and exits quickly. When the third-stage .exe runs, it drops a command file (.cmd) and launches it using the command prompt (for example, “cmd.exe” /c copy Beauty Beauty.cmd && Beauty.cmd). The .cmd file performs several actions, such as running tasklist, to initiate the discovery of running programs. This is followed by the findstr to search for keywords associated with security software:

The .cmd file also concatenates multiple files into one with a single character file name: “cmd /c copy /b ..Verzeichnis + ..Controlling + ..Constitute + ..Enjoyed + ..Confusion + ..Min +..Statutory J”. This single character filename is used next.

Following this, the third-stage .exe produces an AutoIT v3 interpreter file that is renamed from the typical file name of AutoIt3.exe and uses a .com file extension. The .cmd file initiates the execution of the .com file against the single character binary (such as Briefly.com J). Note, most of the second-stage payloads follow this progression chain, and as mentioned a second-stage payload can also drop multiple executables, all following the same process. For example:

First stage

• X-essentiApp.exe

Second stage

• Ionixnignx.exe

Third stage

• EverybodyViewing.exe
• ReliefOrganizational.exe
• InflationWinston.exe

Third-stage command files

• Beauty.cmd
• Possess.cmd
• Villa.cmd

Fourth-stage AutoIT .com files

• Alexandria.com
• Kills.com
• Briefly.com

We observed multiple .com files originating from different dropped executables, each performing distinct functions while occasionally overlapping in behavior. These files facilitate persistence, process injection, remote debugging, and data exfiltration through various mechanisms. One .com file, such as Alexandria.com, drops a .scr file (another renamed AutoIT interpreter), and a .js (JavaScript) file with the same name as the .scr file. The purpose of the JavaScript file is to ensure persistence by creating a .url internet shortcut that points to the JavaScript file and is placed in the Startup folder, ensuring that the .scr file executes when the .js file executes (through Wscript.exe) upon user sign-in. Alternatively, persistence can be achieved using scheduled task creation. The .scr file can initiate C2 connections, enable remote debugging on Chrome or Edge within a hidden desktop session, or create TCP listening sockets on ports 9220-9229. This functionality allows threat actors to monitor browsing activity and interact with an active browser instance. These files can also open sensitive data files, indicating their role in facilitating post-exploitation activities.

Another .com file, such as affiliated.com, also focuses on remote debugging and browser monitoring. In addition to remote monitoring, affiliated.com initiates network connections to Telegram, Let’s Encrypt, and threat actor domains, potentially for C2 or exfiltration. It also accesses DPAPI to decrypt sensitive stored credentials and retrieve browser data.

The final observed .com file, such as Briefly.com, exhibits behavior similar to affiliated.com but extends its capabilities to include screenshot capture, data exfiltration, and PowerShell-based execution. This file accesses browser and user data for collection, establishes connections to Pastebin and additional C2 domains, and drops the fourth-stage PowerShell script.

The order in which these .com files run is not strictly defined, as one or multiple files can perform overlapping functions depending on the third-stage payload. In many cases, the .com files also leverage LOLBAS like RegAsm.exe by dropping a legitimate file into the %TEMP% directory or injecting malicious code into it using NtAllocateVirtualMemory and SetThreadContext API function calls. RegAsm.exe is used to establish C2 connections over TCP ports 15647 or 9000, exfiltrating data, accessing DPAPI for decryption, monitoring keystrokes using the WH_KEYBOARD_LL hook, and more. This flexibility in execution allows threat actors to tailor their approach based on environmental factors, such as security configurations and user activity.

Browser data files seen accessed:

• AppDataRoamingMozillaFirefoxProfiles<user profile uid>.default-releasecookies.sqlite
• AppDataRoamingMozillaFirefoxProfiles<user profile uid>.default-releaseformhistory.sqlite
• AppDataRoamingMozillaFirefoxProfiles<user profile uid>.default-releasekey4.db
• AppDataRoamingMozillaFirefoxProfiles<user profile uid>.default-releaselogins.json
• AppDataLocalGoogleChromeUser DataDefaultWeb Data
• AppDataLocalGoogleChromeUser DataDefaultLogin Data
• AppDataLocalMicrosoftEdgeUser DataDefaultLogin Data

User data file paths seen accessed:

• C:\Users<user>\OneDrive
• C:\Users<user>\Documents
• C:\Users<user>\Downloads

Third-stage PowerShell analysis

If a PowerShell script is also dropped by the second-stage payload, it includes Base64-obfuscated commands to conduct actions, such as use curl to download additional files like NetSupport from the C2, create persistence for the NetSupport RAT, and exfiltrate system information to C2 servers. To ensure no errors or the progress meter is displayed on the compromised device, the curl command is often used with the –silent option when downloading files from the C2. PowerShell is often configured to run without restrictions with the -ExecutionPolicy Bypass parameter.

As an example, in some of the incidents, when the second-stage payload runs, a PowerShell script is dropped and executed. The script sends the compromised device’s name to the C2 and downloads NetSupport RAT from the same C2.

• Second-stage payload: Squarel.exe
• PowerShell script: SHA-256: d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
• C2 domain: keikochio[.]com
• NetSupport RAT: SHA-256: 32a828e2060e92b799829a12e3e87730e9a88ecfa65a4fc4700bdcc57a52d995

In another case, a second-stage payload drops a PowerShell script, which connects to hxxps://ipinfo[.]io to gather the compromised device’s external-facing IP address. This information is sent to a Telegram chat, then drops presentationhost.exe (a renamed NetSupport binary) and remcmdstub.exe (NetSupport Command Manager) into the %TEMP% directory. Finally, the PowerShell script establishes persistence for presentationhost.exe by adding it to the auto-start extensibility points (ASEP) registry keys. When it runs, the NetSupport RAT connects to the C2 and captures a screenshot of the compromised device’s desktop. It also delivers a Lumma executable that drops a VBScript file with the same name. The VBScript file runs encoded PowerShell to initiate C2 connections and launches MSBuild.exe to enable Chrome remote debugging on a hidden desktop. Additionally, presentationhost.exe initiates remcmdstub.exe, which leverages iScrPaint.exe (iTop Screen Recorder) to run MSBuild.exe and access browser credential files for exfiltration. The iScrPaint.exe file also establishes persistence by placing a .lnk shortcut in the Windows Startup folder, ensuring it runs on system reboot.

• Second-stage payload: Application.exe
• PowerShell script: SHA-256: 483796a64f004a684a7bc20c1ddd5c671b41a808bc77634112e1703052666a64
• C2: hxxp://5.10.250[.]240/fakeurl.htm

The last observed third-stage PowerShell script was dropped by three second-stage payloads. The script sends the compromised device’s name to the C2 server. It then changes the working directory to $env:APPDATA, before using Start-BitsTransfer to download NetSupport from the C2. To evade detection, it modifies system security settings forcing TLS1.2 for encrypted C2 communication. These files are extracted into a newly created WinLibraryClient directory under AppData and then are launched. The script establishes persistence for the client32.exe (NetSupport RAT) by modifying the ASEP registry. Client32.exe initiates C2 connections to hxxp://79.132.128[.]77/fakeurl.htm.

• Second-stage payloads: SalmonSamurai.exe, LakerBaker.exe, and DisplayPhotoViewer.exe
• PowerShell script: SHA-256: 670218cfc5c16d06762b6bc74cda4902087d812e72c52d6b9077c4c4164856b6
• C2 domain: stocktemplates[.]net

Additionally, one observed execution included registry enumeration of HKCU:SoftwareMicrosoftWindowsCurrentVersionUninstall to identify installed applications and security software. It also queries the system’s domain status using Windows Management Instrumentation (WMI) and scans for cryptocurrency wallets, including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, indicating potential financial data theft.

Fourth-stage PowerShell analysis

Depending on the .com file that ran (like Briefly.com), the renamed AutoIT file may drop a PowerShell script (SHA-256: 2a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3). The obfuscated PowerShell code uses the Add-MpPreference cmdlet to modify Microsoft Defender to add in exclusion paths for Microsoft Defender, so the specified folders are not scanned.

The script above is sometimes followed by an instance of Base64-encoded PowerShell commands. The PowerShell commands perform the following actions:

• Sends a web request to hxxps://360[.]net and closes the response.
• Sends a web request to hxxps://baidu[.]com and closes the response.
• Downloads data from hxxps://klipcatepiu0[.]shop/int_clp_sha.txt using a web client.
• Writes the downloaded data to a memory stream and saves it as a .zip file named null.zip (SHA-256: f07b8e5622598c228bfc9bff50838a3c4fffd88c436a7ef77e6214a40b0a2bae) in the C:Users<Username>AppDataLocalTemp directory.

Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen Microsoft Defender for Endpoint configuration

• Ensure that tamper protection is enabled in Microsoft Defender for Endpoint. 
• Enable network protection in Microsoft Defender for Endpoint. 
• Turn on web protection.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.     
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.  
• Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors. 
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
  • Block execution of potentially obfuscated scripts
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block process creations originating from PSExec and WMI commands
  • Block credential stealing from the Windows local security authority subsystem 
  • Block use of copied or impersonated system tools

Strengthen operating environment configuration

• Require multifactor authentication (MFA). While certain attacks such as adversary-in-the-middle (AiTM) phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
  • Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
• Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Enable Network Level Authentication for Remote Desktop Service connections.
• Enable Local Security Authority (LSA) protection to block credential stealing from the Windows local security authority subsystem. 
• AppLocker can restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• Trojan:Win64/LummaStealer
• Trojan:Win32/Malgent
• Behavior:Win32/Eldorado
• Behavior:Win32/LuammaStealer
• Trojan:PowerShell/Powdow
• Trojan:Win64/Shaolaod
• Behavior:Win64/Shaolaod

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

• Possible theft of passwords and other sensitive web browser information
• Possible Lumma Stealer activity
• Renamed AutoIt tool
• Use of living-off-the-land binary to run malicious code
• Suspicious startup item creation
• Suspicious Scheduled Task Process Launched
• Suspicious DPAPI Activity
• Suspicious implant process from a known emerging threat
• Security software tampering
• Suspicious activity linked to a financially motivated threat actor detected
• Ransomware-linked threat actor detected
• A file or network connection related to a ransomware-linked emerging threat activity group detected
• Information stealing malware activity
• Possible NetSupport Manager activity
• Suspicious sequence of exploration activities
• Defender detection bypass
• Suspicious Location of Remote Management Software
• A process was injected with potentially malicious code
• Process hollowing detected
• Suspicious PowerShell download or encoded command execution
• Suspicious PowerShell command line
• Suspicious behavior by cmd.exe was observed
• Suspicious Security Software Discovery
• Suspicious discovery indicative of Virtualization/Sandbox Evasion
• A process was launched on a hidden desktop
• Monitored keystrokes
• Suspicious Process Discovery
• Suspicious Javascript process
• A suspicious file was observed
• Anomaly detected in ASEP registry

Microsoft Defender for Cloud

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

• Detected suspicious combination of HTA and PowerShell
• Suspicious PowerShell Activity Detected
• Traffic detected from IP addresses recommended for blocking
• Attempted communication with suspicious sinkholed domain
• Communication with suspicious domain identified by threat intelligence
• Detected obfuscated command line
• Detected suspicious named pipe communications

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Storm-0408
• Agent Tesla credential theft malware
• Information stealers
• Lumma stealer
• Abuse of remote monitoring and management tools
• Malicious use of PowerShell

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Github-hosted first-stage payload certificate serial numbers

let specificSerialNumbers = dynamic(["70093af339876742820d7941", "15042512e67e8275f3f7f36b", "5608cab7e2ce34d53abcbb73",
 "0fa27d2553f24da79d1cc6bd8773ee9a", "7a7bf2ae0cbc0f5500db2946", "30d6c83a715bddb32e7956fe52d6b352",
  "301385aa36fae635e74bb88e", "30013cbbb16a7fd3c57f82707fb99c32", "5d00264a6b804ae6b28d9b16",
   "3a9c76f8304f77bd271921d9982f1ab6", "01f2c6c363767056abd80e9c", "0b09c88c0c8d15bed51a9eb4440f4bb0"]); 
union
(
    DeviceFileCertificateInfo
    | where CertificateSerialNumber in (specificSerialNumbers)
    | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp
),
(
    DeviceTvmCertificateInfo
    | where SerialNumber in (specificSerialNumbers)
    | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate
)

Dropbox-hosted first-stage payload certificate serial number

Surface devices that may contain first-stage payloads hosted on Dropbox related to this activity. This query will search for the unique serial number of the known certificate related to this activity.

let specificSerialNumbers = dynamic(["7a7bf2ae0cbc0f5500db2946"]); 
union
(
    DeviceFileCertificateInfo
    | where CertificateSerialNumber in (specificSerialNumbers)
    | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp
),
(
    DeviceTvmCertificateInfo
    | where SerialNumber in (specificSerialNumbers)
    | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate
)

Second-stage C2 IP addresses

Surface devices that may have communicated with second stage C2 IP addresses related to this activity.

let ipAddressToSearch = dynamic(["159.100.18.192", "192.142.10.246", "79.133.46.35", "84.200.24.191", "84.200.24.26", "89.187.28.253", "185.92.181.1"]);
union isfuzzy=true
(
    AzureDiagnostics
    | where identity_claim_ipaddr_s == ipAddressToSearch or conditions_sourceIP_s == ipAddressToSearch or CallerIPAddress == ipAddressToSearch or clientIP_s == ipAddressToSearch or clientIp_s == ipAddressToSearch or primaryIPv4Address_s == ipAddressToSearch or conditions_destinationIP_s == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AzureDiagnostics", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, conditions_destinationIP_s), AdditionalInfo = tostring(AdditionalFields)
),
(
    IdentityQueryEvents
    | where IPAddress == ipAddressToSearch or DestinationIPAddress == ipAddressToSearch
    | project Timestamp, Table = "IdentityQueryEvents", IPAddress = coalesce(IPAddress, DestinationIPAddress), AdditionalInfo = Query
),
(
    AADSignInEventsBeta
    | where IPAddress == ipAddressToSearch
    | project Timestamp, Table = "AADSignInEventsBeta", IPAddress, AdditionalInfo = UserAgent
),
(
    Heartbeat
    | where ComputerIP == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "Heartbeat", IPAddress = ComputerIP, AdditionalInfo = OSName
),
(
    CloudAppEvents
    | where IPAddress == ipAddressToSearch
    | project Timestamp, Table = "CloudAppEvents", IPAddress, AdditionalInfo = UserAgent
),
(
    DeviceNetworkEvents
    | where LocalIP == ipAddressToSearch or RemoteIP == ipAddressToSearch
    | project Timestamp, Table = "DeviceNetworkEvents", IPAddress = coalesce(LocalIP, RemoteIP), AdditionalInfo = InitiatingProcessCommandLine
),
(
    AADUserRiskEvents
    | where IpAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AADUserRiskEvents", IPAddress = IpAddress, AdditionalInfo = RiskEventType
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AADNonInteractiveUserSignInLogs", IPAddress, AdditionalInfo = UserAgent
),
(
    MicrosoftAzureBastionAuditLogs
    | where TargetVMIPAddress == ipAddressToSearch or ClientIpAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "MicrosoftAzureBastionAuditLogs", IPAddress = coalesce(TargetVMIPAddress, ClientIpAddress), AdditionalInfo = UserAgent
)
| sort by Timestamp desc

Fourth-stage C2 IP addresses

Surface devices that may have communicated with fourth stage C2 IP addresses related to this activity.

let ipAddressToSearch = dynamic(["45.141.84.60", "91.202.233.18", "154.216.20.131", "5.10.250.240", "79.132.128.77"]);
union isfuzzy=true
(
    AzureDiagnostics
    | where identity_claim_ipaddr_s == ipAddressToSearch or conditions_sourceIP_s == ipAddressToSearch or CallerIPAddress == ipAddressToSearch or clientIP_s == ipAddressToSearch or clientIp_s == ipAddressToSearch or primaryIPv4Address_s == ipAddressToSearch or conditions_destinationIP_s == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AzureDiagnostics", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, o),
(
    IdentityQueryEvents
    | where IPAddress == ipAddressToSearch or DestinationIPAddress == ipAddressToSearch
    | project Timestamp, Table = "IdentityQueryEvents", IPAddress = coalesce(IPAddress, DestinationIPAddress), AdditionalInfo = Query
),
(
    AADSignInEventsBeta
    | where IPAddress == ipAddressToSearch
    | project Timestamp, Table = "AADSignInEventsBeta", IPAddress, AdditionalInfo = UserAgent
),
(
    Heartbeat
    | where ComputerIP == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "Heartbeat", IPAddress = ComputerIP, AdditionalInfo = OSName
),
(
    CloudAppEvents
    | where IPAddress == ipAddressToSearch
    | project Timestamp, Table = "CloudAppEvents", IPAddress, AdditionalInfo = UserAgent
),
(
    DeviceNetworkEvents
    | where LocalIP == ipAddressToSearch or RemoteIP == ipAddressToSearch
    | project Timestamp, Table = "DeviceNetworkEvents", IPAddress = coalesce(LocalIP, RemoteIP), AdditionalInfo = InitiatingProcessCommandLine
),
(
    AADUserRiskEvents
    | where IpAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AADUserRiskEvents", IPAddress = IpAddress, AdditionalInfo = RiskEventType
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "AADNonInteractiveUserSignInLogs", IPAddress, AdditionalInfo = UserAgent
),
(
    MicrosoftAzureBastionAuditLogs
    | where TargetVMIPAddress == ipAddressToSearch or ClientIpAddress == ipAddressToSearch
    | project Timestamp = TimeGenerated, Table = "MicrosoftAzureBastionAuditLogs", IPAddress = coalesce(TargetVMIPAddress, ClientIpAddress), AdditionalInfo = UserAgent
)
| sort by Timestamp desc

Browser remote debugging 

Identify AutoIT scripts launching chromium-based browsers (such as chrome.exe, msedge.exe, brave.exe) in remote debugging mode.

DeviceProcessEvents 
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe" // Check for "AutoIt" scripts, even if it's renamed.  
| where ProcessCommandLine has "--remote-debugging-port" // Identify Chromium based browsers (chrome.exe, msedge.exe, brave.exe etc) being launched in remote debugging mode. 
| project DeviceId, Timestamp, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

DPAPI decryption via AutoIT

Identify DPAPI decryption activity originating from AutoIT scripts.

DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where (dataDesp in~ ("Google Chrome", "Microsoft Edge") and opType =~ "SPCryptUnprotect")
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType

DPAPI decryption via LOLBAS binaries

Identify DPAPI decryption activity originating from LOLBAS binaries (RegAsm.exe and MSBuild.exe).

DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessFileName has_any ("RegAsm.exe", "MSBuild.exe")
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and  AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where (dataDesp in~ ("Google Chrome", "Microsoft Edge") and opType =~ "SPCryptUnprotect")
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType

Sensitive browser file access via AutoIT

Identify AutoIT scripts (renamed or otherwise) accessing sensitive browser files.

let browserDirs = pack_array(@"GoogleChromeUser Data", @"MicrosoftEdgeUser Data", @"MozillaFirefoxProfiles"); 
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
| where AdditionalFields has_any ("FileOpenSource") // Filter for "File Open" events.
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
| where (AdditionalFields has_any(browserDirs) or  AdditionalFields has_any(browserSensitiveFiles)) 
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name

Sensitive browser file access via LOLBAS binaries

Identify LOLBAS binaries (RegAsm.exe and MSBuild.exe) accessing sensitive browser files.

let browserDirs = pack_array(@"GoogleChromeUser Data", @"MicrosoftEdgeUser Data", @"MozillaFirefoxProfiles"); 
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
| where AdditionalFields has_any ("FileOpenSource") // Filter for "File Open" events.
| where InitiatingProcessFileName has_any ("RegAsm.exe", "MSBuild.exe")
 | where (AdditionalFields has_any(browserDirs) or  AdditionalFields has_any(browserSensitiveFiles)) 
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Indicators of compromise

Streaming website domains with malicious iframe

Malicious iframe redirector domains

Malvertisement distributor

Malvertising website domains

GitHub referral URLs

GitHub URLs

DropBox URL

Discord URL

First stage GitHub-hosted payloads

First-stage Dropbox-hosted payload

First-stage Discord-hosted payload

Certificate signatures of GitHub-hosted payloads

Certificate signature of Dropbox-hosted payload

Second-stage payloads

Second-stage C2s

Third-stage payloads: .exe and PowerShell files

Fourth-stage AutoIT, NetSupport RAT, PowerShell, and Lumma

Third-stage C2s

Fourth-stage C2s

Fourth-stage testing connectivity sites

References

• https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
• https://github.com/antivirusevasion69/doenerium
• https://curl.se/docs/manpage.html#-s
• https://www.virustotal.com/gui/file/2a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

Hear more about this discovery and how threat actors in this campaign leverage trusted platforms and advanced techniques to achieve their malicious goals in this episode of the Microsoft Threat Intelligence podcast, hosted by Sherrod DeGrippo: https://thecyberwire.com/podcasts/microsoft-threat-intelligence/39/notes. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Malvertising campaign leads to info stealers hosted on GitHub appeared first on Microsoft Security Blog.

Between March and April 2024, Microsoft Threat Intelligence observed Secret Blizzard using the Amadey bot malware relating to cybercriminal activity that Microsoft tracks as Storm-1919 to download its backdoors to specifically selected target devices associated with the Ukrainian military. This was at least the second time since 2022 that Secret Blizzard has used a cybercrime campaign to facilitate a foothold for its own malware in Ukraine. Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.

Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors, including using strategic web compromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via legally mandated intercept systems in Russia such as the “System for Operative Investigative Activities” (SORM). More commonly, Secret Blizzard uses spear phishing as its initial attack vector, then server-side and edge device compromises to facilitate further lateral movement within a network of interest.

As previously detailed, Secret Blizzard is known for targeting a wide array of sectors, but most prominently ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. Secret Blizzard focuses on gaining long-term access to systems for intelligence collection, often seeking out advanced research and information of political importance, using extensive resources such as multiple backdoors. The United States Cybersecurity and Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service (FSB). Secret Blizzard overlaps with the threat actor tracked by other security vendors as Turla, Waterbug, Venomous Bear, Snake, Turla Team, and Turla APT Group.

Microsoft tracks Secret Blizzard campaigns and, when we are able, directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Secret Blizzard’s activity to raise awareness of this threat actor’s tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. In addition, we highlight that while Secret Blizzard’s use of infrastructure and access by other threat actors is unusual, it is not unique, and therefore organizations that have been compromised by one threat actor may also find themselves compromised by another through the initial intrusion.

Amadey bot use and post-compromise activities

Between March and April 2024, Microsoft observed Secret Blizzard likely commandeering Amadey bots to ultimately deploy their custom Tavdig backdoor. Microsoft tracks some cybercriminal activity associated with Amadey bots as Storm-1919. Storm-1919’s post-infection goal is most often to deploy XMRIG cryptocurrency miners onto victim devices. Amadey bots have been deployed by Secret Blizzard and other threat actors comprising Storm-1919 to numerous devices around the world during 2024.

Microsoft assesses that Secret Blizzard either used the Amadey malware as a service (MaaS) or accessed the Amadey command-and-control (C2) panels surreptitiously to download a PowerShell dropper on target devices. The PowerShell dropper contained a Base64-encoded Amadey payload appended by code that invoked a request to Secret Blizzard C2 infrastructure.

The Amadey instance was version 4.18, but generally had the same functionality as the Amadey bot described in a Splunk blog from July 2023 analyzing version 3.83.

The Amadey sample gathered a significant amount of information about the victim system, including the administrator status and device name from the registry, and checked for installed antivirus software by seeing if it had a folder in C:\ProgramData. Numbers were recorded for each software found and likely sent back to the C2:

• Avast Software
  • Avira
  • Kaspersky Lab
  • ESET
  • Panda Security
  • Doctor Web
  • AVG
  • 360TotalSecurity
  • Bitdefender
  • Norton
  • Sophos
  • Comodo

The retrieved information was gathered from the system to be encoded into the communication sent to the C2 at http://vitantgroup[.]com/xmlrpc.php. The Amadey bot then attempted to download two plugins from the C2 server:

• hxxp://vitantgroup[.]com/Plugins/cred64.dll
• hxxp://vitantgroup[.]com/Plugins/clip64.dll

Microsoft did not observe the two DLLs on the devices accessed by Secret Blizzard, but it is likely that they performed the same role as in other similar Amadey bots—to collect clipboard data and browser credentials. The need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard could indicate that Secret Blizzard was not directly in control of the C2 mechanism used by the Amadey bot.

Subsequently, Microsoft observed Secret Blizzard downloading their custom reconnaissance or survey tool. This tool was selectively deployed to devices of further interest by the threat actor—for example, devices egressing from STARLINK IP addresses, a common signature of Ukrainian front-line military devices. The survey tool consisted of an executable that decrypted a batch script or cmdlets at runtime using what appears to be a custom RC4 algorithm. One of the batch scripts invoked the following command:

The batch script collected a survey of the victim device, including the directory tree, system information, active sessions, IPv4 route table, SMB shares, enabled security groups, and time settings. This information was encrypted using the same RC4 function and transmitted to the previously referenced Secret Blizzard C2 server at hxxps://citactica[.]com/wp-content/wp-login.php.

In another use of the survey tool observed by Microsoft Threat Intelligence, the executable simply decrypted the cmdlet dir “%programdata%\Microsoft\Windows Defender\Support. The %programdata%\Microsoft\Windows Defender\Support folder contains various Microsoft Defender logs, such as entries of detected malicious files.

Microsoft assesses that this cmdlet was invoked to determine if Microsoft Defender was enabled and whether previous Amadey activity had been flagged by the engine. Since several of the targeted devices observed by Microsoft had Microsoft Defender disabled during initial infection, the Secret Blizzard implants were only observed by Microsoft weeks or months after initial malware deployment.

Microsoft assesses that Secret Blizzard generally used the survey tool to determine if a victim device was of further interest, in which case it would deploy a PowerShell dropper containing the Tavdig backdoor payload (rastls.dll) and a legitimate Symantec binary with the name (kavp.exe), which is susceptible to DLL-sideloading.  The C2 configuration for Tavdig was:

• hxxps://icw2016.coachfederation[.]cz/wp-includeshttps://www.microsoft.com/images/wp/
• hxxps://hospitalvilleroy[.]com[.]br/wp-includes/fonts/icons/

On several of the victim devices, the Tavdig loader was deployed using an executable named procmap.exe, which used the Microsoft Macro Assembler (MASM) compiler (QEditor). Microsoft assesses that procmap.exe was used to compile and run malicious ASM files on victim devices within Ukraine in March 2024, which then invoked a PowerShell script that subsequently loaded the Amadey bots and the Tavdig backdoor.

Secret Blizzard then used the Tavdig backdoor—loaded into kavp.exe—to conduct further reconnaissance on the device, including user info, netstat, and installed patches. Secret Blizzard also used Tavdig to import a registry file into the registry of the victim device, which likely installed the persistence mechanism and payload for the KazuarV2 backdoor.

Figure 3. Example of how Amadey bots were used to load the Tavdig backdoor

The KazuarV2 payload was often injected into a browser process such as explorer.exe or opera.exe to facilitate command and control with compromised web servers hosting the Secret Blizzard relay and encryption module (index.php). This module facilitated encryption and onward transmission of command output and exfiltrated data from the affected device to the next-level Secret Blizzard infrastructure. 

Storm-1837 PowerShell backdoor use

Microsoft has observed Storm-1837 (overlaps with activity tracked by other security providers as Flying Yeti and UAC-0149) targeting devices belonging to the military of Ukraine since December 2023. Storm-1837 is a Russia-based threat actor that has focused on devices used by Ukrainian drone operators. Storm-1837 uses a range of PowerShell backdoors including the backdoor that the Computer Emergency Response Team of Ukraine (CERT-UA) has named Cookbox as well as an Android backdoor impersonating a legitimate system used for AI processing called “Griselda”, which according to CERT-UA is based on the Hydra Android banking malware and facilitates the collection of session data (HTTP cookies), contacts, and keylogging. In May 2024, Cloudflare detailed a Storm-1837 espionage phishing campaign against Ukrainian military devices for which Storm-1837 used both GitHub and Cloudflare for staging and C2.

In January 2024, Microsoft observed a military-related device in Ukraine compromised by a Storm-1837 backdoor configured to use the Telegram API to launch a cmdlet with credentials (supplied as parameters) for an account on the file-sharing platform Mega. The cmdlet appeared to have facilitated remote connections to the account at Mega and likely invoked the download of commands or files for launch on the target device. When the Storm-1837 PowerShell backdoor launched, Microsoft noted a PowerShell dropper deployed to the device. The dropper was very similar to the one observed during the use of Amadey bots and contained two base64 encoded files containing the previously referenced Tavdig backdoor payload (rastls.dll) and the Symantec binary (kavp.exe).

As with the Amadey bot attack chain, Secret Blizzard used the Tavdig backdoor loaded into kavp.exe to conduct initial reconnaissance on the device. Secret Blizzard then used Tavdig to import a registry file, which was used to install and provide persistence for the KazuarV2 backdoor, which was subsequently observed launching on the affected device.

Although Microsoft did not directly observe the Storm-1837 PowerShell backdoor downloading the Tavdig loader, based on the temporal proximity between the execution of the Storm-1837 backdoor and the observation of the PowerShell dropper, Microsoft assesses that it is likely that the Storm-1837 backdoor was used by Secret Blizzard to deploy the Tavdig loader.

Summary assessments

Microsoft Threat Intelligence is still investigating how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to download its own tools onto devices in Ukraine. It is possible, for example, that Secret Blizzard operators could have purchased the use of Amadey bots, or it may have surreptitiously commandeered a part of the Amadey attack chain.

Regardless of the means, Microsoft Threat Intelligence assesses that Secret Blizzard’s pursuit of footholds provided by or stolen from other threat actors highlights this threat actor’s prioritization of accessing military devices in Ukraine. During its operations, Secret Blizzard has used an RC4 encrypted executable to decrypt various survey cmdlets and scripts, a method Microsoft assesses Secret Blizzard is likely to use beyond the immediate campaign discussed here.

Secret Blizzard deployed tools to these (non-domain-joined) devices that are encoded for espionage against large domain-joined environments. However, this threat actor has also built new functionality into them to make them more relevant for the espionage specifically conducted against Ukrainian military devices. In addition, Microsoft assesses Secret Blizzard has likely also attempted to use these footholds to tunnel and escalate toward strategic access at the Ministry level.

When parts one and two of this blog series are taken together, it indicates that Secret Blizzard has been using footholds from third parties—either by surreptitiously stealing or purchasing access—as a specific and deliberate method to establish footholds of espionage value. Nevertheless, Microsoft assesses that while this approach has some benefits that could lead more threat adversaries to use it, it is of less use against hardened networks, where good endpoint and network defenses enable the detection of activities of multiple threat adversaries for remediation.

Mitigations

To harden networks against the Secret Blizzard activity listed above, defenders can implement the following:

Strengthen Microsoft Defender for Endpoint configuration

• Microsoft Defender XDR customers can implement attack surface reduction rules to harden an environment against techniques used by threat actors.
  • Block execution of potentially obfuscated scripts.
  • Block process creations originating from PSExec and WMI commands.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
  • Block abuse of exploited vulnerable signed drivers.
  • Block Webshell creation for Servers.
• Enable network protection in Microsoft Defender for Endpoint.
• Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
• Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.

Strengthen Microsoft Defender Antivirus configuration

• Turn on PUA protection in block mode in Microsoft Defender Antivirus.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving threat actor tools and techniques.
• Turn on Microsoft Defender Antivirus real-time protection.

Strengthen operating environment configuration

• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. Implement PowerShell execution policies to control conditions under which PowerShell can load configuration files and run scripts.
• Turn on and monitor PowerShell module and script block logging.
• Implement PowerShell execution policies to control conditions under which PowerShell can load configuration files and run scripts.
• Turn on and monitor PowerShell module and script block logging.

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

• Trojan:Win32/Tavdig.Crypt
• Trojan:JS/Kazuar.A

Microsoft Defender Antivirus detects additional threat components that may be related as the following malware:

• Trojan:Win32/Amadey
• Trojan:MSIL/Amadey
• TrojanDownloader:Win32/Amadey

Microsoft Defender for Endpoint

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Secret Blizzard Actor activity detected

Hunting queries

Microsoft Defender XDR

Surface instances of the Secret Blizzard indicators of compromise file hashes. 

let fileHashes = dynamic(["Ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9", 
"d26ac1a90f3b3f9e11491f789e55abe5b7d360df77c91a597e775f6db49902ea", 
"d7e528b55b2eeb6786509664a70f641f14d0c13ceec539737eef26857355536e", 
"dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c", 
"ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f", 
"Ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9"]);
union
(
   DeviceFileEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
   DeviceEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
   DeviceImageLoadEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
   DeviceProcessEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc

Surface instances of the Secret Blizzard indicators of compromise C2s.

let domainList = dynamic(["citactica.com", "icw2016.coachfederation.cz", "hospitalvilleroy.com.br", "vitantgroup.com", "brauche-it.de", "okesense.oketheme.com", "coworkingdeamicis.com", "plagnol-charpentier.fr"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Additional hunting for likely malicious PowerShell commands queries can be found in this repository.

Look for PowerShell execution events that might involve a download. 

// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "http"
or ProcessCommandLine has "IEX"
or ProcessCommandLine has "Start-BitsTransfer"
or ProcessCommandLine has "mpcmdrun.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

Look for encoded PowerShell execution events. 

// Detect Encoded PowerShell
DeviceProcessEvents
| where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'
| extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine)))

Microsoft Sentinel

Look for encoded PowerShell. 

id: f58a7f64-acd3-4cf6-ab6d-be76130cf251
name: Detect Encoded Powershell
description: |	
This query will detect encoded Powershell based on the parameters passed during process creation. This query will also work if the PowerShell executable is renamed or tampered with since detection is based solely on a regex of the launch string.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Execution
query: |
DeviceProcessEvents
| where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'
| extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine)))

Look for PowerShell downloads. 

id: c34d1d0e-1cf4-45d0-b628-a2cfde329182
name: PowerShell downloads
description: |
Finds PowerShell execution events that could involve a download.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
query: |
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "http"
or ProcessCommandLine has "IEX"
or ProcessCommandLine has "Start-BitsTransfer"
or ProcessCommandLine has "mpcmdrun.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.

Microsoft Defender Threat Intelligence

• Secret Blizzard using peer and cybercriminal infrastructure to target devices in Ukraine

Indicators of compromise

References

• https://securelist.com/the-epic-turla-operation/65545/ 
• https://www.darkreading.com/endpoint-security/upgraded-kazuar-backdoor-offers-stealthy-power 
• https://cyble.com/blog/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/
• https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/
• https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/
• https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
• https://attack.mitre.org/groups/G0010/
• https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html
• https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine/
• https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/
• https://cert.gov.ua/article/6278620
• https://www.theregister.com/2024/05/31/crowdforce_flyingyeti_ukraine/
• https://www.zdnet.com/article/malware-authors-are-still-abusing-the-heavens-gate-technique/

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine appeared first on Microsoft Security Blog.

Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.

Importantly, Microsoft takes action against malicious users violating the Microsoft Services Agreement in how they use apps like SharePoint and OneDrive. To help protect enterprise accounts from compromise, by default both Microsoft 365 and Office 365 support multifactor authentication (MFA) and passwordless sign-in. Consumers can also go passwordless with their Microsoft account. Because security is a team sport, Microsoft also works with third parties like Dropbox to share threat intelligence and protect mutual customers and the wider community.

In this blog, we discuss the typical attack chain used in campaigns misusing file hosting services and detail the recently observed tactics, techniques, and procedures (TTPs), including the increasing use of certain defense evasion tactics. To help defenders protect their identities and data, we also share mitigation guidance to help reduce the impact of this threat, and detection details and hunting queries to locate potential misuse of file hosting services and related threat actor activities. By understanding these evolving threats and implementing the recommended mitigations, organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.

Attack overview

Phishing campaigns exploiting legitimate file hosting services have been trending throughout the last few years, especially due to the relative ease of the technique. The files are delivered through different approaches, including email and email attachments like PDFs, OneNote, and Word files, with the intent of compromising identities or devices. These campaigns are different from traditional phishing attacks because of the sophisticated defense evasion techniques used.

Since mid-April 2024, we observed threat actors increasingly use these tactics aimed at circumventing defense mechanisms:

• Files with restricted access: The files sent through the phishing emails are configured to be accessible solely to the designated recipient. This requires the recipient to be signed in to the file-sharing service—be it Dropbox, OneDrive, or SharePoint—or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service.
• Files with view-only restrictions: To bypass analysis by email detonation systems, the files shared in these phishing attacks are set to ‘view-only’ mode, disabling the ability to download and consequently, the detection of embedded URLs within the file.

An example attack chain is provided below, depicting the updated defense evasion techniques being used across stages 4, 5, and 6:

Initial access

The attack typically begins with the compromise of a user within a trusted vendor. After compromising the trusted vendor, the threat actor hosts a file on the vendor’s file hosting service, which is then shared with a target organization. This misuse of legitimate file hosting services is particularly effective because recipients are more likely to trust emails from known vendors, allowing threat actors to bypass security measures and compromise identities. Often, users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.

While file names observed in these campaigns also included the recipients, the hosted files typically follow these patterns:

• Familiar topics based on existing conversations
  • For example, if the two organizations have prior interactions related to an audit, the shared files could be named “Audit Report 2024”.
• Familiar topics based on current context
  • If the attack has not originated from a trusted vendor, the threat actor often impersonates administrators or help desk or IT support personnel in the sender display name and uses a file name such as “IT Filing Support 2024”, “Forms related to Tax submission”, or “Troubleshooting guidelines”.
• Topics based on urgency
  • Another common technique observed by the threat actors creating these files is that they create a sense of urgency with the file names like “Urgent:Attention Required” and “Compromised Password Reset”.

Defense evasion techniques

Once the threat actor shares the files on the file hosting service with the intended users, the file hosting service sends the target user an automated email notification with a link to access the file securely. This email is not a phishing email but a notification for the user about the sharing action. In scenarios involving SharePoint or OneDrive, the file is shared from the user’s context, with the compromised user’s email address as the sender. However, in the Dropbox scenario, the file is shared from no-reply@dropbox[.]com. The files are shared through automated notification emails with the subject: “<User> shared <document> with you”. To evade detections, the threat actor deploys the following additional techniques:

• Only the intended recipient can access the file
  • The intended recipient needs to re-authenticate before accessing the file
  • The file is accessible only for a limited time window
• The PDF shared in the file cannot be downloaded

These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted.

Identity compromise

When the targeted user accesses the shared file, the user is prompted to verify their identity by providing their email address:

Next, an OTP is sent from no-reply@notify.microsoft[.]com. Once the OTP is submitted, the user is successfully authorized and can view a document, often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the “View my message” access link.

This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign.

Recommended actions

Microsoft recommends the following mitigations to reduce the impact of this threat:

• Enable Conditional Access policies in Microsoft Entra, especially risk-based access policies. Conditional access policies evaluate sign-in requests using additional identity-driven signals like user or group membership, IP address location information, and device status, among others, are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices, Azure trusted IP address requirements, or risk-based policies with proper access control. If you are still evaluating Conditional Access, use security defaults as an initial baseline set of policies to improve identity security posture.
• Implement continuous access evaluation.
• Implement Microsoft Entra passwordless sign-in with FIDO2 security keys.
• Turn on network protection in Microsoft Defender for Endpoint to block connections to malicious domains and IP addresses.
• Implement Microsoft Defender for Endpoint – Mobile Threat Defense on mobile devices used to access enterprise assets.
• Leverage Microsoft Edge to automatically identify and block malicious websites, including those used in this phishing campaign, and Microsoft Defender for Office 365 to detect and block malicious emails, links, and files. Monitor suspicious or anomalous activities in Microsoft Entra ID Protection. Investigate sign-in attempts with suspicious characteristics (such as the location, ISP, user agent, and use of anonymizer services). Educate users about the risks of secure file sharing and emails from trusted vendors.

Appendix

Microsoft Defender XDR detections

Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 URL click and Microsoft Entra ID Protection risky sign-ins signal.

• Risky sign-in after clicking a possible AiTM phishing URL
• User compromised through session cookie hijack
• User compromised in a known AiTM phishing kit

Hunting queries

Microsoft Defender XDR 

The file sharing events related to the activity in this blog post can be audited through the CloudAppEvents telemetry. Microsoft Defender XDR customers can run the following query to find related activity in their networks: 

Automated email notifications and suspicious sign-in activity

By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.

let usersWithSuspiciousEmails = EmailEvents
    | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "

Files share contents and suspicious sign-in activity

In the majority of the campaigns, the file name involves a sense of urgency or content related to finance or credential updates. By correlating the file share emails with suspicious sign-ins, compromises can be detected. (For example: Alex shared “Password Reset Mandatory.pdf” with you). Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.

let usersWithSuspiciousEmails = EmailEvents
    | where Subject has_all ("shared", "with you")
    | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
    | where isnotempty(RecipientObjectId)
    | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject
    | where RecipientCount >= 10
    | mv-expand RecipientList to typeof(string)
    | distinct RecipientList;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

BEC: File sharing tactics based on the file hosting service used

To initiate the file sharing activity, these campaigns commonly use certain action types depending on the file hosting service being leveraged. Below are the action types from the audit logs recorded for the file sharing events. These action types can be used to hunt for activities related to these campaigns by replacing the action type for its respective application in the queries below this table.

OneDrive or SharePoint: The following query highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.

let securelinkCreated = CloudAppEvents
    | where ActionType == "SecureLinkCreated"
    | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
let filesCreated = securelinkCreated
    | where isnotempty(ObjectName)
    | distinct tostring(ObjectName);
CloudAppEvents
| where ActionType == "AddedToSecureLink"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| extend FileShared = tostring(RawEventData.ObjectId)
| where FileShared in (filesCreated)
| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
| where TypeofUserSharedWith == "Guest"
| where isnotempty(FileShared) and isnotempty(UserSharedWith)
| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
// Secure file created recently (in the last 1day)
| where (Timestamp - FileCreatedTime) between (1d .. 0h)
| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
| where NumofUsersSharedWith >= 20

Dropbox: The following query highlights that a file hosted on Dropbox has been shared with multiple participants.

CloudAppEvents
| where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
| where Application == "Dropbox"
| where ObjectType == "File"
| extend FileShared = tostring(ObjectName)
| where isnotempty(FileShared)
| mv-expand ActivityObjects
| where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
| extend SharedBy = AccountId
| extend UserSharedWith = tostring(ActivityObjects.Name)
| summarize dcount(UserSharedWith) by FileShared, AccountObjectId
| where dcount_UserSharedWith >= 20

Microsoft Sentinel

Microsoft Sentinel customers can use the resources below to find related activities similar to those described in this post:

The following query identifies files with specific keywords that attackers might use in this campaign that have been shared through OneDrive or SharePoint using a Secure Link and accessed by over 10 unique users. It captures crucial details like target users, client IP addresses, timestamps, and file URLs to aid in detecting potential attacks:

let OperationName = dynamic(['SecureLinkCreated', 'AddedToSecureLink']);
OfficeActivity
| where Operation in (OperationName)
| where OfficeWorkload in ('OneDrive', 'SharePoint')
| where SourceFileName has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password", "paycheck", "bank statement", "bank details", "closing", "funds", "bank account", "account details", "remittance", "deposit", "Reset")
| summarize CountOfShares = dcount(TargetUserOrGroupName), 
            make_list(TargetUserOrGroupName), 
            make_list(ClientIP), 
            make_list(TimeGenerated), 
            make_list(SourceRelativeUrl) by SourceFileName, OfficeWorkload
| where CountOfShares > 10

Considering that the attacker compromises users through AiTM,  possible AiTM phishing attempts can be detected through the below rule:

• Possible AiTM Phishing Attempt

In addition, customers can also use the following identity-focused queries to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor:

• Signins From VPS Providers
• Signins from Nord VPN Providers
• Successful Signin From Non-Compliant Device

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post File hosting services misused for identity phishing appeared first on Microsoft Security Blog.