logo

Hackers Abuse Compromised M365 Accounts to Scale CodeStorm Phishing Operations

ID: d2e9901e-e7fe-5bf7-82d6-e6fad4a104f5

STIX ID: report--d2e9901e-e7fe-5bf7-82d6-e6fad4a104f5

Feed Name: Security Boulevard

Threat Score
72/100

Date Published: 2026-06-23

Date Updated: 2026-06-23

Author: John Kevin Hao

...
...

Attackers are abusing compromised Microsoft 365 accounts to scale a voicemail-themed phishing campaign named CodeStorm. The kit sends phishing emails from legitimate M365 accounts (bypassing SPF/DKIM/DMARC trust), appends dummy email threads to evade scanners, and performs tenant-aware real-time credential replay against Microsoft’s live identity infrastructure to support multiple MFA bypass workflows. Landing pages use Cloudflare Turnstile and anti-automation checks; successful interactions generate genuine Entra sign-in failures and can lead to inbox rules, OAuth grants, and account takeover. Defenders are advised to correlate email and identity telemetry, hunt for Entra sign-in failures shortly after clicks, and monitor post-compromise mailbox and OAuth activity.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.