Hackers Abuse Compromised M365 Accounts to Scale CodeStorm Phishing Operations
ID: d2e9901e-e7fe-5bf7-82d6-e6fad4a104f5
STIX ID: report--d2e9901e-e7fe-5bf7-82d6-e6fad4a104f5
Feed Name: Security Boulevard
Attackers are abusing compromised Microsoft 365 accounts to scale a voicemail-themed phishing campaign named CodeStorm. The kit sends phishing emails from legitimate M365 accounts (bypassing SPF/DKIM/DMARC trust), appends dummy email threads to evade scanners, and performs tenant-aware real-time credential replay against Microsoft’s live identity infrastructure to support multiple MFA bypass workflows. Landing pages use Cloudflare Turnstile and anti-automation checks; successful interactions generate genuine Entra sign-in failures and can lead to inbox rules, OAuth grants, and account takeover. Defenders are advised to correlate email and identity telemetry, hunt for Entra sign-in failures shortly after clicks, and monitor post-compromise mailbox and OAuth activity.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
