Threat Cluster:
Microsoft warns of Storm-0539, an emerging threat cluster.
Target:
Retail entities facing highly sophisticated phishing during the holiday season.
Attack Method:
Propagating booby-trapped links, directing victims to phishing pages.
Objective:
Harvesting credentials and session tokens, facilitating gift card fraud.
Tactics:
Bypassing MFA, escalating privileges, moving laterally, accessing cloud resources.
Persistence:
Registers an attacker-controlled device with the victim's account so that subsequent authentication prompts are satisfied by the attacker.
Reconnaissance:
Conducts extensive reconnaissance for crafting convincing phishing lures.
Motivation:
Financially motivated group active since at least 2021.
Post-Compromise:
Well-versed in cloud provider environments; after compromise, leverages the target's own cloud services.
Microsoft Action:
Obtained a court order to seize Storm-1152 infrastructure, and warned about OAuth abuse in cybercrime.