
Microsoft identifies Storm-0539 threat in gift card fraud

Storm-0539: Sophisticated attacks bypass MFA protection and put gift cards at risk

Microsoft has warned of an increase in malicious activity from the Storm-0539 cyber threat group, which uses sophisticated phishing strategies. After obtaining initial credentials, the group manages to bypass MFA protection and access sensitive information.

Microsoft recently warned about the increase in malicious activity conducted by Storm-0539, a new cyber threat group. Over the holidays, this cluster ran elaborate scams using email and SMS phishing, targeting retailers with malicious links leading to phishing pages capable of intercepting user credentials and session tokens.

Sophisticated strategies go beyond MFA protection

After obtaining initial access credentials, Storm-0539 registers its own devices for secondary authentication requests, evading Multi-Factor Authentication (MFA) protection and maintaining persistent access through the compromised identity. That foothold becomes a means to elevate privileges, move laterally across the network, and access cloud resources in order to harvest sensitive information, with a focus on gift card services as the vehicle for fraud.
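The persistence technique described above leaves a recognisable trace in identity audit logs: a sign-in from an address never seen for that account, followed shortly by the registration of a new MFA device or method. The following detection sketch is an added example written for this page, not code from Microsoft or from the article; the event names and fields (`signin`, `mfa_device_registered`, `user`, `ip`, `ts`) and the sample events are constructed and do not follow any vendor's log schema.

```python
"""Flag MFA-method registrations that closely follow a sign-in from an IP
address not in the user's baseline.

Added example for illustration; the event schema below is an assumption,
not a real identity provider's audit format.
"""
from datetime import datetime, timedelta

# Constructed sample audit trail (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2023-12-01T08:02:00", "user": "alice@example.com", "event": "signin", "ip": "203.0.113.10"},
    {"ts": "2023-12-01T08:05:00", "user": "alice@example.com", "event": "signin", "ip": "198.51.100.7"},
    {"ts": "2023-12-01T08:09:00", "user": "alice@example.com", "event": "mfa_device_registered", "ip": "198.51.100.7"},
    {"ts": "2023-12-01T09:00:00", "user": "bob@example.com", "event": "signin", "ip": "203.0.113.20"},
    {"ts": "2023-12-02T09:00:00", "user": "bob@example.com", "event": "mfa_device_registered", "ip": "203.0.113.20"},
]

# Constructed baseline of addresses each user has previously signed in from
# (in practice derived from historical sign-in logs).
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.20"},
}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def find_suspicious_registrations(events, known_ips, window=timedelta(minutes=30)):
    """Return (user, registration_ts, ip) for each MFA registration that occurs
    within `window` after the same user signed in from an IP not in their baseline.

    Events are processed in timestamp order so the baseline grows as the
    stream is replayed.
    """
    seen = {user: set(ips) for user, ips in known_ips.items()}
    recent_new_signins = {}  # user -> (timestamp, ip) of the latest sign-in from a new IP
    alerts = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user, ip = parse_ts(ev["ts"]), ev["user"], ev["ip"]
        if ev["event"] == "signin":
            if ip not in seen.setdefault(user, set()):
                recent_new_signins[user] = (ts, ip)
                # Record the address so the same IP is not treated as "new"
                # on every subsequent sign-in; only the first sighting arms the rule.
                seen[user].add(ip)
        elif ev["event"] == "mfa_device_registered":
            prior = recent_new_signins.get(user)
            if prior is not None and timedelta(0) <= ts - prior[0] <= window:
                alerts.append((user, ev["ts"], ip))
    return alerts


if __name__ == "__main__":
    for user, when, ip in find_suspicious_registrations(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT: {user} registered an MFA device at {when} from {ip} "
              f"shortly after a sign-in from a previously unseen address")
```

In the sample data only Alice is flagged: her second sign-in comes from an address outside her baseline and a new MFA device is registered four minutes later. Bob also signs in from an address first seen in this trail, but his registration happens a day later, outside the window, so the rule stays quiet. Tuning the window and the baseline source (and correlating with the phishing-link clicks the article mentions) is where the real detection engineering lies.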

Intelligence pills on Storm-0539 from Microsoft

Microsoft, in its monthly Microsoft 365 Defender report, found that Storm-0539 is a financially motivated group, active since at least 2021. The actor conducts in-depth reconnaissance of target organizations in order to craft sophisticated phishing lures aimed at stealing credentials at the first login.

Prevention and security measures against the abuse of OAuth applications

Even before this alert, Microsoft had obtained an injunction to seize the infrastructure of the Vietnamese cybercriminal group known as Storm-1152, which had sold access to approximately 750 million fraudulent Microsoft accounts. This week the company also highlighted the abuse of OAuth applications by various cyber actors to carry out automated financial crimes, including business email compromise, phishing, large-scale spamming, and the illicit use of virtual machines for cryptocurrency mining.


12/16/2023 10:11

Marco Verro
