CyberSecurity updates
2025-01-30 22:06:31 Pacific

Ransomware Groups Exploit Microsoft Office 365 - 5d

Two ransomware groups, tracked as STAC5143 and STAC5777, are actively exploiting Microsoft 365 services and default settings to gain access to internal enterprise users. These groups are using their own Microsoft 365 tenants to target organizations, underscoring significant security risks. These attacks highlight the need for enhanced security measures on the Microsoft 365 platform to defend against ransomware.

Microsoft Patches Windows Server and Office Crashes - 9d

Microsoft has addressed multiple issues with its software. A bug was fixed that caused Windows Server 2022 systems with two or more NUMA nodes to fail to start up, requiring the out-of-band update KB5052819. Additionally, Microsoft resolved problems that were causing Microsoft 365 apps and Classic Outlook to crash on Windows Server 2016 and 2019 systems; these crashes were caused by a recent Office update that integrated the React Native framework. These fixes aim to restore stability and functionality to affected systems.

New Phishing Kit Bypasses Microsoft 365 2FA - 11d

A new ‘Sneaky 2FA’ phishing kit is targeting Microsoft 365 accounts, using an Adversary-in-the-Middle (AiTM) technique to bypass 2FA. The kit uses compromised WordPress sites and other domains to host phishing pages that collect credentials and 2FA codes. It has been linked to the W3LL Panel OV6 phishing kit, indicating a larger threat landscape for Microsoft 365 users. Because the phishing page relays the login in real time, the method can intercept both user credentials and the resulting session cookies.

FastHTTP Used in High-Speed Microsoft 365 Attacks - 13d

Attackers are using the FastHTTP library in Go to perform high-speed brute-force password attacks against Microsoft 365 accounts globally. The attacks are characterized by a large volume of HTTP requests aimed at Azure Active Directory authentication endpoints. This technique shows how high-performance HTTP libraries can be abused to conduct rapid credential-based attacks.

Windows Server 2022 Boot Issues Fixed - 8d

Microsoft has released an update for Windows Server 2022 to address boot issues that may occur on systems with two or more NUMA nodes. The update, KB5052819, resolves a problem that prevented these systems from booting correctly. Additionally, Microsoft confirmed issues with the SgrmBroker service after the January 2025 update, affecting Windows 10 and Windows Server 2022 systems; an out-of-band update was released to fix these issues.

MS365 Exploited in PayPal Phishing Scheme - 19d

A sophisticated phishing campaign is exploiting Microsoft 365 to target PayPal users. Attackers register free Microsoft 365 test domains and create distribution lists that send authentic-looking PayPal money requests. Because the requests are generated by genuine PayPal features and relayed through a legitimate Microsoft 365 tenant, they bypass traditional email protections, increasing the scam’s success rate and deceiving victims into revealing their credentials. This is not a new vulnerability but a new abuse of a legitimate feature.

FlowerStorm platform targets Microsoft 365 accounts - 8d

A new Microsoft 365 phishing-as-a-service platform called ‘FlowerStorm’ has emerged, filling the gap left by the shutdown of the Rockstar2FA cybercrime service. FlowerStorm allows threat actors to create and deploy phishing campaigns specifically targeting Microsoft 365 accounts, automating much of the phishing process and increasing their efficiency and reach. This activity shows a clear increase in targeted phishing campaigns aimed at Microsoft users, which could lead to account compromise, data breaches and other associated risks, and demonstrates the ease with which cybercriminals can set up and deploy complex phishing schemes.

Rockstar 2FA Phishing-as-a-Service Platform Targets Microsoft 365 - 20h

This cluster focuses on the emergence of a new phishing-as-a-service (PhaaS) platform called ‘Rockstar 2FA’. It facilitates large-scale adversary-in-the-middle (AiTM) attacks, primarily targeting Microsoft 365 credentials. This highlights the ongoing threat of credential theft and the increasing sophistication of phishing attacks, emphasizing the importance of phishing-resistant multi-factor authentication (MFA) and security awareness training.

Microsoft 365 Link and Azure Cloud Security Concerns - 3d

This news cluster focuses on the security implications of Microsoft’s shift towards a subscription-based operating model for PCs, exemplified by its Windows 365 Link. This thin client relies on Azure cloud services, raising concerns regarding data security and privacy. Relying on cloud services centralizes access points, which could create a single point of failure vulnerable to large-scale attacks.

Mandatory MFA for Microsoft 365 Admin Center - 12d

Microsoft will enforce mandatory multi-factor authentication (MFA) for the Microsoft 365 admin center starting February 2025. All logins must pass an MFA challenge, to enhance account security and prevent unauthorized access. This is a significant security enhancement aimed at mitigating the risk of account hijacking and addresses the growing threat of credential theft and unauthorized access to sensitive administrative functions. By requiring MFA, Microsoft significantly raises the bar for attackers, making it harder for them to gain control of admin accounts.