FlagThis

A new Microsoft 365 phishing-as-a-service platform called ‘FlowerStorm’ has emerged, filling the gap left by the shutdown of the Rockstar2FA cybercrime service. FlowerStorm is a sophisticated service which allows threat actors to create and deploy phishing campaigns specifically targeting Microsoft 365 accounts. This activity shows a clear increase in targeted phishing campaigns aimed at Microsoft users, which could lead to account compromise, data breaches and other associated risks. The sophisticated platform allows threat actors to automate much of the phishing process, increasing their efficiency and reach. This demonstrates the ease with which cybercriminals can set up and deploy complex phishing schemes.

Microsoft’s new AI feature ‘Recall’ for Copilot+ PCs stores screenshots of sensitive data, including credit cards and social security numbers, even when a ‘sensitive information’ filter is enabled. This has raised serious privacy and security concerns among users. This feature takes continuous screenshots of everything a user does. The data is stored locally but sent off to Microsoft’s LLM for analysis. This has prompted an investigation by the UK Information Commissioner’s Office. This incident highlights the potential risks of AI-powered surveillance features and the importance of user privacy.

Oasis Security researchers discovered a critical vulnerability in Microsoft’s Azure Multi-Factor Authentication (MFA) that allows attackers to bypass it, gaining unauthorized access to user accounts across various Microsoft services. This bypass affects Outlook emails, OneDrive files, Teams chats, and Azure Cloud resources. This vulnerability does not have a CVE ID, highlighting the need for immediate patching. The attack exploits a flaw in the authentication process, allowing for complete account takeover without needing valid MFA credentials.

A sophisticated cyber espionage campaign, dubbed ‘Operation Digital Eye,’ targeted business-to-business IT service providers in Southern Europe. Attackers leveraged Visual Studio Code Tunnels and Azure infrastructure for command and control, exploiting the tunnels for stealthy remote access. The campaign lasted approximately three weeks, from late June to mid-July 2024.

The Russian state-sponsored group Secret Blizzard has been found to have hijacked the infrastructure of other hacking groups for its operations, with a recent campaign targeting the Pakistan-based espionage cluster Storm-0156 (also known as SideCopy, Transparent Tribe, or APT36). Secret Blizzard’s actions involved installing backdoors, collecting intelligence, and compromising target devices in regions like South Asia and Ukraine. This sophisticated espionage operation highlights the increasing complexity of cyber threats and the ability of nation-state actors to leverage the resources of other groups for their malicious activities.

A critical zero-day vulnerability impacting all supported Windows versions (7-11 and Server 2008 R2-2022) allows attackers to capture NTLM credentials by simply having a user view a malicious file in Windows Explorer. This vulnerability highlights the ongoing risk posed by zero-day exploits and the importance of robust security patches and awareness programs. The vulnerability’s simple exploit method underlines the necessity for strong security practices and endpoint protection.

This cluster focuses on the emergence of a new phishing-as-a-service (PhaaS) platform called ‘Rockstar 2FA’. It facilitates large-scale adversary-in-the-middle (AiTM) attacks, primarily targeting Microsoft 365 credentials. This highlights the ongoing threat of credential theft and the increasing sophistication of phishing attacks, emphasizing the importance of robust multi-factor authentication (MFA) and security awareness training.

This news cluster focuses on the security implications of Microsoft’s shift towards a subscription-based operating model for PCs, exemplified by their Windows 365 Link. This thin client relies on Azure cloud services, raising concerns regarding data security and privacy. The reliance on cloud services centralizes access points which could create a single point of failure vulnerable to large-scale attacks.

This cluster discusses the arrest of Mikhail Pavlovich Matveev, aka Wazawaka, a notorious ransomware programmer, in Russia. He is known for developing malware and having ties to various hacking groups. This arrest is significant due to his involvement in ransomware attacks. The severity of his crimes and the potential impact of his arrest on the ransomware ecosystem are still emerging.

Microsoft will enforce mandatory multi-factor authentication (MFA) for the Microsoft 365 admin center starting February 2025. All logins must pass an MFA challenge to enhance account security and prevent unauthorized access. This is a significant security enhancement aimed at mitigating the risk of account hijacking. The enforcement of MFA is a crucial step in bolstering the security posture of Microsoft 365 environments. It addresses the growing threat of credential theft and unauthorized access to sensitive administrative functions. By requiring MFA, Microsoft significantly raises the bar for attackers, making it harder for them to gain control of admin accounts.

Attackers are leveraging adversary-in-the-middle (AiTM) attacks to gain unauthorized access to Microsoft networks. This advanced form of business email compromise (BEC) targets user credentials and authentication tokens to bypass multi-factor authentication (MFA). AiTM attacks occur when an attacker intercepts communication between a user and a legitimate service, allowing them to steal credentials and access sensitive information. Once inside, attackers can impersonate legitimate users, access email conversations and documents in the cloud, and divert specific emails. Preventing these attacks requires a layered approach including security defaults, conditional access policies, advanced anti-phishing solutions, and constant monitoring for suspicious activity. Detecting and cleaning up after AiTM attacks requires reviewing logs, interviewing users, and disabling compromised accounts.

A sophisticated phishing campaign has compromised approximately 20,000 Microsoft Azure accounts in Europe, primarily targeting manufacturing companies. The attackers used HubSpot’s Free Form Builder to create deceptive forms and DocuSign files, which were used in phishing emails to steal Microsoft Azure login credentials. This operation spanned from June to September 2024 and mainly affected firms in the automotive, chemical, and industrial sectors in Germany and the UK. The attackers aimed for long-term presence in the Azure cloud environments.

Earth Koshchei, also known as APT29 and Midnight Blizzard, is leveraging red team tools and techniques to compromise RDP servers. The attack methodology involves a combination of an RDP relay, rogue RDP servers and malicious RDP configuration files, redirecting traffic through VPNs, TOR and residential proxies, making detection and mitigation difficult. This sophisticated campaign targets governments, armed forces, think tanks, academic researchers, and Ukrainian entities, leading to potential data leakage and malware installation. The APT group uses spear-phishing emails containing malicious RDP configuration files that redirect traffic to 193 RDP relays.