A new Microsoft 365 phishing service has emerged, so be on your guard
- Researchers said that Rockstar2FA went quiet in November 2024
- But a new PaaS emerged soon afterwards, with partly overlapping infrastructure
- The new PaaS is called FlowerStorm, and it targets Microsoft365 accounts
Cybersecurity researchers from Sophos have warned a new Phishing-as-a-Service (PaaS) tool has emerged, allowing threat actors to easily hunt for people’s Microsoft 365 credentials.
This tool is called FlowerStorm, and it might have emerged from the (defunct) Rockstar2FA, the company revealed, noting how in November, detections for Rockstar2FA have “suddenly gone quiet”.
The organization’s infrastructure was taken offline, at least partly, for reasons yet unknown – but the researchers don’t think this was the work of law enforcement, though.
Long live FlowerStorm?
Rockstar2FA was a PaaS platform designed to bypass two-factor authentication (2FA), primarily targeting Microsoft 365 accounts. It worked by intercepting login processes to steal session cookies, allowing attackers to access accounts without needing credentials or verification codes. Through a simple interface and Telegram integration, threat actors that purchased a license could manage their campaigns in real time.
The new platform, which emerged in the weeks after Rockstar2FA went quiet, was dubbed FlowerStorm by the researchers. Apparently, much of its tools and features overlap with that of Rockstar2FA, which is why Sophos speculates that it could be its (spiritual) successor.
The vast majority of the targets chosen by FlowerStorm users (84%) are located in the United States, Canada, United Kingdom, Australia, and Italy, Sophos added.
Companies in the States were most frequently targeted (60%), followed by Canada (8.96%). Overall, almost all (94%) of FlowerStorm targets were either in North America or Europe, with the rest falling on Singapore, India, Israel, New Zealand, and the United Arab Emirates.
The majority of the victims are in the service industry, namely firms providing engineering, construction, real estate, and legal services and consulting.
Defending against FlowerStorm is the same as against any other phishing attack – using common sense and being careful with incoming emails.
You might also like
Researchers said that Rockstar2FA went quiet in November 2024 But a new PaaS emerged soon afterwards, with partly overlapping infrastructure The new PaaS is called FlowerStorm, and it targets Microsoft365 accounts Cybersecurity researchers from Sophos have warned a new Phishing-as-a-Service (PaaS) tool has emerged, allowing threat actors to easily hunt…
