
CodeStorm Phishing Campaign Targets M365 Tenants through Token Reuse and Replay Attacks


CodeStorm Phishing Campaign Targeting Microsoft 365: An In-Depth Analysis

A large multi-organization phishing campaign attributed to the CodeStorm group is actively targeting Microsoft 365 users. It relies on an adversary-in-the-middle (AiTM) phishing kit with a tenant-aware mechanism that tailors the lure to the victim's tenant, which makes the pages harder for defenders to recognize. The kit rotates its frontends and replays captured input from its back end, yet every variant talks to the same controller path: /google.php.

One of the more insidious tactics employed by CodeStorm is what is referred to as "conversation stuffing." While many human recipients of phishing emails do not scroll through the entire content, automated secure email gateways tend to do so. The kit cleverly incorporates a large, irrelevant historical conversation below a block of whitespace, a maneuver that effectively misclassifies the phishing attempt as a low-risk thread hijack instead of an outright phishing lure. This misclassification results in lowered detection scores, facilitating greater success for attackers.

Architecturally, the kit separates the parts that scale from the fixed protocol: the frontends use many top-level domains (TLDs) and randomized hostnames, while the controller behind them stays the same. Victim identities are encoded in query parameters or URL fragments. Because a fragment is never sent to the server, placing the identity there keeps it out of server-side logs and much telemetry, which complicates detection for defenders who rely on a single parameter pattern.

According to a report by cybersecurity analysts at ZeroBEC, the CodeStorm campaign has also been observed using voicemail-themed email lures. These emails not only mislead recipients but also incorporate historical threads to create an illusory sense of legitimacy. When targets interact with the phishing email, they are led to an initial obfuscated HTML page that enforces a Cloudflare Turnstile challenge. This page actively blocks analysis tools and implements a debugger timing trap designed to redirect any inquisitive analysts to a legitimate Microsoft encryption URL if the page is under scrutiny.

Once the Turnstile check passes, the victim is sent to a second-stage bootstrapper, named bootstrappp.min.js, hosted on a third-party object storage service. This stage consistently points to the same back-end controller at /google.php. Static and runtime analysis revealed a compact action contract with several stages: checking the identity, logging in to submit credentials, verifying the identity to trigger multi-factor authentication (MFA) workflows, and relaying MFA codes back to the attackers.

Importantly, the do=check action imitates Microsoft's home-realm discovery, returning routing information tailored to the victim's identity configuration, such as a managed M365 account or a federated tenant. This targeted approach poses a distinct challenge: the phishing user interface is customized to match the victim's actual identity configuration, avoiding the one-size-fits-all fake login page of earlier phishing kits.

The back end does not merely harvest credentials; it replays them against Microsoft in real time. In test scenarios run by ZeroBEC, credentials submitted through the phishing interface produced Microsoft's ordinary error responses, and the attempts appeared almost immediately in the victim tenant's Entra logs.

Defensively, organizations should shift their detection strategy from static domain monitoring alone to protocol-level indicators. Key signals include cross-site POST requests to /google.php carrying the kit's action parameters, Cloudflare Turnstile on landing pages, and evasive JavaScript patterns such as debugger timing traps. Security teams should also correlate phishing-click events with unusual OfficeHome sign-in failures or MFA prompts from atypical geographies.
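The two detections recommended above, as an added example that is not part of the original article or of ZeroBEC's tooling: it flags cross-site POSTs to the /google.php controller path in constructed proxy log lines and correlates each with an OfficeHome sign-in failure for the same user in constructed Entra sign-in entries. Only do=check is named in the article; the other action values, the log formats, the hostnames and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

CONTROLLER_PATH = "/google.php"
# Only do=check is named in the report; the other action values are assumed for illustration.
ACTIONS_OF_INTEREST = {"check", "login", "verify", "relay"}

# Constructed sample proxy log lines (not from the report): time method url referer user
PROXY_LOG = """\
2024-05-01T09:12:03Z POST https://cdn-a1.phish-example.top/google.php?do=check referer=https://notice.phish-example.shop/ user=alice@corp.example
2024-05-01T09:12:40Z POST https://cdn-a1.phish-example.top/google.php?do=login referer=https://notice.phish-example.shop/ user=alice@corp.example
2024-05-01T09:14:00Z POST https://intranet.corp.example/google.php?do=check referer=https://intranet.corp.example/ user=carol@corp.example
2024-05-01T09:15:00Z GET https://login.microsoftonline.com/common/oauth2/authorize referer=https://outlook.office.com/ user=bob@corp.example
"""
# Constructed sample Entra sign-in entries (not from the report): time user application result
ENTRA_LOG = """\
2024-05-01T09:13:10Z alice@corp.example OfficeHome FAILURE
2024-05-01T09:40:00Z bob@corp.example OfficeHome SUCCESS
"""
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) referer=(\S+) user=(\S+)$")

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_controller_posts(log_text):
    """Cross-site POSTs to the controller path that carry a do= action of interest."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, method, url, referer, user = m.groups()
        u = urlsplit(url)
        action = parse_qs(u.query).get("do", [None])[0]
        if method != "POST" or u.path != CONTROLLER_PATH or action not in ACTIONS_OF_INTEREST:
            continue
        if u.netloc == urlsplit(referer).netloc:  # same-site POST: not the cross-site pattern
            continue
        hits.append({"time": parse_ts(ts), "user": user, "action": action, "host": u.netloc})
    return hits

def correlate_with_signin_failures(hits, entra_text, window=timedelta(minutes=15)):
    """Pair each controller POST with an OfficeHome sign-in failure for the same user soon after."""
    failures = [(parse_ts(t), u) for t, u, app, res in (l.split() for l in entra_text.splitlines())
                if app == "OfficeHome" and res == "FAILURE"]
    alerts = {(h["user"], h["action"], h["host"]) for h in hits
              for ft, fu in failures if fu == h["user"] and timedelta(0) <= ft - h["time"] <= window}
    return sorted(alerts)
```

The same-site POST from the intranet host and the ordinary Microsoft sign-in are dropped, so only the two posts from alice's session are paired with her OfficeHome failure.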

Given the sophistication and targeted nature of this campaign, public analysis remains crucial. Important context can be derived from other reports on CodeStorm, Microsoft’s Tycoon2FA research, and various analyses from cybersecurity firms such as Sekoia and Darktrace. Contextual mapping of the attack vectors can aid in enhancing the defensive posture against such well-orchestrated phishing endeavors.

This detailed understanding of the CodeStorm phishing campaign highlights the evolving landscape of cyber threats, necessitating ongoing education and vigilance among users and organizations alike. Cybersecurity is an ever-changing field, and as attackers refine their techniques, defenders must adapt to keep pace.
