A rising cyber threat known as Storm-0539 poses a significant risk to consumers and retailers, especially during this holiday season. This emerging threat campaign specialises in gift card fraud and theft carried out through highly sophisticated email and SMS phishing attacks. Microsoft has tracked Storm-0539 for some time and has detailed the severity of the threat.
Based on reports, the primary objective of Storm-0539 is to distribute malicious links that lure unsuspecting victims into adversary-in-the-middle phishing pages. These pages could harvest sensitive information, including credentials and session tokens.
Once the campaign operators obtain initial access, they take the next step of their attack by registering a device they control for secondary authentication, bypassing Multi-Factor Authentication (MFA) protections. With the identity fully compromised, this technique allows the attackers to establish persistence in the compromised environment.
Storm-0539 uses this persistence to escalate privileges: a foothold on a compromised device can give the operators elevated privileges within the network. From there, the campaign moves laterally, accessing cloud resources and targeting gift card-related services to carry out fraud.
Furthermore, Storm-0539 engages in extensive reconnaissance of its targets, harvesting emails, contact lists, and network configurations for subsequent attacks. This campaign shows the importance of robust credential hygiene practices for organisations defending against such activity.
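The chain described above (session tokens harvested by an adversary-in-the-middle page, followed by a new authentication method being registered on the stolen identity) leaves a detectable pattern in identity-provider logs: an MFA or device registration that closely follows a sign-in from a location the account has never used. The script below is an added example written for this article, not Microsoft's detection logic or any tool the article mentions. The event records, field names (`type`, `ip`, `country`), the registration event names and the one-hour window are constructed assumptions; map them onto the sign-in and audit log schema of your own identity provider.

```python
"""Flag an MFA/device registration that closely follows a sign-in from an
IP address or country never before seen for that account.

Added example, not Microsoft's detection logic. All event records, field
names and the time window are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article or any real tenant).
# Alice signs in twice from her usual GB address, then a sign-in from a new
# address in a new country is followed eight minutes later by a new
# authentication method being registered. Bob registers a method from his
# usual address two days after his last sign-in, which is benign here.
EVENTS = [
    {"time": "2023-12-01T08:02:00", "user": "alice@example.com", "type": "signin", "ip": "198.51.100.10", "country": "GB"},
    {"time": "2023-12-02T08:10:00", "user": "alice@example.com", "type": "signin", "ip": "198.51.100.10", "country": "GB"},
    {"time": "2023-12-04T13:41:00", "user": "alice@example.com", "type": "signin", "ip": "203.0.113.77", "country": "NL"},
    {"time": "2023-12-04T13:49:00", "user": "alice@example.com", "type": "register_auth_method", "ip": "203.0.113.77", "country": "NL"},
    {"time": "2023-12-03T09:00:00", "user": "bob@example.com", "type": "signin", "ip": "192.0.2.5", "country": "GB"},
    {"time": "2023-12-05T09:15:00", "user": "bob@example.com", "type": "register_auth_method", "ip": "192.0.2.5", "country": "GB"},
]

# Assumed event type names for "new MFA method" and "new device" registrations.
REGISTRATION_TYPES = {"register_auth_method", "register_device"}
WINDOW = timedelta(hours=1)  # constructed threshold; tune to your environment


def parse(event):
    """Return a copy of the event with its ISO-8601 timestamp parsed."""
    return {**event, "time": datetime.fromisoformat(event["time"])}


def find_suspicious_registrations(events, window=WINDOW):
    """Return one alert per registration event that happens within `window`
    of a sign-in from an IP or country the account had never used before.

    Events are processed in time order, so "never used before" means not seen
    in any earlier sign-in for that user. A user's very first sign-in is
    treated as baseline rather than as novel.
    """
    ordered = sorted((parse(e) for e in events), key=lambda e: e["time"])
    seen_ips = defaultdict(set)
    seen_countries = defaultdict(set)
    last_novel_signin = {}  # user -> most recent sign-in from a novel ip/country
    alerts = []

    for ev in ordered:
        user = ev["user"]
        if ev["type"] == "signin":
            novel = (ev["ip"] not in seen_ips[user]
                     or ev["country"] not in seen_countries[user])
            if novel and seen_ips[user]:  # skip the first-ever sign-in
                last_novel_signin[user] = ev
            seen_ips[user].add(ev["ip"])
            seen_countries[user].add(ev["country"])
        elif ev["type"] in REGISTRATION_TYPES:
            signin = last_novel_signin.get(user)
            if signin is None:
                continue
            delta = ev["time"] - signin["time"]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": user,
                    "registration_type": ev["type"],
                    "registration_time": ev["time"].isoformat(),
                    "signin_ip": signin["ip"],
                    "signin_country": signin["country"],
                    "minutes_since_signin": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_registrations(EVENTS):
        print(alert)
```

Run stand-alone, the script reports only Alice's registration: a new authentication method added eight minutes after a sign-in from an address and country her account had never used. Bob's registration from his usual address is not flagged. In production the same correlation would be run over the identity provider's real sign-in and audit streams, and a hit would be a reason to revoke the account's sessions and review its registered authentication methods.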
The group has been active since at least 2021. It is a financially motivated threat actor with deep expertise in cloud providers, leveraging resources from the target organisation's cloud services for its post-compromise activity.
News of this operation follows Microsoft's recent legal action against Storm-1152, a Vietnamese cybercriminal group that sold access to approximately 750 million fraudulent Microsoft accounts and identity verification bypass tools.
Microsoft also highlighted the broader trend of threat actors that leverage OAuth applications to automate financially motivated cybercriminal operations, including business email compromise (BEC), phishing, large-scale spamming campaigns, and illicit cryptomining using virtual machines.
As the holiday shopping season approaches, the Storm-0539 campaign should remind individuals and organisations to remain vigilant and employ robust cybersecurity measures to protect assets and data against evolving threats.