HackMyIP
2026-05-05 The Hacker News

Microsoft Exposes Credential Theft Phishing Targeting 35K Users in 26 Countries

Tags: Phishing, Threat Intel, APT

Microsoft’s Threat Intelligence Center (MSTIC) has released details of a large‑scale credential‑harvesting operation that successfully targeted roughly 35,000 users in 26 countries. The campaign leveraged email lures themed around corporate code‑of‑conduct policies, disguising malicious messages as compliance notifications from trusted organizations. By sending the mails through legitimate email services such as Gmail and Outlook, the attackers evaded many spam filters and increased the likelihood that recipients would trust the content.

The phishing kit employed in the attack mimicked the login pages of popular productivity platforms, including Microsoft 365, Google Workspace, and LinkedIn. These fraudulent pages were hosted on compromised legitimate domains and used open‑redirect tricks to obscure the final destination. Subdomains were registered with reputable cloud‑hosting providers, and the exfiltration of harvested credentials occurred over encrypted HTTPS connections. The threat actors also leveraged dynamic DNS for command‑and‑control communications, allowing them to rapidly rotate infrastructure and avoid blacklisting.

MSTIC attributes the campaign to the financially motivated threat group tracked as Storm‑0539, known for credential theft and subsequent fraud schemes. The targeting focused on finance, healthcare, and technology sectors, with the highest activity recorded between Q3 and Q4 2023. The group’s ability to blend legitimate services with malicious infrastructure underscores the challenge defenders face when differentiating genuine corporate communications from phishing attempts.

Microsoft recommends several mitigations: enforcing multi‑factor authentication (MFA) with hardware security keys, blocking known malicious domains and subdomains, and monitoring for anomalous login patterns indicative of credential stuffing. The company has updated Defender for Office 365 to detect the specific code‑of‑conduct themed lures and malicious URLs associated with this campaign. Indicators of compromise (IOCs) have been shared with the broader security community to help organizations identify and block the attack vectors.
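Two of the behaviours described above, links that bounce through a trusted domain's open redirect and accounts whose sign-ins suddenly arrive from many sources, can be checked mechanically. The following is an added example written for this page; it is not code from Microsoft, MSTIC or The Hacker News. All hostnames, IP addresses, usernames and log lines in it are constructed sample values, and the thresholds (one hour, three IPs, one country) are illustrative assumptions rather than anything the advisory specifies.

```python
"""Added example (not from the article, Microsoft or MSTIC).

1. flag_open_redirects(): flags links whose query string carries a full URL to a
   host other than the link's own, the open-redirect pattern used to hide the
   final phishing page behind a trusted domain.
2. flag_anomalous_logins(): flags accounts whose successful sign-ins within a
   short window come from more distinct IPs or countries than a baseline allows,
   one indicator of credential stuffing / replay of harvested credentials.
All hosts, IPs, users and log lines below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs


def redirect_targets(url):
    """Return hosts of absolute URLs found in `url`'s query parameters that
    differ from the URL's own host (i.e. where a redirect would land)."""
    parsed = urlparse(url)
    own_host = (parsed.hostname or "").lower()
    targets = []
    for values in parse_qs(parsed.query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                host = inner.hostname.lower()
                if host != own_host:
                    targets.append(host)
    return targets


def flag_open_redirects(urls):
    """Return {url: [external hosts]} for links that redirect off their domain."""
    return {u: t for u in urls if (t := redirect_targets(u))}


# Constructed sample links; ".invalid" is a reserved TLD, so nothing resolves.
SAMPLE_URLS = [
    "https://trusted-example.com/policy/code-of-conduct.pdf",
    "https://trusted-example.com/redirect?url=https%3A%2F%2Fsignin-example.invalid%2Flogin",
    "https://trusted-example.com/go?next=/intranet/home",
]

# Constructed sign-in log: "<iso timestamp> <user> <source ip> <country> <result>"
SAMPLE_LOG = """\
2023-10-02T08:01:00 alice 203.0.113.10 US success
2023-10-02T08:03:00 alice 198.51.100.7 NL success
2023-10-02T08:04:00 bob 203.0.113.44 US fail
2023-10-02T09:00:00 bob 203.0.113.44 US success
2023-10-02T14:00:00 carol 192.0.2.5 US success
2023-10-02T14:05:00 carol 192.0.2.6 US success
2023-10-02T14:10:00 carol 192.0.2.7 US success
2023-10-02T14:12:00 carol 192.0.2.8 US success
""".splitlines()


def parse_signin_log(lines):
    """Parse the constructed log format into (timestamp, user, ip, country, result)."""
    events = []
    for line in lines:
        ts, user, ip, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, country, result))
    return events


def flag_anomalous_logins(events, window=timedelta(hours=1), max_ips=3, max_countries=1):
    """Return the set of users whose successful sign-ins inside any `window`
    span more than `max_ips` distinct IPs or more than `max_countries` countries.
    Thresholds are assumptions; tune them to the organisation's baseline."""
    by_user = defaultdict(list)
    for ts, user, ip, country, result in events:
        if result == "success":
            by_user[user].append((ts, ip, country))
    flagged = set()
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            ips = {e[1] for e in in_window}
            countries = {e[2] for e in in_window}
            if len(ips) > max_ips or len(countries) > max_countries:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    print("open redirects:", flag_open_redirects(SAMPLE_URLS))
    print("anomalous sign-ins:", flag_anomalous_logins(parse_signin_log(SAMPLE_LOG)))
```

On the sample data the second link is flagged because its `url` parameter points at an outside host, while the relative `next=/intranet/home` link is not; `alice` is flagged for two countries inside an hour and `carol` for four distinct source IPs, whereas `bob`'s single failed attempt followed by a success from the same address stays below the thresholds. The redirect check is meant to run over links extracted from inbound mail or proxy logs; the sign-in check over identity-provider audit events, alongside, not instead of, phishing-resistant MFA.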

Source: The Hacker News
