A new Microsoft 365 phishing service has emerged, so be on the lookout
- Researchers said Rockstar2FA went silent in November 2024
- But shortly afterwards a new PaaS emerged, with partly overlapping infrastructure
- The new PaaS is called FlowerStorm and focuses on Microsoft365 accounts
Cybersecurity researchers from Sophos have warned that a new Phishing-as-a-Service (PaaS) tool has emerged, making it easy for threat actors to prey on people’s Microsoft 365 credentials.
This tool is called FlowerStorm and could have evolved from the (defunct) Rockstar2FA, the company revealed, noting that in November, detections for Rockstar2FA had “suddenly gone silent.”
The organization’s infrastructure was taken offline, at least in part, for unknown reasons, but investigators do not believe this was the work of law enforcement.
Long live Flowerstorm?
Rockstar2FA was a PaaS platform designed to bypass two-factor authentication (2FA) and focused primarily on Microsoft 365 accounts. It worked by intercepting login processes to steal session cookies, allowing attackers to access accounts without needing login credentials or verification codes. Through a simple interface and Telegram integration, threat actors who purchased a license could manage their campaigns in real time.
The researchers named the new platform, which emerged in the weeks after Rockstar2FA shut down, the name FlowerStorm. Apparently many of the tools and features overlap with those of Rockstar2FA, which is why Sophos speculates that it could be its (spiritual) successor.
The vast majority of FlowerStorm users’ chosen audiences (84%) are in the United States, Canada, Great Britain, Australia and Italy, according to Sophos.
Companies in the United States were targeted most often (60%), followed by Canada (8.96%). Overall, almost all (94%) of FlowerStorm targets were in North America or Europe, with the remainder in Singapore, India, Israel, New Zealand and the United Arab Emirates.
The majority of victims are in the service sector, namely companies providing engineering, construction, real estate, legal services and consulting.
Defending against FlowerStorm is the same as against any other phishing attack: use common sense and be careful with incoming emails.