A sophisticated CodeStorm phishing attack is redefining how adversaries exploit trust in cloud ecosystems. Security researchers have uncovered a campaign abusing compromised Microsoft 365 (M365) accounts to launch highly convincing phishing operations at scale.
Instead of relying on newly registered domains or spoofed infrastructure, attackers are leveraging legitimate M365 identities as trusted senders. This tactic allows phishing emails to slip past traditional email defenses, dramatically increasing the likelihood of user interaction and credential compromise.
Key Details
The campaign begins with a carefully crafted voicemail notification email that closely mimics legitimate Microsoft communications. The message includes realistic elements such as call duration, reference IDs, and a branded “OPEN VOICEMAIL PORTAL” button.
The real innovation, however, lies beneath the surface. Attackers append a large block of hidden, unrelated email-thread content to the message. The padding is there to steer secure email gateways and AI-based filters into scoring the email as part of an ongoing business conversation rather than as a phishing attempt.
Threat intelligence firm ZeroBEC identified a major evolution in the CodeStorm toolkit: tenant-aware Microsoft 365 credential replay. This capability enables attackers not only to harvest credentials but also to validate them in real time against Microsoft Entra ID infrastructure.
Technical Analysis
The CodeStorm phishing framework demonstrates a layered, evasive design that blends social engineering with cloud-native attack techniques.
Multi-Stage Phishing Workflow
Once a victim clicks the phishing link, they are redirected to a landing page protected by a Cloudflare Turnstile challenge, which stops most automated URL scanners and sandboxes before they ever reach the phishing content.
The page employs additional anti-analysis defenses, including:
- Detection of browser developer tools
- Timing analysis of debugger execution
- Identification of automation frameworks
If any of these checks trips, the visitor is redirected to a legitimate Microsoft domain, so an analyst or sandbox that follows the link sees only benign content.
Credential Replay and MFA Abuse
A key differentiator of this campaign is its real-time credential replay mechanism:
- Stolen credentials are immediately submitted to Microsoft Entra ID
- The kit drives a real Entra ID login flow with the victim's input, so genuine authentication events are recorded in the target tenant
- It handles the MFA step the real login demands, with support for push notifications, SMS OTPs, voice calls, and recovery codes
Because the replay hits the real Entra ID endpoint, a mistyped password produces a genuine AADSTS50126 (invalid username or password) event in the tenant's sign-in log. In isolation that event looks like an ordinary user typo; only the source IP, user agent, and timing around it give the replay away.
Infrastructure and Communication Flow
The backend infrastructure uses a modular design with specific actions:
- do=check → identity discovery
- do=login → credential submission
- do=verify → MFA triggering
While frontend phishing domains rotate frequently, the backend remains stable via the /google.php endpoint. Attackers also abuse trusted redirect services such as Google and AWS to evade URL filtering.
Email Authentication Abuse
Because the emails are sent by the compromised account through its own tenant, they pass all three sender-authentication checks:
- SPF (Sender Policy Framework)
- DKIM (DomainKeys Identified Mail)
- DMARC (Domain-based Message Authentication)
SPF, DKIM, and DMARC establish only that a message genuinely came from the domain it claims; they say nothing about whether the account that sent it is still under its owner's control. The phishing emails therefore arrive with clean authentication results and a high rate of inbox placement.
Impact and Risks
The implications of the CodeStorm campaign are significant, particularly for enterprises heavily reliant on Microsoft 365.
Key Risks Include:
- Credential compromise leading to account takeover
- MFA fatigue or bypass through repeated authentication prompts
- Unauthorized access to sensitive data in email and cloud storage
- Lateral movement within enterprise environments
- Persistent access through OAuth grants and mailbox rules
Additionally, replay attempts originating from attacker-controlled infrastructure may appear as legitimate login failures from unfamiliar geographic locations, complicating incident response efforts.
Expert Recommendations
Defending against this advanced phishing campaign requires a multi-layered strategy.
Email Security Enhancements
- Flag self-addressed messages, where the From, To, and Return-Path headers all name the same mailbox (the person who actually received the message is then not the one listed in To)
- Detect hidden content or abnormal email thread injections
- Deploy advanced phishing detection with behavioral analysis
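As an added example (code written for this page, not from the report or from ZeroBEC), the following Python applies the two header and content checks above to a raw message: it flags messages whose From, To, and Return-Path all resolve to the same mailbox, and it measures how much of the HTML body is rendered invisible by inline styles, which is how an appended, unrelated thread stays out of sight. Both sample messages are constructed for illustration; the 50% threshold and the list of hiding styles are assumptions to tune against your own mail flow.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample, not a message from the campaign: a voicemail lure that the
# compromised mailbox sends to itself, with a hidden block of unrelated thread
# text appended after the visible lure.
HIDDEN_THREAD = "\n".join(
    f"On Tue, Mark wrote: re Q3 reconciliation, line {i} of an unrelated thread"
    for i in range(60)
)

LURE_RAW = f"""From: "Finance Team" <finance@contoso.example>
To: finance@contoso.example
Return-Path: <finance@contoso.example>
Subject: New voicemail (00:42)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a new voicemail. Duration: 00:42. Ref: VM-20481</p>
<p><a href="https://vm-portal-8821.example.net/">OPEN VOICEMAIL PORTAL</a></p>
<div style="display:none; font-size:0px">
{HIDDEN_THREAD}
</div>
</body></html>
"""

# A normal message for comparison: different recipient, nothing hidden.
CLEAN_RAW = """From: "Finance Team" <finance@contoso.example>
To: alice@contoso.example
Return-Path: <finance@contoso.example>
Subject: Q3 reconciliation
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alice, the Q3 numbers are attached. Thanks!</p></body></html>
"""

# Inline styles commonly used to keep padding text out of sight (assumed list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I
)
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input"}


class _HiddenTextCounter(HTMLParser):
    """Counts text characters inside hidden elements versus visible ones."""

    def __init__(self):
        super().__init__()
        self._stack = []  # one flag per open element: is it (or an ancestor) hidden?
        self.hidden = 0
        self.visible = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = self._stack[-1] if self._stack else False
        self._stack.append(inherited or bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        n = len(data.strip())
        if n == 0:
            return
        if self._stack and self._stack[-1]:
            self.hidden += n
        else:
            self.visible += n


def hidden_text_ratio(html: str) -> float:
    """Fraction of body text that is rendered invisible (0.0 when nothing is hidden)."""
    counter = _HiddenTextCounter()
    counter.feed(html)
    total = counter.hidden + counter.visible
    return counter.hidden / total if total else 0.0


def is_self_addressed(msg) -> bool:
    """True when From, To and Return-Path all resolve to the same mailbox."""
    addrs = [parseaddr(str(msg.get(h, "")))[1].lower() for h in ("From", "To", "Return-Path")]
    return bool(addrs[0]) and addrs[0] == addrs[1] == addrs[2]


def analyse(raw: str, hidden_threshold: float = 0.5) -> dict:
    """Run both checks over a raw RFC 5322 message and return the verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    ratio = hidden_text_ratio(html)
    self_addressed = is_self_addressed(msg)
    return {
        "self_addressed": self_addressed,
        "hidden_text_ratio": round(ratio, 3),
        "suspicious": self_addressed or ratio >= hidden_threshold,
    }


if __name__ == "__main__":
    for name, raw in (("lure", LURE_RAW), ("clean", CLEAN_RAW)):
        print(name, analyse(raw))
```

The ratio is deliberately computed on rendered text rather than on raw HTML size, because legitimate marketing mail carries a lot of invisible markup; what is unusual is a body whose invisible prose outweighs what the recipient can see.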
Identity and Access Monitoring
- Track Entra ID sign-in logs for clusters of error 50126 (invalid username or password) from a single external IP across several users; that pattern separates a replaying backend from individual typos
- Correlate sign-in attempts, successful or not, with phishing click events in the minutes before them
- Identify sign-ins and failures from IP addresses and locations the user has never used before, including the infrastructure performing the replay
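The following Python is an added detection example, not tooling from the report or from any vendor: it runs the identity checks above over a handful of constructed Entra ID sign-in records and lure-click events. The corporate egress range, the thresholds, and the trimmed log field names are assumptions; the same logic would normally run as a query over the sign-in logs exported to your SIEM.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed known corporate egress range (documentation prefix). Attempts from here
# are treated as the user's own, so a typo from the office is not counted.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed records in the shape of Entra ID sign-in log entries, trimmed to
# the fields used here. 198.51.100.23 plays the kit backend doing the replay.
SIGNIN_LOGS = [
    {"createdDateTime": "2024-05-06T09:00:05+00:00", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "errorCode": 50126},
    {"createdDateTime": "2024-05-06T09:00:20+00:00", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "errorCode": 0},
    {"createdDateTime": "2024-05-06T09:41:10+00:00", "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.23", "errorCode": 50126},
    {"createdDateTime": "2024-05-06T09:41:25+00:00", "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.23", "errorCode": 0},
    {"createdDateTime": "2024-05-06T09:43:02+00:00", "userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.23", "errorCode": 50126},
    {"createdDateTime": "2024-05-06T09:44:50+00:00", "userPrincipalName": "dave@contoso.example", "ipAddress": "198.51.100.23", "errorCode": 50126},
    {"createdDateTime": "2024-05-06T09:45:30+00:00", "userPrincipalName": "dave@contoso.example", "ipAddress": "198.51.100.23", "errorCode": 50126},
]

# Constructed click events on the lure URL, as an email-security or proxy product would log them.
CLICK_EVENTS = [
    {"userPrincipalName": "bob@contoso.example", "time": "2024-05-06T09:40:30+00:00"},
    {"userPrincipalName": "carol@contoso.example", "time": "2024-05-06T09:42:40+00:00"},
    {"userPrincipalName": "dave@contoso.example", "time": "2024-05-06T09:44:10+00:00"},
]

INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"])


def _is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def detect_replay(logs, window=timedelta(minutes=30), min_users=3):
    """Two signals that separate replay from ordinary typos, both keyed on a
    non-corporate source IP: 50126 for several different users inside one window
    (one backend replaying many victims), and a 50126 followed by a success for
    the same user from that IP (the kit relayed the victim's corrected attempt)."""
    by_ip = defaultdict(list)
    for rec in sorted(logs, key=_ts):
        if not _is_corporate(rec["ipAddress"]):
            by_ip[rec["ipAddress"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        fails = [r for r in recs if r["errorCode"] == INVALID_CREDENTIALS]
        for i, first in enumerate(fails):
            users = {f["userPrincipalName"] for f in fails[i:] if _ts(f) - _ts(first) <= window}
            if len(users) >= min_users:
                findings.append({"type": "multi_user_50126", "ip": ip, "users": sorted(users)})
                break
        for rec in recs:
            if rec["errorCode"] != 0:
                continue
            user = rec["userPrincipalName"]
            if any(f["userPrincipalName"] == user and timedelta(0) <= _ts(rec) - _ts(f) <= window
                   for f in fails):
                findings.append({"type": "fail_then_success", "ip": ip, "user": user})
    return findings


def correlate_clicks(logs, clicks, window=timedelta(minutes=10)):
    """For each lure click, the first sign-in attempt for that user from a
    non-corporate IP within `window` after the click: the replay of what the victim typed."""
    hits = []
    ordered = sorted(logs, key=_ts)
    for click in clicks:
        t0 = datetime.fromisoformat(click["time"])
        user = click["userPrincipalName"]
        for rec in ordered:
            if (rec["userPrincipalName"] == user and t0 <= _ts(rec) <= t0 + window
                    and not _is_corporate(rec["ipAddress"])):
                hits.append({"user": user, "ip": rec["ipAddress"],
                             "seconds_after_click": int((_ts(rec) - t0).total_seconds())})
                break
    return hits


if __name__ == "__main__":
    for finding in detect_replay(SIGNIN_LOGS) + correlate_clicks(SIGNIN_LOGS, CLICK_EVENTS):
        print(finding)
```

Alice's typo from the office never surfaces, which is the point: a 50126 on its own is noise, and it becomes a signal only when the source address is shared by several users' failures or sits a few seconds behind a click on the lure.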
Network and Endpoint Detection
- Flag suspicious POST requests to endpoints like /google.php
- Monitor abnormal traffic patterns linked to phishing kits
- Inspect payloads like obfuscated JavaScript (e.g., bootstrappp.min.js)
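As an added example (code written for this page, not the kit or any product's detection), here is a stateful check over constructed proxy log lines that rebuilds, per client, the do=check, do=login, do=verify progression against a /google.php backend and records whether bootstrappp.min.js was fetched. The log format is a simplified "timestamp client method url status", and the check assumes the do= action is visible in the logged URL; the page does not say whether the kit sends it in the query string or the form body, so adapt the extraction to what your proxy actually records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log. 10.20.30.41 goes through the whole kit; 10.20.30.77 loads
# the landing page and its script, then is bounced to a real Microsoft domain
# (the anti-analysis redirect); 10.20.30.90 is unrelated traffic.
SAMPLE_PROXY_LOG = """
2024-05-06T09:40:31+00:00 10.20.30.41 GET https://vm-portal-8821.example.net/ 200
2024-05-06T09:40:34+00:00 10.20.30.41 GET https://vm-portal-8821.example.net/assets/bootstrappp.min.js 200
2024-05-06T09:40:52+00:00 10.20.30.41 POST https://api-relay-203.example.org/google.php?do=check 200
2024-05-06T09:41:09+00:00 10.20.30.41 POST https://api-relay-203.example.org/google.php?do=login 200
2024-05-06T09:41:40+00:00 10.20.30.41 POST https://api-relay-203.example.org/google.php?do=verify 200
2024-05-06T09:52:10+00:00 10.20.30.77 GET https://vm-portal-8821.example.net/ 200
2024-05-06T09:52:12+00:00 10.20.30.77 GET https://vm-portal-8821.example.net/assets/bootstrappp.min.js 200
2024-05-06T09:52:15+00:00 10.20.30.77 GET https://login.microsoftonline.com/ 200
2024-05-06T09:55:00+00:00 10.20.30.90 GET https://www.google.com/ 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
KIT_ACTIONS = ("check", "login", "verify")  # identity discovery, credential submission, MFA trigger
KIT_SCRIPT = "bootstrappp.min.js"


def parse_line(line: str):
    """One log line to a record, or None for blank/malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "client": m["client"],
            "method": m["method"], "url": m["url"], "status": int(m["status"])}


def kit_action(rec):
    """The do= action when the request is a POST to a /google.php endpoint, else None."""
    parts = urlsplit(rec["url"])
    if rec["method"] != "POST" or not parts.path.endswith("/google.php"):
        return None
    action = parse_qs(parts.query).get("do", [None])[0]
    return action if action in KIT_ACTIONS else None


def _in_order(seen, wanted):
    """True when every item of `wanted` occurs in `seen` in that order (gaps allowed)."""
    it = iter(seen)
    return all(any(item == w for item in it) for w in wanted)


def detect_kit_sessions(lines, window=timedelta(minutes=15)):
    """Per client: the backend it posted to, the actions seen, how far the victim
    got (credentials entered, MFA prompted), and whether the kit's script loaded."""
    recs = [r for r in map(parse_line, lines) if r]
    by_client = defaultdict(list)
    for rec in sorted(recs, key=lambda r: r["ts"]):
        by_client[rec["client"]].append(rec)
    findings = []
    for client, client_recs in by_client.items():
        script_seen = any(urlsplit(r["url"]).path.endswith(KIT_SCRIPT) for r in client_recs)
        stages = defaultdict(list)  # backend host -> [(ts, action)]
        for rec in client_recs:
            action = kit_action(rec)
            if action:
                stages[urlsplit(rec["url"]).hostname].append((rec["ts"], action))
        for backend, seq in stages.items():
            actions = [a for _, a in seq]
            within = seq[-1][0] - seq[0][0] <= window
            findings.append({"client": client, "backend": backend, "actions": actions,
                             "kit_script_seen": script_seen,
                             "credentials_submitted": "login" in actions,
                             "mfa_prompted": within and _in_order(actions, KIT_ACTIONS)})
        if not stages and script_seen:
            findings.append({"client": client, "backend": None, "actions": [],
                             "kit_script_seen": True, "credentials_submitted": False,
                             "mfa_prompted": False})
    return findings


if __name__ == "__main__":
    for finding in detect_kit_sessions(SAMPLE_PROXY_LOG.splitlines()):
        print(finding)
```

Keying the sequence on the client rather than on the frontend domain matters here because the lure domains rotate while the backend endpoint stays put: a client that reaches do=login has handed over a password, and one that reaches do=verify has been asked for a second factor, whichever landing page it came from.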
Strengthening MFA and User Awareness
- Implement phishing-resistant authentication methods (FIDO2, passkeys)
- Educate users about voicemail phishing lures
- Reduce push-fatigue abuse by enabling number matching in Microsoft Authenticator and by using Conditional Access policies (for example, requiring a compliant device or blocking sign-ins from unexpected locations) so that a replayed password from attacker infrastructure never reaches the MFA prompt
Industry Context
The CodeStorm campaign reflects a broader evolution in phishing tactics toward identity-centric attacks. As organizations strengthen perimeter defenses, attackers are shifting focus to exploiting trusted identities and cloud authentication workflows.
This trend mirrors the rise of:
- Business Email Compromise (BEC) campaigns using legitimate accounts
- Adversary-in-the-middle (AiTM) phishing kits targeting session tokens
- Cloud-native attack techniques leveraging APIs and identity infrastructure
The use of real accounts combined with anti-detection mechanisms and credential replay represents a new generation of phishing operations designed to outpace conventional defenses.
Conclusion
The CodeStorm phishing attack highlights a critical shift in cyber threats—one that prioritizes trust abuse over infrastructure deception. By weaponizing legitimate Microsoft 365 accounts and integrating real-time credential replay, attackers have significantly raised the bar for phishing sophistication.
Organizations must move beyond traditional filtering and adopt identity-focused detection strategies to stay ahead. In this evolving threat landscape, visibility into authentication behavior and user activity is no longer optional—it is essential.
FAQ
What is the CodeStorm phishing attack?
CodeStorm is an advanced phishing campaign that uses compromised Microsoft 365 accounts and credential replay techniques to steal user credentials and bypass traditional defenses.
How does CodeStorm bypass email security?
It sends emails from legitimate M365 accounts and inserts hidden email threads, making messages appear trustworthy and reducing detection by spam filters.
What is credential replay in phishing attacks?
Credential replay involves submitting stolen login credentials in real time to authenticate against legitimate services, helping attackers validate and exploit accounts instantly.
What is Entra ID error code 50126?
Error code 50126 (AADSTS50126) means Microsoft Entra ID rejected the username and password combination as invalid. It is the normal result of a mistyped password, which is why replay attempts that fail produce the very same code; the tell is repeated 50126 events from an IP address that the affected users do not normally sign in from.
How can organizations defend against CodeStorm phishing?
Use advanced email filtering, monitor Entra login anomalies, implement phishing-resistant MFA, and correlate phishing events with authentication logs.