Exposing a Sophisticated Microsoft-Themed Phishing Campaign by Storm-1575

Phishing attacks have become increasingly sophisticated, and the Storm-1575 threat actor group is no exception. Recently, I uncovered a highly convincing Microsoft-themed phishing email designed to lure unsuspecting victims into entering their login credentials. By mimicking an official Microsoft login page, this advanced phishing campaign attempts to bypass Multi-Factor Authentication (MFA) and infiltrate user accounts undetected.

Below, you’ll find a detailed video analysis that walks through every stage of this phishing attack, including extracting Indicators of Compromise (IOCs), testing them against Cisco Talos, VirusTotal, and other security intelligence tools. This examination reveals how advanced attackers evade real-time detection and highlights the importance of continuous threat intelligence monitoring.

Watch the Full Phishing Analysis

Detailed Indicators of Compromise (IOCs)

By analyzing the email payloads, domains, and IP addresses, we’ve identified the following IOCs associated with this Microsoft-themed phishing campaign.

• Malicious Domains & URLs:

  • radiosertanejabrasil.com.br
  • xg0zhsx51zgjsx6afdo0kbhyk4lsoellcallerleftvmaudiomsg.wapmight.net
  • wapmight.net
  • 942547373.businesslawdoc.com
  • businesslawdoc.com
  • https://xg0zhsx51zgjsx6afdo0kbhyk4lsoellcallerleftvmaudiomsg.wapmight.net/fIa2W?e=
  • https://942547373.businesslawdoc.com/next.php

• Associated IP Addresses:

  • 172.82.129.154
  • 69.49.230.198

• Malware Hash & Suspicious File:

  • Hash: d56122bd9a3f27869962716f8747af4fd517ec1ab8e7e070900c0e795b171d36
  • File: Caller left VM MSG 00_01_20 DURATION-c368a0ec71d3982c8e6955b2eff5a50a.eml

VirusTotal Collection

https://www.virustotal.com/gui/collection/905eba0d0c78902249c22bfc4f067ccc8b27a8e4d4ff6d26298cd31c7ba0d9b7/iocs

This curated VirusTotal collection provides a centralized view of the malicious files, domains, and other IOCs uncovered during this investigation. By reviewing these artifacts, security teams and researchers can better understand the threat landscape and take proactive steps to defend against future attacks.

Key Takeaways for Improving Cybersecurity

• Enable Advanced Threat Protection: Traditional antivirus solutions may not detect every phishing attempt. Consider implementing AI-driven tools and behavior-based detection.
• Employee Security Training: Regularly educate staff on how to identify suspicious emails, including checking domains, verifying sources, and using secure authentication methods.
• Constant Threat Intelligence Monitoring: Stay informed about emerging threat actors like Storm-1575 and regularly consult threat intelligence feeds for the latest indicators and patterns.

Conclusion

The Storm-1575 phishing campaign is a prime example of how threat actors continue to refine their tactics. By closely analyzing IOCs, testing defenses, and understanding the methods used to bypass MFA, organizations can enhance their cybersecurity posture.

Stay vigilant, keep learning, and share this knowledge within your organization. Together, we can reduce the risk of falling victim to these advanced phishing campaigns.