Discover how Storm1747 – a leading phishing threat actor – uses advanced phishing-as-a-service toolkits to bypass MFA and steal credentials. Learn about their attack methods, targeted platforms like Microsoft 365 and Google Workspace, and effective defense strategies to protect your organization.
Overview
Storm1747 is a threat actor known for large-scale phishing operations built on “phishing-as-a-service” (PhaaS) toolkits. First observed in mid-2023, it has rapidly become one of the most active phishing groups observed (Malware Trends Report: Q4, 2024). Its campaigns use adversary-in-the-middle (AiTM) proxies that capture not only the victim's credentials but also the session cookie issued after a successful login, which lets the attacker reuse the authenticated session without completing multifactor authentication (MFA) again (Tycoon 2FA: Phishing Kit Being Used to Bypass MFA). In Q4 2024, Storm1747 accounted for over 11,000 phishing-related samples submitted to malware sandboxes, more than any other tracked group. Financially motivated, it primarily targets Microsoft 365 and Google Workspace users to gain unauthorized access to email and cloud accounts.
Tactics, Techniques, and Procedures (TTPs)
Storm1747 consistently employs advanced phishing tactics to maximize success:
- Adversary-in-the-Middle (AiTM) Phishing Kits: Storm1747 is closely associated with the Tycoon 2FA phishing kit, a PhaaS platform that works as a reverse proxy between the victim and the real login page (Tycoon 2FA: Phishing Kit Being Used to Bypass MFA). The victim sees a working, near-identical sign-in flow; the proxy forwards the password and the MFA response to the legitimate identity provider in real time and records the session cookie the provider returns. Replaying that cookie gives the attacker an already-authenticated session, so MFA is not broken cryptographically; it is simply satisfied once, by the victim, on the attacker's behalf.
- Phishing-as-a-Service & Infrastructure: Operating at scale, Storm1747 runs PhaaS infrastructure and sells access to its toolkit. Ready-to-use phishing pages for Microsoft 365 and Gmail are advertised via Telegram at around $120 for 10 days of service (Tycoon 2FA: Phishing Kit Being Used to Bypass MFA). Researchers have tracked over 1,200 unique domain names tied to these campaigns since August 2023, with domains often following standardized, tiered naming templates.
- Obfuscation and Evasion: The Tycoon 2FA toolkit is continually updated to evade security controls. A March 2024 update introduced heavily obfuscated JavaScript/HTML and dynamic code generation that changes on each page load, so static signatures age quickly. Phishing URLs are also disguised, for example by prefixing them with trusted-looking strings or by percent-encoding the parameters that identify the victim and the next hop, to slip past simple URL filters.
- Multi-Stage Attack Flow: Attacks typically start with an email containing a link or attachment that sends the user through one or more intermediary sites (URL shorteners, redirectors, a bot-filtering challenge page) before the spoofed login page is served. The chain lowers the user's suspicion and keeps automated scanners, which often stop at the first hop, from ever reaching the final page.
- Social Engineering Lures: Emails are carefully crafted with social engineering tactics. Common lure themes include file/document shares, voicemail or fax notifications, tax and finance alerts, and service notifications. Attackers may also use compromised legitimate accounts to increase credibility.
- Targets and Victim Selection: Storm1747 often personalizes phishing content. Phishing URLs may include the target’s email or name, and lures like fake invoices or tax forms are aimed at roles such as finance or HR. While enterprise users of Microsoft 365 and Google Workspace are primary targets, personal users and small businesses are also at risk.
For example, a fake Outlook email might urge the user to click “View Completed Document” on a link whose URL deceptively starts with a familiar domain (e.g., https://youtube...). Despite its legitimate appearance, the link passes through a Cloudflare challenge page before redirecting to a fraudulent login page, enabling credential theft even when MFA is enabled.
Recent Campaigns and Notable Incidents
Storm1747’s phishing activity has been continuous and varied. Notable recent trends include:
- Fake YouTube Link Campaign (Late 2024 – Early 2025): Attackers exploited URI authority obfuscation by starting malicious URLs with legitimate strings like http://youtube.com. The authority part of a URL may carry a userinfo component before an '@' sign (RFC 3986: user:password@host), so a link of the form http://youtube.com@<attacker host>/... reads as a YouTube link to a human but connects to the host after the '@'. Emails appeared to link to trusted sites but redirected through multiple stages to a credential-stealing page. Security researchers identified these attacks by their use of the Tycoon 2FA kit and infrastructure patterns.
- Tax Season Phishing (Q1 2025): In early 2025, Storm1747 pivoted to tax-themed lures. An email mimicking an HR or payroll notice carried a PDF with a QR code claimed to be a W-2 form. Scanning the QR code led to a Cloudflare-hosted intermediary and finally to a fake Microsoft 365 login page, capitalizing on seasonal expectations and moving the click from a filtered mail client to a personal phone outside the email gateway.
- DocuSign and E-Signature Impersonation: Some phishing emails impersonated e-signature services such as DocuSign, notifying users of documents to review or sign. These emails redirected victims through multiple steps to fraudulent login pages, continuing the trend of credential phishing.
- Infrastructure and Volume: Analysis from ANY.RUN’s malware blog revealed that Storm1747’s domains hosted a standardized template for the Tycoon 2FA kit across many phishing pages, underscoring the high volume and uniformity of their campaigns.
- Attribution and Aliases: “Storm1747” is a tracking label adopted by threat intelligence platforms (the Storm-#### convention is Microsoft's designation for activity clusters that are still emerging or not yet attributed to a named group). Some reports refer to the operator as the “Saad Tycoon Group” on the basis of cryptocurrency transaction analysis; open-source reporting consistently describes Storm1747 as a cybercriminal service operation focused on profit through phishing and credential theft.
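To make the fake-YouTube trick concrete (and the URL disguising noted under TTPs), here is an added example, not code from the article or from any vendor it cites, that resolves the host a browser actually connects to and flags the patterns described above. The domains evil.example and hop.example, the sample URLs, the victim address and the flag names are constructed for the example; the flags are heuristics, not a complete detector:

```python
"""Expose the real destination of obfuscated phishing URLs.

Added example (not code from the article or from any vendor it mentions).
The sample URLs, domains (evil.example, hop.example) and victim addresses
below are constructed; the flags are heuristics, not a complete detector.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Something that looks like a hostname sitting in the userinfo slot
# ("http://youtube.com@real-host/...") is the signature of URI authority
# obfuscation: per RFC 3986 the browser ignores everything before '@'
# when choosing the host to connect to.
HOST_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
EMAIL_LIKE = re.compile(r"[^@\s/]+@[^@\s/]+\.[a-z]{2,}", re.I)
URL_LIKE = re.compile(r"^https?://", re.I)


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to."""
    return (urlsplit(url).hostname or "").lower()


def analyze_url(url: str) -> dict:
    """Return the effective host plus heuristic warning flags for one URL."""
    parts = urlsplit(url)
    flags = []

    # 1. Spoofed authority: trusted-looking name before the '@'.
    if parts.username and HOST_LIKE.match(parts.username):
        flags.append("userinfo-looks-like-host")

    # Decode every place a kit might stash data: path, fragment, query values.
    pieces = [unquote(parts.path), unquote(parts.fragment)]
    for values in parse_qs(parts.query).values():
        pieces.extend(unquote(v) for v in values)

    # 2. Personalised lure: victim e-mail carried in the link.
    if any(EMAIL_LIKE.search(p) for p in pieces):
        flags.append("embedded-email")

    # 3. Multi-stage chain: a second URL carried as a redirect target.
    if any(URL_LIKE.match(p) for p in pieces):
        flags.append("embedded-url")

    return {"host": real_host(url), "flags": flags}


if __name__ == "__main__":
    samples = [  # constructed
        "https://www.youtube.com/watch?v=abc123",
        "http://youtube.com@evil.example/doc/view?u=victim%40corp.example",
        "https://hop.example/go?next=https%3A%2F%2Flogin.evil.example%2F",
    ]
    for s in samples:
        r = analyze_url(s)
        print(f"{s}\n  host={r['host']}  flags={r['flags'] or 'none'}")
```

Run against a mail gateway's extracted links, the first flag alone is worth an alert: legitimate services almost never put credentials in the userinfo slot, and a bare hostname there has no honest purpose.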
Mitigation and Defense Strategies
Mitigating the risk from Storm1747 requires a multi-layered approach:
- Strengthen MFA with Phishing-Resistant Methods: OTP codes and push approvals can be relayed by an AiTM proxy just like a password. FIDO2/WebAuthn security keys, passkeys and PIV smartcards resist this because the credential is bound to the origin of the site it was registered on: the browser records the page's real origin in the signed client data, and the authenticator signs the server's challenge with a private key that never leaves the device. A proxy on a look-alike domain cannot obtain an assertion that the real identity provider will accept (Phishing: What's in a Name? - CISA).
- User Awareness and Training: Educate users about evolving phishing tactics. Train them to scrutinize URLs (even those that appear to start with trusted domains like https://youtube.com) and to verify urgent login or document-access requests through a second channel.
- Email and Web Security Gateways: Deploy email filtering and web security controls that detect phishing-kit indicators, analyze URL structure (including userinfo tricks and redirect chains), and sandbox suspicious attachments and QR codes. Combine this with blocking of newly registered or newly seen domains, since kit domains are churned quickly.
- Threat Intelligence and IOC Monitoring: Regularly review threat intelligence reports and import Indicators of Compromise (IOCs) related to Tycoon 2FA and Storm1747. Proactively block or monitor domains and IPs linked to these campaigns.
- Identity and Access Monitoring: Monitor for suspicious account activity such as impossible-travel sign-ins, a session token reused from a new IP address or country shortly after it was issued, or sign-ins from unfamiliar devices, and use conditional access policies to block or step up authentication on anomalies.
- Incident Response Readiness: Develop a robust incident response plan for account compromise. It should cover resetting the password, revoking all active sessions and refresh tokens (a password reset alone does not reliably invalidate a stolen session cookie), re-registering MFA methods, and checking for attacker persistence such as mailbox forwarding rules, newly consented OAuth applications or added MFA devices.
- Secure Email Rules and Legacy Tech: Audit mail flow and inbox rules, and disable legacy authentication protocols (for example basic authentication for IMAP, POP and SMTP) that do not support MFA. Enforce modern authentication so that there is no path around the MFA policy.
- Browser-based Heuristic Protection: As an extra layer, consider a lightweight browser extension that scans each page for phishing indicators. For example, BrowserDefend (browserdefend.com) offers heuristic analysis capable of detecting Storm1747 landing pages, serving as a final safety net when threat feeds do not yet list a new domain. The vendor tracks these evolving landing pages from known threat actors and ships updates to detect the latest versions.
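The phishing-resistant MFA item above says a relayed FIDO2 assertion fails; the following added example (not code from the article, CISA or any identity provider) shows the relying-party checks that make it fail. The RP ID login.example.com, the proxy origin login.evil.example and the fixed challenge are constructed; the final signature check of a real verifier is described in a comment but not performed, because it needs an enrolled public key:

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed by an AiTM proxy.

Added example (not code from the article, CISA, or any identity provider).
The relying party ID, origins and challenge are constructed; the signature
check that completes a real verification is described but not performed.
"""
import base64
import hashlib
import json
from typing import Tuple

RP_ID = "login.example.com"                 # constructed relying party (RP) ID
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the *browser* builds it.

    The browser, not the page's JavaScript, fills in 'origin' from the
    page's real origin. A phishing page on login.evil.example therefore
    cannot claim to be https://login.example.com here.
    """
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()


def make_auth_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags || signCount (simplified)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks from the WebAuthn spec that defeat relaying.

    A complete verifier finishes by checking the authenticator's signature
    over auth_data || SHA-256(client_data_json) with the key registered at
    enrolment; that signature is what binds origin and rpIdHash to the key.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x00" * 32                 # constructed; real challenges are random
    legit = (make_client_data(EXPECTED_ORIGIN, challenge), make_auth_data(RP_ID))
    relayed = (make_client_data("https://login.evil.example", challenge),
               make_auth_data("login.evil.example"))
    for name, (cdj, ad) in (("legitimate", legit), ("via AiTM proxy", relayed)):
        print(name, "->", verify_assertion(cdj, ad, challenge))
```

A proxy can forward a password or a six-digit code unchanged because they are just strings. It cannot forward a WebAuthn assertion for login.example.com: the browser only lets a page request credentials scoped to its own registrable domain, and any assertion the attacker's page could obtain carries the attacker's origin and rpIdHash, which the checks above reject before the signature is even examined.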
In summary, defending against Storm1747 involves acknowledging that some phishing attempts may bypass frontline defenses. Combining strong, phishing-resistant MFA, ongoing user education, robust threat intelligence, vigilant monitoring, and even browser-based scanning can greatly mitigate the risks posed by these advanced phishing campaigns.
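As an added illustration of the monitoring the summary calls for (not code from the article or from any SIEM or identity product), the script below runs two AiTM-relevant detections over a handful of constructed sign-in records: impossible travel between consecutive sign-ins, and a session identifier reused from an IP address other than the one it was issued on, which is what replay of a stolen session cookie looks like in telemetry. The log format, field names and the 900 km/h threshold are assumptions for the example:

```python
"""Spot AiTM-style account takeover in sign-in telemetry.

Added example (not from the article or any SIEM/IdP product). The sign-in
records, field layout and thresholds are constructed for illustration;
real sign-in logs have different schemas.
"""
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0  # faster than an airliner between two successful sign-ins

# constructed: time user session_id source_ip country lat lon
SIGNINS = """\
2025-02-03T08:00:00Z alice sess-1 203.0.113.10 NL 52.37 4.90
2025-02-03T08:05:00Z alice sess-1 203.0.113.10 NL 52.37 4.90
2025-02-03T08:20:00Z alice sess-1 198.51.100.7 US 40.71 -74.01
2025-02-03T09:00:00Z bob sess-2 192.0.2.44 DE 52.52 13.41
2025-02-03T17:30:00Z bob sess-3 192.0.2.91 GB 51.51 -0.13
"""


def parse_signins(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, user, sess, ip, cc, lat, lon = line.split()
        rows.append({
            "t": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "session": sess, "ip": ip, "cc": cc,
            "lat": float(lat), "lon": float(lon),
        })
    return rows


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(rows: list) -> list:
    """Return alerts for impossible travel and for a session used from a new IP."""
    alerts = []
    last_by_user = {}        # previous sign-in per user
    session_origin = {}      # first sign-in seen per session id
    for r in sorted(rows, key=lambda x: (x["user"], x["t"])):
        prev = last_by_user.get(r["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
            hours = (r["t"] - prev["t"]).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append({"kind": "impossible_travel", "user": r["user"],
                               "from": prev["cc"], "to": r["cc"],
                               "speed_kmh": round(km / hours)})
        last_by_user[r["user"]] = r

        # A stolen session cookie is replayed from attacker infrastructure, so
        # the same session id shows up from an IP other than the one it was minted on.
        origin = session_origin.setdefault(r["session"], r)
        if origin is not r and origin["ip"] != r["ip"]:
            alerts.append({"kind": "session_reuse_new_ip", "user": r["user"],
                           "session": r["session"], "minted_on": origin["ip"],
                           "used_from": r["ip"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_signins(SIGNINS)):
        print(a)
```

In the constructed data only alice trips both rules: her sess-1 cookie appears from a US address fifteen minutes after two Dutch sign-ins. Bob's Berlin-to-London day produces no alert, which is the false-positive case a raw country-change rule would get wrong. The session-reuse rule is the more specific of the two for AiTM, since a replayed cookie changes network without any new authentication event.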