Hackers Abuse Compromised M365 Accounts to Scale CodeStorm Phishing Operations

Cybersecurity News


By Tushar Subhra Dutta, June 23, 2026

Hackers are taking phishing to new levels by abusing legitimate Microsoft 365 accounts to supercharge an operation known as CodeStorm. Instead of building fake infrastructure from scratch, attackers are hijacking real M365 accounts and using them as trusted launching pads. This approach lets malicious emails slip past filters that would normally flag suspicious senders, dramatically increasing the chances a target will click.

The attack begins with a deceptively convincing voicemail notification email. The message mimics a genuine Microsoft communication, complete with a well-formatted layout, a call duration, a reference ID, and an “OPEN VOICEMAIL PORTAL” button branded with the Microsoft logo. Below the visible message, the kit quietly appends a long block of dummy historical email thread content, designed to confuse automated scanning engines into classifying the message as a low-risk business thread rather than a direct phishing lure.

Analysts at ZeroBEC identified and documented how the CodeStorm phishing kit has evolved with a powerful new capability: tenant-aware Microsoft 365 credential replay.

End-to-end CodeStorm flow (Source – ZeroBec)

ZeroBEC said in a report shared with Cyber Security News (CSN) that the kit does not just harvest passwords but actively replays them against Microsoft’s live identity infrastructure in real time, mimicking legitimate sign-in behavior so that the victim’s own MFA response completes the attacker’s sign-in.

Once a victim clicks the link, they land on a page protected by a Cloudflare Turnstile challenge that filters out automated scanners. The landing page also probes for browser developer tools and automation signals, and even measures how long a debugger statement takes to execute.
If anything suspicious is detected, the page redirects to a legitimate Microsoft URL, so the visit appears completely harmless. This multi-layer anti-analysis design is what separates CodeStorm from simpler credential-harvesting pages.

The campaign’s infrastructure rotates frontend domains while keeping a stable backend controller hidden under the path /google.php. The kit communicates through a series of actions: do=check for identity discovery, do=login for credential submission, and do=verify to trigger MFA. This design supports the full Microsoft MFA workflow, including Authenticator push, SMS one-time codes, voice calls, and Hotmail recovery codes, covering virtually every authentication method a victim might have active; the victim answers the real MFA prompt that the attacker’s replayed sign-in triggered.

Hackers Abuse Compromised M365 Accounts

The CodeStorm campaign abuses compromised Microsoft 365 accounts to send phishing emails that carry built-in legitimacy. Since the sending account is a real, active M365 identity, the emails pass sender authentication checks such as SPF, DKIM, and DMARC (which verify that the message genuinely originated from the sending domain, not that its content is benign), making them far more likely to reach the inbox. The kit also reuses the same unrelated email thread across multiple victim tenants, swapping only the organization name per target while keeping everything else identical.

The voicemail lure as the victim sees it (Source – ZeroBec)

The backend controller performs live home-realm discovery against Microsoft’s real identity infrastructure. When a victim submits credentials, the do=login action replays them against Microsoft in real time, producing a genuine Entra sign-in attempt in the victim’s tenant logs; with wrong credentials, as in the researchers’ tests, it appears as a failure with error code 50126 (invalid username or password). Because the replay is performed by the kit’s backend rather than the victim’s browser, the source IP addresses recorded in Entra belong to the kit’s infrastructure, so defenders may see failures from unexpected US-based locations within seconds of a phishing click.

Detection and Defense Against CodeStorm Phishing

ZeroBEC researchers outlined key signals defenders can use to identify CodeStorm activity.
On the email layer, security teams should watch for messages where the From, To, and Return-Path headers are all identical, combined with a hidden whitespace block appending an unrelated thread.

On the network side, hunters should flag cross-site POST requests targeting a /google.php path, especially when the content type is application/x-www-form-urlencoded and the body carries actions such as do=check or do=login.

Entra failures observed within seconds of fake credentials (Source – ZeroBec)

In Microsoft Entra, teams should prioritize hunting for OfficeHome sign-in failures carrying error code 50126, particularly when they cluster shortly after a phishing-click event and originate from source IPs outside the user’s expected geography. Follow-on signs of compromise include new inbox rules, unusual OAuth grants, MFA prompts from unfamiliar locations, and successful sign-ins from IPs previously tied to failure events.

Correlating sender anomalies, dummy-thread stuffing, and post-click tenant telemetry in a single behavioral detection gives the clearest early warning before a full account takeover occurs.
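The correlation described above, as an added example: the Python below is not ZeroBEC’s or CSN’s code and only illustrates the signals named in the report. It scores one message for identical From/To/Return-Path headers and for whitespace-padded dummy-thread stuffing, then joins a phishing-click event against sign-in records to find OfficeHome failures with error 50126 inside a short window from IPs outside the organisation’s expected networks, and escalates if a later success comes from one of those IPs. The message, the click event, the sign-in records, their simplified field names, the IP addresses and the 203.0.113.0/24 “expected” egress range are all constructed for this example; real input would come from the mail gateway’s URL-click log and the Entra ID SignInLogs table, whose schema differs.

```python
"""Added triage example: CodeStorm email-layer signals plus post-click Entra
correlation. Not code from ZeroBEC or CSN; every input below is constructed."""
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# ---- email layer ----------------------------------------------------------
# Constructed message: From, To and Return-Path are the same mailbox, and the
# lure is followed by a long run of blank lines and an unrelated "old" thread.
SAMPLE_EMAIL = (
    'From: "Voicemail Service" <j.doe@example-corp.com>\n'
    "To: j.doe@example-corp.com\n"
    "Return-Path: <j.doe@example-corp.com>\n"
    "Subject: New Voicemail (0:42)\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "You have a new voicemail. Reference ID: VM-8812-AX\n"
    "Call duration: 0:42\n"
    "OPEN VOICEMAIL PORTAL\n"
    + "\n" * 60
    + "From: alice@unrelated-vendor.example\n"
    "Sent: Monday, March 3\n"
    "Subject: RE: Q3 invoice reconciliation\n"
    "Hi team, attaching the revised figures for the reconciliation...\n"
)


def email_signals(raw: str, min_blank_run: int = 20) -> dict:
    """Return the two CodeStorm email-layer signals for one RFC 5322 message."""
    msg = message_from_string(raw)
    addrs = {parseaddr(msg.get(h, ""))[1].lower() for h in ("From", "To", "Return-Path")}
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    # Stuffing pattern: a long run of blank/whitespace-only lines, then a
    # second "From:"/"Sent:" block that belongs to an unrelated thread.
    stuffed = re.search(r"(?:[ \t]*\n){%d,}\s*(?:From|Sent):" % min_blank_run, body)
    return {
        "headers_identical": len(addrs) == 1 and "" not in addrs,
        "dummy_thread_stuffing": stuffed is not None,
    }


# ---- tenant telemetry -----------------------------------------------------
# Constructed events. Real input would be the mail gateway's URL-click log and
# Entra ID SignInLogs; the field names here are simplified, not the Entra schema.
CLICK_EVENTS = [{"user": "j.doe@example-corp.com", "time": "2026-06-23T09:14:02Z"}]
SIGN_INS = [
    {"user": "j.doe@example-corp.com", "time": "2026-06-23T08:00:00Z",
     "app": "OfficeHome", "error": 50126, "ip": "203.0.113.7"},    # office typo, before the click
    {"user": "j.doe@example-corp.com", "time": "2026-06-23T09:14:09Z",
     "app": "OfficeHome", "error": 50126, "ip": "198.51.100.23"},  # kit replays the submitted password
    {"user": "j.doe@example-corp.com", "time": "2026-06-23T09:14:41Z",
     "app": "OfficeHome", "error": 50126, "ip": "198.51.100.23"},
    {"user": "j.doe@example-corp.com", "time": "2026-06-23T09:16:30Z",
     "app": "OfficeHome", "error": 0, "ip": "198.51.100.23"},      # later success from the replay IP
]
EXPECTED_NETS = ["203.0.113.0/24"]  # hypothetical corporate egress range


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(clicks, sign_ins, expected_nets, window=timedelta(minutes=5)) -> list:
    """For each click, find OfficeHome 50126 failures inside `window` from IPs
    outside the expected networks, then any later success from those IPs."""
    nets = [ip_network(n) for n in expected_nets]

    def outside(ip: str) -> bool:
        return not any(ip_address(ip) in n for n in nets)

    alerts = []
    for click in clicks:
        t0 = _ts(click["time"])
        fails = [s for s in sign_ins
                 if s["user"] == click["user"] and s["app"] == "OfficeHome"
                 and s["error"] == 50126 and outside(s["ip"])
                 and t0 <= _ts(s["time"]) <= t0 + window]
        if not fails:
            continue
        replay_ips = {f["ip"] for f in fails}
        last_fail = max(_ts(f["time"]) for f in fails)
        # A success from an IP previously tied only to failures is the takeover signal.
        taken = [s for s in sign_ins
                 if s["user"] == click["user"] and s["error"] == 0
                 and s["ip"] in replay_ips and _ts(s["time"]) > last_fail]
        alerts.append({
            "user": click["user"],
            "replay_ips": sorted(replay_ips),
            "failures_in_window": len(fails),
            "severity": "account_takeover" if taken else "credentials_captured",
        })
    return alerts


if __name__ == "__main__":
    print(email_signals(SAMPLE_EMAIL))
    print(correlate(CLICK_EVENTS, SIGN_INS, EXPECTED_NETS))
```

The pre-click failure from the expected range is deliberately left out of the alert: a user mistyping a password from the office is not the pattern, and the window plus the geography filter is what separates the kit’s replay from ordinary failures. In production the "expected" networks would be replaced by the user’s baseline sign-in locations, and the alert would additionally pull the follow-on indicators listed above (new inbox rules, OAuth grants) for the same user.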
Indicators of Compromise (IoCs):

Type | Indicator | Description
Domain | efficientplatforms[.]de | Primary campaign domain
Host | openmail.efficientplatforms[.]de | Frontend landing host (Cluster 1)
Host | originalpt.efficientplatforms[.]de | Earlier non-audio frontend host (Cluster 1)
Host | qygg.efficientplatforms[.]de | Backend controller host (Cluster 1)
Domain | 918ahoaurduaod[.]com | Randomized frontend cluster domain
Host | 786rty00jk.918ahoaurduaod[.]com | Frontend landing host (Cluster 2)
Domain | scalableinfrastructure[.]de | Backend controller domain
Host | gnjh.scalableinfrastructure[.]de | Backend controller host
Host | listen.microsoft-voicebox-recordings[.]com | Voicebox-themed asset host
Host | dvcfbghjyui8u7y6t5redfcvghjuk-1417693617.cos.na-ashburn.myqcloud[.]com | Tencent COS second-stage payload host
URL Path | /google.php | Stable backend controller path
Redirect Domain | meet.google[.]com/linkredirect | Trust-redirect abused to ferry victim to filter
Redirect Domain | www.google[.]com/url | Trust-redirect abused to ferry victim to filter
Redirect Domain | adservice.google.com[.]ph/ddm/clk/424929466;226923624 | Trust-redirect abused to ferry victim to filter
Redirect Domain | s3.us-east-1.amazonaws[.]com | Trust-redirect abused to ferry victim to filter
Cloudflare Key | 0x4AAAAAADdp34fpLM2KiBTM | Turnstile site key (efficientplatforms cluster)
Cloudflare Key | 0x4AAAAAADceN-c9qtwSnf8A | Turnstile site key (randomized frontend cluster)
IP Address | 104.161.48[.]103 | Email origin IP (sending infrastructure)
IP Address | 103.114.217[.]208 | Email origin IP (sending infrastructure)
IP Address | 148.163.93[.]50 | Email origin IP (sending infrastructure)
IP Address | 104.168.34[.]222 | Email origin IP (sending infrastructure)
IP Address | 98.183.80[.]18 | External replay IP observed in Entra (Gramercy, Louisiana, US)
IP Address | 98.44.29[.]78 | External replay IP observed in Entra (Katy, Texas, US)
IP Address | 68.11.117[.]95 | External replay IP observed in Entra (New Orleans, Louisiana, US)
IP Address | 216.27.183[.]135 | External replay IP observed in Entra (Akeley, Minnesota, US)
File Name | bootstrappp.min.js | Obfuscated second-stage JavaScript payload

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.