A new Microsoft 365 phishing service has emerged, so be on your guard

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system

(Image credit: weerapatkiatdumrong / Getty Images)

Researchers said that Rockstar2FA went quiet in November 2024
But a new PaaS emerged soon afterwards, with partly overlapping infrastructure
The new PaaS is called FlowerStorm, and it targets Microsoft365 accounts

Cybersecurity researchers from Sophos have warned a new Phishing-as-a-Service (PaaS) tool has emerged, allowing threat actors to easily hunt for people’s Microsoft 365 credentials.

This tool is called FlowerStorm, and it might have emerged from the (defunct) Rockstar2FA, the company revealed, noting how in November, detections for Rockstar2FA have “suddenly gone quiet”.

The organization’s infrastructure was taken offline, at least partly, for reasons yet unknown - but the researchers don’t think this was the work of law enforcement, though.

Long live FlowerStorm?

Rockstar2FA was a PaaS platform designed to bypass two-factor authentication (2FA), primarily targeting Microsoft 365 accounts. It worked by intercepting login processes to steal session cookies, allowing attackers to access accounts without needing credentials or verification codes. Through a simple interface and Telegram integration, threat actors that purchased a license could manage their campaigns in real time.

The new platform, which emerged in the weeks after Rockstar2FA went quiet, was dubbed FlowerStorm by the researchers. Apparently, much of its tools and features overlap with that of Rockstar2FA, which is why Sophos speculates that it could be its (spiritual) successor.

The vast majority of the targets chosen by FlowerStorm users (84%) are located in the United States, Canada, United Kingdom, Australia, and Italy, Sophos added.

Companies in the States were most frequently targeted (60%), followed by Canada (8.96%). Overall, almost all (94%) of FlowerStorm targets were either in North America or Europe, with the rest falling on Singapore, India, Israel, New Zealand, and the United Arab Emirates.

The majority of the victims are in the service industry, namely firms providing engineering, construction, real estate, and legal services and consulting.

Defending against FlowerStorm is the same as against any other phishing attack - using common sense and being careful with incoming emails.

This worrying new phishing attack is going after Microsoft 365 accounts
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.