惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

K
Kaspersky official blog
Engineering at Meta
Engineering at Meta
D
DataBreaches.Net
Stack Overflow Blog
Stack Overflow Blog
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
B
Blog RSS Feed
GbyAI
GbyAI
P
Proofpoint News Feed
aimingoo的专栏
aimingoo的专栏
MyScale Blog
MyScale Blog
D
Docker
阮一峰的网络日志
阮一峰的网络日志
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recorded Future
Recorded Future
美团技术团队
The Register - Security
The Register - Security
V
Visual Studio Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
Tailwind CSS Blog
爱范儿
爱范儿
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
T
The Blog of Author Tim Ferriss
博客园 - 司徒正美
量子位
B
Blog
F
Fortinet All Blogs
Martin Fowler
Martin Fowler
博客园 - 【当耐特】
MongoDB | Blog
MongoDB | Blog
A
About on SuperTechFans
I
InfoQ
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
有赞技术团队
有赞技术团队
雷峰网
雷峰网
大猫的无限游戏
大猫的无限游戏
J
Java Code Geeks
L
LangChain Blog
Latest news
Latest news
S
SegmentFault 最新的问题
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Blog — PlanetScale
Blog — PlanetScale
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Cisco Talos Blog
Cisco Talos Blog
F
Full Disclosure
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
W
WeLiveSecurity
T
Tenable Blog
T
Tor Project blog

Cyber Security News

AIRecon: AI-Powered Penetration Testing Tool with Kali Linux Sandbox Critical Chrome Vulnerabilities Allow Attackers to Execute Arbitrary Code - Update Now! UNC3753 Uses Screen-Sharing Sessions and RMM Tools to Exfiltrate Sensitive Legal Data New OnionDrop Loader Campaign Uses gainmsg C2 to Deliver LegionLoader Payloads ClickFix Campaign Uses EtherHiding and GULoader to Infect Windows Users via Fake CAPTCHA Ghostwriter Hackers Abuse Gmail Admin-Themed Emails to Steal Credentials and 2FA Codes The Half-Life of Threat Intelligence: When Does an IOC Stop Being Useful? Critical Fortinet FortiSandbox Vulnerabilities Actively Exploited in Attacks Aembit Extends IAM for Agentic AI to Microsoft Copilot Studio India Temporarily Bans Telegram Messenger Over Medical Exam Fraud Microsoft 365 Device Code Phishing Campaign Bypasses Password Theft With Legitimate Login Flow AppViewX Launches Agent Identity Security to Govern Agents for the AI and Quantum Era Hackers Weaponize Microsoft Teams Relay to Hide Ransomware Traffic Developer laptops are the credential store attackers are picking through in 2026, GitGuardian announces Endpoint Protection Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase Novo Nordisk Confirms Cyber Attack — Hackers Accessed Patient Medical Data and Internal AI Assets Russian and Chinese Influence Actors Use AI to Evade Bot Detection and Mimic Human Behavior Microsoft Teams Analyze the Wi-Fi Hotspot Data Connected to an Employee’s Device PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions Infinite Campus Data Breach Exposes 137,000 Users Personal Details OptinMonster Plugin Hack Exposes 1.2 Million Wordpress Sites to Cyberattack Ransomware Ecosystem Consolidates Around LockBit Alumni, Qilin, Hyflock, and The Gentlemen Hackers Abuse Legitimate RMM Tools in The Quarry IRS and SSA Phishing Campaigns LiteSpeed cPanel Plugin 0-Day Vulnerability Actively Exploited in the Wild Cisco SD-WAN vManage Vulnerability Exploited in Zero-Day Attacks Nearly 14,000 SimpleHelp Servers Exposed Amid Critical Authentication Bypass Disclosure Microsoft Site Showing Warning Following Certificate Expiry DPAPISnoop Tool Extracts CREDHIST Hashes for Offline Windows Credential Recovery SHADOWBYT3$ Allegedly Claim Breach of Nintendo, Stealing Sensitive Data Anthropic Updated Privacy Policy to Include Identity Verification for Claude Users Critical Microsoft 365 Copilot Vulnerability Allows Attackers to Steal Data in One Click Hackers Use Microsoft Graph Reconnaissance to Target Payroll and HR Employees China-Nexus Hackers Use Backdoored PAM Modules for Credential Theft and Authentication Bypass SearchJack Campaign Uses 23 Chrome Extensions to Hijack Searches of 758,000 Users PromptSnatcher Ad Blocker Extensions Steal AI Chats From ChatGPT, Claude, and Gemini Hackers Abuse LNK Files, PowerShell, and Python Loader to Deploy NarwhalRAT Windows 11 Update KB5094126 Freezes Systems, Forces BitLocker Recovery, and More Critical Wazuh Vulnerability Lets Attackers Tamper with Alerts and Delete Security Evidence SecSuite - AI-powered Tool for OSINT, Web and API Security Testing WinRAR Vulnerability Exploited by Russian Hackers to Deploy GIFTEDCROOK Stealer Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild Threat Actor Malware Platform Exposed via Unlocked PHP Installation Page Criminal IP at Infosecurity Europe 2026: Introducing AITEM, the Next Chapter of Attack Surface Management Maine Takes Data Breach Reporting Portal Offline After Fake VRChat and Discord Filings 152 Chrome Extensions Hide Ad Tracking and Fake Google Search Traffic New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From Hackers Server BugHunter - Bug Bounty Toolkit Powered by Claude and Free AI Providers Splunk Enterprise Pre-Auth RCE Chain Exposes Database With Zero Authentication Anthropic Fable 5 and Mythos 5 Access Blocked to All Users Following Government Directive Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection Malicious npm Campaign Steals SSH Keys, API Tokens, Cloud Credentials, and Wallet Secrets Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications Facebook and Instagram Down Globally, Users Reporting Multiple Issues Google Sues Chinese Cybercrime Network for Using Gemini AI to Launch Cyberattacks 400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers Critical Vulnerability Chain in LangGraph Allows Attackers to Gain Full Server Control SHEETCREEP C# RAT Abuses Google Sheets API as C2 to Target Diplomatic Organizations Authorities Dismantle Cryptocurrency Laundering Services ‘AudiA6’ Used by Ransomware Gangs Hackers Use Free Spotify Premium Hacks on TikTok and Instagram to Spread Vidar Infostealer Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secrets Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User Google Patches 28 Chrome Vulnerabilities that Allow Attackers to Execute Malicious Code Microsoft Teams for Android Vulnerability Allows Attackers to Disclose Sensitive Data Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters CISA Requires Federal Agencies to Patch Critical Vulnerabilities Within 3 Days OceanLotus APT Compromises FireAnt MetaKit in Supply-Chain Attack on Stock Investors GoFlateLoader Uses Massive PE Overlay to Deliver Lumma, Vidar, and StealC Infostealers Critical Langflow Vulnerability Exploited to Execute Malicious Code Hackers Abuse SniperDz PhaaS Ecosystem for Brand Impersonation and Browser Hijacking Researcher Hacked Google Using AI and Earned $500,000 Bug Bounty GitHub to Automate Disable npm Script Installs to Block Supply Chain Attacks Claude Mythos Turning N-Days Into N-Hours With Rapid Working Exploit Creation CISA Warns of Check Point Security Gateway Vulnerability Actively Exploited in Ransomware Attacks Hackers Use Weaponized DMG Files to Target macOS Users With Infostealer Malware Hackers Use BLUERABBIT Backdoor to Encrypt Files and Wipe Disks Across Windows Systems Hackers Abuse Residential Proxy Networks to Hide Malicious Activity and Evade Detection Cybercriminals Abuse Chinese-Language Guarantee Marketplaces to Trade Stolen Credentials Ivanti Command Injection Vulnerability Exploited in Attacks Following PoC Release PoC Exploit Released for Guest-to-Host Escape Linux Kernel Vulnerability Oracle Emergency Security Update to Fix Critical RCE Vulnerability GreatXML BitLocker Bypass 0-Day Exploited Via Windows Defender Offline Scan Hackers Abuse VMware-Signed Binary to Sideload NIGHTFORGE Loader in Espionage Attacks Multiple Splunk Enterprise Vulnerabilities Allow Attackers to Execute Malicious Script Hackers Abuse AWS CloudTrail and Google Cloud Logging to Evade Detection and Exfiltrate Logs China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation CISA Warns of SolarWinds Serv-U Vulnerability Exploited in Attacks Top 5 Best Tools for Simulated DDoS Attacks in 2026 Critical Vulnerability in Hugging Face Transformers Enables Remote Code Execution Attacks OWASP CVE Lite CLI - New Tool to Scan for Vulnerabilities in Your Projects Anthropic's Claude Services Down — claude.ai, Claude Code, and Cowork Affected [Updated] Hackers Publish Malicious Python Package Mimicking Legitimate Parsimonious Parser Hackers are Increasingly Weaponizing Trusted Tools to Deploy Notorious Malware New Magecart Attack Turns Stripe into a Malware Command Server Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation Microsoft 365 Service Degradation Bypassed Windows Driver Auto-Update Controls New SHub Stealer Variant Malware Targets Chrome, Firefox, Brave, Edge, Opera, and Crypto Wallets Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users
Hackers Abuse Compromised M365 Accounts to Scale CodeStorm Phishing Operations
Tushar Subhra Dutta · 2026-06-23 · via Cyber Security News

Hackers are taking phishing to new levels by abusing legitimate Microsoft 365 accounts to supercharge an operation known as CodeStorm.

Instead of building fake infrastructure from scratch, attackers are hijacking real M365 accounts and using them as trusted launching pads.

This approach lets malicious emails slip past filters that would normally flag suspicious senders, dramatically increasing the chances a target will click.

The attack begins with a deceptively convincing voicemail notification email. The message mimics a genuine Microsoft communication, complete with a well-formatted layout, a call duration, a reference ID, and an “OPEN VOICEMAIL PORTAL” button branded with the Microsoft logo.

Below the visible message, the kit quietly appends a long block of dummy historical email thread content, designed to confuse automated scanning engines into classifying the message as a low-risk business thread rather than a direct phishing lure.

Analysts at ZeroBEC identified and documented how the CodeStorm phishing kit has evolved with a powerful new capability: tenant-aware Microsoft 365 credential replay.

End-to-end CodeStorm flow (Source - ZeroBec)
End-to-end CodeStorm flow (Source – ZeroBec)

ZeroBEC said in a report shared with Cyber Security News (CSN) revealed that the kit does not just harvest passwords but actively replays them against Microsoft’s live identity infrastructure in real time, mimicking legitimate sign-in behavior to bypass multi-factor authentication.

Once a victim clicks the link, they land on a page protected by a Cloudflare Turnstile challenge that filters out automated scanners.

The landing page also probes for browser developer tools and automation signals, and even measures how long a debugger statement takes to execute.

If anything suspicious is detected, the page redirects to a legitimate Microsoft URL, appearing completely harmless. This multi-layer anti-analysis design is what separates CodeStorm from simpler credential-harvesting pages.

The campaign’s infrastructure rotates frontend domains while keeping a stable backend controller hidden under the path /google.php.

The kit communicates through a series of actions, do=check for identity discovery, do=login for credential submission, and do=verify to trigger MFA.

This design supports the full Microsoft MFA workflow including Authenticator push, SMS one-time codes, voice calls, and Hotmail recovery codes, covering virtually every authentication method a victim might have active.

Hackers Abuse Compromised M365 Accounts

The CodeStorm campaign abuses compromised Microsoft 365 accounts to send phishing emails that carry built-in legitimacy.

Since the sending account is a real, active M365 identity, emails pass sender authentication checks such as SPF, DKIM, and DMARC, making them far more likely to reach the inbox.

The kit also reuses the same unrelated email thread across multiple victim tenants, swapping only the organization name per target while keeping everything else identical.

The voicemail lure as the victim sees it (Source – ZeroBec)

The backend controller performs live home-realm discovery against Microsoft’s real identity infrastructure.

When a victim submits credentials, the do=login action replays them against Microsoft in real time, producing a genuine Entra sign-in failure with error code 50126 in the victim’s tenant logs.

This is particularly dangerous because the IP addresses recorded in Entra belong to the kit’s infrastructure, meaning defenders may see failures from unexpected US-based locations within seconds of a phishing click.

Detection and Defense Against CodeStorm Phishing

ZeroBEC researchers outlined key signals defenders can use to identify CodeStorm activity.

On the email layer, security teams should watch for messages where the From, To, and Return-Path headers are all identical, combined with a hidden whitespace block appending an unrelated thread.

On the network side, hunters should flag cross-site POST requests targeting a /google.php path, especially when the content type is application/x-www-form-urlencoded with body actions such as do=check or do=login.

Entra failures observed within seconds of fake credentials (Source - ZeroBec)
Entra failures observed within seconds of fake credentials (Source – ZeroBec)

In Microsoft Entra, teams should prioritize hunting for OfficeHome sign-in failures carrying error code 50126, particularly when clustered shortly after a phishing-click event from source IPs outside the user’s expected geography.

Follow-on signs of compromise include new inbox rules, unusual OAuth grants, MFA prompts from unfamiliar locations, and successful sign-ins from IPs previously tied to failure events.

Enabling behavioral detection that correlates sender anomalies, dummy-thread stuffing, and post-click tenant telemetry together gives the clearest early warning before a full account takeover occurs.

Indicators of Compromise (IoCs):-

TypeIndicatorDescription
Domainefficientplatforms[.]dePrimary campaign domain
Hostopenmail.efficientplatforms[.]deFrontend landing host (Cluster 1)
Hostoriginalpt.efficientplatforms[.]deEarlier non-audio frontend host (Cluster 1)
Hostqygg.efficientplatforms[.]deBackend controller host (Cluster 1)
Domain918ahoaurduaod[.]comRandomized frontend cluster domain
Host786rty00jk.918ahoaurduaod[.]comFrontend landing host (Cluster 2)
Domainscalableinfrastructure[.]deBackend controller domain
Hostgnjh.scalableinfrastructure[.]deBackend controller host
Hostlisten.microsoft-voicebox-recordings[.]comVoicebox-themed asset host
Hostdvcfbghjyui8u7y6t5redfcvghjuk-1417693617.cos.na-ashburn.myqcloud[.]comTencent COS second-stage payload host
URL Path/google.phpStable backend controller path
Redirect Domainmeet.google[.]com/linkredirectTrust-redirect abused to ferry victim to filter
Redirect Domainwww.google[.]com/urlTrust-redirect abused to ferry victim to filter
Redirect Domainadservice.google.com[.]ph/ddm/clk/424929466;226923624Trust-redirect abused to ferry victim to filter
Redirect Domains3.us-east-1.amazonaws[.]comTrust-redirect abused to ferry victim to filter
Cloudflare Key0x4AAAAAADdp34fpLM2KiBTMTurnstile site key (efficientplatforms cluster)
Cloudflare Key0x4AAAAAADceN-c9qtwSnf8ATurnstile site key (randomized frontend cluster)
IP Address104.161.48[.]103Email origin IP (sending infrastructure)
IP Address103.114.217[.]208Email origin IP (sending infrastructure)
IP Address148.163.93[.]50Email origin IP (sending infrastructure)
IP Address104.168.34[.]222Email origin IP (sending infrastructure)
IP Address98.183.80[.]18External replay IP observed in Entra (Gramercy, Louisiana, US)
IP Address98.44.29[.]78External replay IP observed in Entra (Katy, Texas, US)
IP Address68.11.117[.]95External replay IP observed in Entra (New Orleans, Louisiana, US)
IP Address216.27.183[.]135External replay IP observed in Entra (Akeley, Minnesota, US)
File Namebootstrappp.min.jsObfuscated second-stage JavaScript payload

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google NewsLinkedIn, and X to Get More Instant UpdatesSet CSN as a Preferred Source in Google.

Tushar Subhra Dutta

Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.