Hackers are taking phishing to new levels by abusing legitimate Microsoft 365 accounts to supercharge an operation known as CodeStorm.
Instead of building fake infrastructure from scratch, attackers are hijacking real M365 accounts and using them as trusted launching pads.
This approach lets malicious emails slip past filters that would normally flag suspicious senders, dramatically increasing the chances a target will click.
The attack begins with a deceptively convincing voicemail notification email. The message mimics a genuine Microsoft communication, complete with a well-formatted layout, a call duration, a reference ID, and an “OPEN VOICEMAIL PORTAL” button branded with the Microsoft logo.
Below the visible message, the kit quietly appends a long block of dummy historical email thread content, designed to confuse automated scanning engines into classifying the message as a low-risk business thread rather than a direct phishing lure.
Analysts at ZeroBEC identified and documented how the CodeStorm phishing kit has evolved with a powerful new capability: tenant-aware Microsoft 365 credential replay.

ZeroBEC's report, shared with Cyber Security News (CSN), revealed that the kit does not just harvest passwords but actively replays them against Microsoft's live identity infrastructure in real time, mimicking legitimate sign-in behavior to bypass multi-factor authentication.
Once a victim clicks the link, they land on a page protected by a Cloudflare Turnstile challenge that filters out automated scanners.
The landing page also probes for browser developer tools and automation signals, and even measures how long a debugger statement takes to execute.
If anything suspicious is detected, the page redirects to a legitimate Microsoft URL, appearing completely harmless. This multi-layer anti-analysis design is what separates CodeStorm from simpler credential-harvesting pages.
The campaign’s infrastructure rotates frontend domains while keeping a stable backend controller hidden under the path /google.php.
The kit communicates through a series of actions: do=check for identity discovery, do=login for credential submission, and do=verify to trigger MFA.
This design supports the full Microsoft MFA workflow including Authenticator push, SMS one-time codes, voice calls, and Hotmail recovery codes, covering virtually every authentication method a victim might have active.
Hackers Abuse Compromised M365 Accounts
The CodeStorm campaign abuses compromised Microsoft 365 accounts to send phishing emails that carry built-in legitimacy.
Since the sending account is a real, active M365 identity, emails pass sender authentication checks such as SPF, DKIM, and DMARC, making them far more likely to reach the inbox.
The kit also reuses the same unrelated email thread across multiple victim tenants, swapping only the organization name per target while keeping everything else identical.

The backend controller performs live home-realm discovery against Microsoft’s real identity infrastructure.
When a victim submits credentials, the do=login action replays them against Microsoft in real time, producing a genuine Entra sign-in failure with error code 50126 in the victim’s tenant logs.
This is particularly dangerous because the IP addresses recorded in Entra belong to the kit’s infrastructure, meaning defenders may see failures from unexpected US-based locations within seconds of a phishing click.
Detection and Defense Against CodeStorm Phishing
ZeroBEC researchers outlined key signals defenders can use to identify CodeStorm activity.
On the email layer, security teams should watch for messages where the From, To, and Return-Path headers are all identical, combined with a hidden whitespace block appending an unrelated thread.
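The two email-layer signals above can be checked mechanically. The following is an added example, not code from ZeroBEC or from the CodeStorm report: it parses a raw message with Python's standard `email` module, tests whether From, To and Return-Path all resolve to one mailbox, and looks for an unrelated thread hidden behind a long run of blank lines. Both sample messages, the sender names, the `example-*.test` hosts and the 20-blank-line threshold are constructed assumptions for illustration.

```python
# Added example (not from the ZeroBEC report): flags the two email-layer
# CodeStorm signals on constructed sample messages.
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample. From, To and Return-Path all resolve to the same
# mailbox, and an unrelated thread is hidden behind a run of blank lines.
SAMPLE_SUSPICIOUS = (
    "From: Accounts Payable <ap@example-victim.test>\n"
    "To: Accounts Payable <ap@example-victim.test>\n"
    "Return-Path: <ap@example-victim.test>\n"
    "Subject: New Voicemail (00:42)\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "You have a new voicemail. Call duration: 00:42. Reference ID: VM-77213\n"
    "OPEN VOICEMAIL PORTAL: hxxp://openmail.example-landing.test/listen\n"
    + "\n" * 60 +
    "From: Jane Doe\n"
    "Sent: Tuesday, March 4, 2025 9:12 AM\n"
    "To: Procurement Team\n"
    "Subject: RE: Q1 vendor onboarding checklist\n"
    "\n"
    "Thanks all, attaching the updated checklist for review.\n"
)

# Constructed benign control: distinct sender and recipient, no hidden block.
SAMPLE_BENIGN = (
    "From: Jane Doe <jane@example-partner.test>\n"
    "To: Accounts Payable <ap@example-victim.test>\n"
    "Return-Path: <jane@example-partner.test>\n"
    "Subject: RE: Q1 vendor onboarding checklist\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Thanks all, attaching the updated checklist for review.\n"
)

# Header-like lines that typically mark a quoted or pasted mail thread.
THREAD_MARKERS = re.compile(r"^(From|Sent|To|Subject):", re.MULTILINE)


def normalized_address(value):
    """Lower-case bare address from a header value such as 'Name <a@b>'."""
    return parseaddr(str(value))[1].lower() if value is not None else ""


def identical_routing_headers(msg):
    """True when From, To and Return-Path all resolve to one mailbox."""
    addrs = {normalized_address(msg.get(h)) for h in ("From", "To", "Return-Path")}
    return len(addrs) == 1 and "" not in addrs


def hidden_thread_block(body, min_blank_lines=20):
    """Find an appended thread hidden behind a run of whitespace-only lines.

    Returns (newline_count_of_run, thread_marker_count) for the longest run
    that is followed by text carrying at least two thread markers, else None.
    """
    best = None
    for m in re.finditer(r"(?:[ \t]*\n){%d,}" % min_blank_lines, body):
        markers = len(THREAD_MARKERS.findall(body[m.end():]))
        run = m.group(0).count("\n")
        if markers >= 2 and (best is None or run > best[0]):
            best = (run, markers)
    return best


def analyze(raw):
    """Evaluate both signals on a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    return {
        "identical_routing_headers": identical_routing_headers(msg),
        "hidden_thread": hidden_thread_block(body),
    }


def is_suspicious(raw):
    """Flag only when both signals co-occur, to keep false positives down."""
    result = analyze(raw)
    return result["identical_routing_headers"] and result["hidden_thread"] is not None


if __name__ == "__main__":
    print("suspicious sample:", analyze(SAMPLE_SUSPICIOUS))
    print("benign sample:", analyze(SAMPLE_BENIGN))
```

Requiring both signals together, rather than either alone, matters in practice: mailbox rules and calendar tooling legitimately produce self-addressed mail, and quoted threads are normal; it is the combination with a whitespace gap that is unusual.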
On the network side, hunters should flag cross-site POST requests targeting a /google.php path, especially when the content type is application/x-www-form-urlencoded with body actions such as do=check or do=login.
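The network-side hunt above translates directly into a filter over proxy or WAF logs. This is an added example, not the report's or any vendor's code: it reads constructed JSON-lines records (the field names `ts`, `src`, `method`, `host`, `path`, `origin`, `content_type` and `body` are an assumed export format), keeps form-encoded POSTs whose path is exactly /google.php and whose body carries a do=check, do=login or do=verify action, and ranks cross-site posts (Origin host differs from the request host) above same-site ones. All hosts and addresses in the sample are constructed.

```python
# Added example (not from the ZeroBEC report): flags form POSTs to /google.php
# carrying the kit's do= actions, over constructed proxy log lines.
import json
from urllib.parse import parse_qs, urlsplit

# Constructed JSON-lines records in a simplified, assumed export format.
SAMPLE_PROXY_LOGS = [
    '{"ts":"2025-03-04T14:02:20Z","src":"10.0.0.12","method":"POST",'
    '"host":"qygg.example-controller.test","path":"/google.php",'
    '"origin":"https://openmail.example-landing.test",'
    '"content_type":"application/x-www-form-urlencoded",'
    '"body":"do=check&email=ap%40victim.test"}',
    '{"ts":"2025-03-04T14:02:41Z","src":"10.0.0.12","method":"POST",'
    '"host":"qygg.example-controller.test","path":"/google.php",'
    '"origin":"https://openmail.example-landing.test",'
    '"content_type":"application/x-www-form-urlencoded",'
    '"body":"do=login&email=ap%40victim.test"}',
    '{"ts":"2025-03-04T14:05:00Z","src":"10.0.0.20","method":"GET",'
    '"host":"www.example.test","path":"/google.php","origin":"",'
    '"content_type":"","body":""}',
    '{"ts":"2025-03-04T14:06:12Z","src":"10.0.0.31","method":"POST",'
    '"host":"intranet.victim.test","path":"/google.php",'
    '"origin":"https://intranet.victim.test",'
    '"content_type":"application/x-www-form-urlencoded",'
    '"body":"do=check&q=1"}',
]

# The do= values named on the page; any one of them is enough to match.
KIT_ACTIONS = {"check", "login", "verify"}


def parse_line(line):
    """One JSON object per log line (assumed format)."""
    return json.loads(line)


def is_cross_site(origin, host):
    """True when the posting page's origin host differs from the request host.

    A missing Origin header is treated as not cross-site here; tighten if
    your proxy reliably records Origin or Referer.
    """
    if not origin:
        return False
    return (urlsplit(origin).hostname or "").lower() != host.lower()


def classify(record):
    """Return an alert dict for a matching record, else None."""
    if record.get("method", "").upper() != "POST":
        return None
    if urlsplit(record.get("path", "")).path.lower() != "/google.php":
        return None
    ctype = record.get("content_type", "").lower()
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    actions = set(parse_qs(record.get("body", "")).get("do", [])) & KIT_ACTIONS
    if not actions:
        return None
    cross = is_cross_site(record.get("origin", ""), record.get("host", ""))
    return {
        "ts": record.get("ts"),
        "src": record.get("src"),
        "host": record.get("host"),
        "actions": sorted(actions),
        "cross_site": cross,
        "severity": "high" if cross else "medium",
    }


def detect(lines):
    """Run the classifier over an iterable of log lines and collect alerts."""
    alerts = []
    for line in lines:
        alert = classify(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_PROXY_LOGS):
        print(a)
```

The same-site hit in the last record is kept at medium severity on purpose: a /google.php handler on an internal host is not itself evidence of CodeStorm, but the do=check body shape is unusual enough to be worth a look, while the cross-site form POSTs from a landing host to a separate controller host match the rotating-frontend, stable-backend layout the article describes.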

In Microsoft Entra, teams should prioritize hunting for OfficeHome sign-in failures carrying error code 50126, particularly when clustered shortly after a phishing-click event from source IPs outside the user’s expected geography.
Follow-on signs of compromise include new inbox rules, unusual OAuth grants, MFA prompts from unfamiliar locations, and successful sign-ins from IPs previously tied to failure events.
Enabling behavioral detection that correlates sender anomalies, dummy-thread stuffing, and post-click tenant telemetry together gives the clearest early warning before a full account takeover occurs.
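The Entra-side hunt described in the two preceding paragraphs (OfficeHome failures with error code 50126 shortly after a phishing click, from outside the user's usual geography, followed by a success from an IP already tied to those failures) can be prototyped offline before it is turned into a SIEM query. The block below is an added example, not ZeroBEC's or Microsoft's code. It runs over constructed click and sign-in records with simplified, assumed field names (`user`, `app`, `errorCode`, `ip`, `country`, `time`); real Entra exports use names such as `appDisplayName` and `status.errorCode`. The 10-minute window, the expected-country map and all addresses (RFC 5737 test ranges) are assumptions.

```python
# Added example (not from the ZeroBEC report): correlates phishing-click events
# with Entra sign-in failures (OfficeHome, error 50126) from outside the user's
# expected geography, then looks for a follow-on success from the same IP.
from datetime import datetime, timedelta

# Constructed records with simplified, assumed field names. Real Entra exports
# use names such as appDisplayName and status.errorCode.
CLICK_EVENTS = [
    # From email-security telemetry: the user clicked a flagged URL.
    {"user": "ap@victim.test", "time": "2025-03-04T14:02:10Z"},
]

SIGNIN_EVENTS = [
    # Two replay failures within seconds of the click, from an unexpected country.
    {"user": "ap@victim.test", "app": "OfficeHome", "errorCode": 50126,
     "ip": "203.0.113.41", "country": "US", "time": "2025-03-04T14:02:31Z"},
    {"user": "ap@victim.test", "app": "OfficeHome", "errorCode": 50126,
     "ip": "203.0.113.41", "country": "US", "time": "2025-03-04T14:02:55Z"},
    # Later success from the same IP: the takeover signal.
    {"user": "ap@victim.test", "app": "OfficeHome", "errorCode": 0,
     "ip": "203.0.113.41", "country": "US", "time": "2025-03-04T14:09:02Z"},
    # Ordinary typo the day before, from the user's expected country.
    {"user": "ap@victim.test", "app": "OfficeHome", "errorCode": 50126,
     "ip": "198.51.100.7", "country": "DE", "time": "2025-03-03T08:00:00Z"},
    # Different app and no click event: not in scope.
    {"user": "bob@victim.test", "app": "Outlook", "errorCode": 50126,
     "ip": "198.51.100.9", "country": "DE", "time": "2025-03-04T14:03:00Z"},
]

# Assumed baseline of where each user normally signs in from.
EXPECTED_COUNTRY = {"ap@victim.test": "DE", "bob@victim.test": "DE"}


def ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def post_click_replay_failures(signins, clicks, expected_country,
                               window=timedelta(minutes=10)):
    """OfficeHome 50126 failures within `window` after a click by the same
    user, from a country other than the user's expected one."""
    click_times = {}
    for c in clicks:
        click_times.setdefault(c["user"], []).append(ts(c["time"]))
    flagged = []
    for s in signins:
        if s["app"] != "OfficeHome" or s["errorCode"] != 50126:
            continue
        if s["country"] == expected_country.get(s["user"]):
            continue
        t = ts(s["time"])
        if any(timedelta(0) <= t - ct <= window
               for ct in click_times.get(s["user"], [])):
            flagged.append(s)
    return flagged


def successes_from_flagged_ips(signins, flagged):
    """Successful sign-ins (errorCode 0) for the same user from an IP that
    already produced a flagged failure, at or after that first failure."""
    first_fail = {}
    for f in flagged:
        key = (f["user"], f["ip"])
        first_fail[key] = min(first_fail.get(key, ts(f["time"])), ts(f["time"]))
    return [s for s in signins
            if s["errorCode"] == 0
            and (s["user"], s["ip"]) in first_fail
            and ts(s["time"]) >= first_fail[(s["user"], s["ip"])]]


def hunt(signins=SIGNIN_EVENTS, clicks=CLICK_EVENTS, expected=EXPECTED_COUNTRY):
    """Run both stages and return the findings."""
    flagged = post_click_replay_failures(signins, clicks, expected)
    return {
        "replay_failures": flagged,
        "likely_takeovers": successes_from_flagged_ips(signins, flagged),
    }


if __name__ == "__main__":
    for name, events in hunt().items():
        print(name, len(events))
        for e in events:
            print("  ", e["time"], e["user"], e["ip"], e["errorCode"])
```

Keying the second stage on (user, IP) pairs rather than IP alone keeps a shared egress address from turning every colleague's normal sign-in into a takeover alert; the click-window join is what distinguishes a replay from the background rate of 50126 typos that any tenant produces.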
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | efficientplatforms[.]de | Primary campaign domain |
| Host | openmail.efficientplatforms[.]de | Frontend landing host (Cluster 1) |
| Host | originalpt.efficientplatforms[.]de | Earlier non-audio frontend host (Cluster 1) |
| Host | qygg.efficientplatforms[.]de | Backend controller host (Cluster 1) |
| Domain | 918ahoaurduaod[.]com | Randomized frontend cluster domain |
| Host | 786rty00jk.918ahoaurduaod[.]com | Frontend landing host (Cluster 2) |
| Domain | scalableinfrastructure[.]de | Backend controller domain |
| Host | gnjh.scalableinfrastructure[.]de | Backend controller host |
| Host | listen.microsoft-voicebox-recordings[.]com | Voicebox-themed asset host |
| Host | dvcfbghjyui8u7y6t5redfcvghjuk-1417693617.cos.na-ashburn.myqcloud[.]com | Tencent COS second-stage payload host |
| URL Path | /google.php | Stable backend controller path |
| Redirect Domain | meet.google[.]com/linkredirect | Trust-redirect abused to ferry victim to filter |
| Redirect Domain | www.google[.]com/url | Trust-redirect abused to ferry victim to filter |
| Redirect Domain | adservice.google.com[.]ph/ddm/clk/424929466;226923624 | Trust-redirect abused to ferry victim to filter |
| Redirect Domain | s3.us-east-1.amazonaws[.]com | Trust-redirect abused to ferry victim to filter |
| Cloudflare Key | 0x4AAAAAADdp34fpLM2KiBTM | Turnstile site key (efficientplatforms cluster) |
| Cloudflare Key | 0x4AAAAAADceN-c9qtwSnf8A | Turnstile site key (randomized frontend cluster) |
| IP Address | 104.161.48[.]103 | Email origin IP (sending infrastructure) |
| IP Address | 103.114.217[.]208 | Email origin IP (sending infrastructure) |
| IP Address | 148.163.93[.]50 | Email origin IP (sending infrastructure) |
| IP Address | 104.168.34[.]222 | Email origin IP (sending infrastructure) |
| IP Address | 98.183.80[.]18 | External replay IP observed in Entra (Gramercy, Louisiana, US) |
| IP Address | 98.44.29[.]78 | External replay IP observed in Entra (Katy, Texas, US) |
| IP Address | 68.11.117[.]95 | External replay IP observed in Entra (New Orleans, Louisiana, US) |
| IP Address | 216.27.183[.]135 | External replay IP observed in Entra (Akeley, Minnesota, US) |
| File Name | bootstrappp.min.js | Obfuscated second-stage JavaScript payload |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.