How Attackers Are Turning Legitimate Microsoft 365 Accounts Into Phishing Weapons

Overview

Phishing campaigns continue to evolve, and the latest version of the CodeStorm phishing kit demonstrates just how far attackers are willing to go to bypass traditional email security controls.

Rather than sending emails from suspicious domains or newly registered infrastructure, attackers are leveraging compromised Microsoft 365 accounts to distribute phishing messages from legitimate, trusted identities.

The result is a phishing campaign that looks authentic, passes common email authentication checks, and significantly increases the likelihood of reaching a user’s inbox.

Attack Breakdown

The campaign begins with a highly convincing voicemail notification email designed to resemble a genuine Microsoft message.

The email includes:

  • A voicemail reference number
  • Call duration details
  • Microsoft branding
  • An “Open Voicemail Portal” button

To further evade detection, the attackers append large blocks of hidden historical email thread content. This makes the message appear more like an existing business conversation rather than a phishing email, reducing the likelihood of detection by automated filtering systems.

Once the victim clicks the link, they are redirected to a phishing portal designed to imitate Microsoft’s authentication experience.

What Makes CodeStorm Different

CodeStorm goes beyond traditional credential harvesting.

Researchers found that the platform replays the submitted credentials against Microsoft’s identity infrastructure in real time, rather than simply storing them for later use.

The process includes:

  • Username validation
  • Credential submission
  • MFA triggering
  • Authentication workflow simulation

The phishing kit supports multiple authentication methods, including:

  • Microsoft Authenticator push notifications
  • SMS verification codes
  • Voice verification calls
  • Recovery codes

This creates a highly convincing experience that closely mirrors a legitimate Microsoft sign-in process.

Built to Evade Detection

CodeStorm includes several anti-analysis features designed to frustrate security tools and researchers.

These include:

  • Cloudflare Turnstile verification
  • Browser developer tool detection
  • Automation detection
  • Debugger timing checks
  • Automatic redirection to legitimate Microsoft pages when analysis is suspected

If suspicious activity is detected, the victim is redirected to a genuine Microsoft website, making the phishing page appear harmless.

This layered approach makes the campaign significantly more difficult to analyse than traditional phishing kits.

Why This Matters

One of the most concerning aspects of CodeStorm is the use of compromised Microsoft 365 accounts.

Because the emails originate from legitimate M365 tenants, they successfully pass:

  • SPF
  • DKIM
  • DMARC

This creates a level of trust that traditional phishing campaigns often struggle to achieve.

The campaign also performs live interactions with Microsoft Entra ID. Failed login attempts generated by the phishing kit can appear in tenant logs as genuine Microsoft authentication failures, potentially creating confusion during investigations.

For defenders, this means that traditional email security controls alone may not be sufficient.

Defensive Recommendations

Security teams should consider the following actions:

  • Train users to treat voicemail notifications with caution.
  • Investigate unexpected Microsoft 365 login prompts.
  • Monitor Microsoft Entra sign-in failures, particularly error code 50126.
  • Review unusual sign-in attempts from unfamiliar geographies.
  • Watch for suspicious inbox rules and OAuth consent grants.
  • Correlate phishing events with authentication telemetry.
  • Strengthen conditional access and risk-based authentication policies.

Organisations should also ensure that phishing investigations extend beyond email analysis and include Entra sign-in activity, MFA events, and post-authentication behaviour.
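The sign-in telemetry checks listed above (error code 50126 failures, unfamiliar geographies, correlating failures with later success) can be expressed as simple detection logic. The following is an added example, not code from the original post or from any vendor: it runs over a handful of constructed records shaped loosely like Entra ID sign-in log entries (the field names `user`, `time`, `ip`, `country`, `errorCode` are simplifications of the real schema, and the IP addresses are RFC 5737 documentation ranges). It does not cover the inbox-rule or OAuth-consent checks, which live in different log sources.

```python
"""Detection logic over constructed Entra ID-style sign-in records (not real logs).

Flags the pattern the post describes: a cluster of error 50126
(invalid username or password) failures from one source, and a later
successful sign-in from a source the user has never used before.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. errorCode 0 is a successful sign-in;
# 50126 is the invalid-credential failure code the post asks defenders to watch.
SAMPLE_SIGNINS = [
    # alice: normal sign-ins from her usual country
    {"user": "alice@example.com", "time": "2025-01-10T08:01:00Z", "ip": "198.51.100.10", "country": "GB", "errorCode": 0},
    {"user": "alice@example.com", "time": "2025-01-11T08:05:00Z", "ip": "198.51.100.10", "country": "GB", "errorCode": 0},
    # alice: burst of 50126 from an unfamiliar source, then a success from the same source
    {"user": "alice@example.com", "time": "2025-01-12T14:00:00Z", "ip": "203.0.113.77", "country": "NL", "errorCode": 50126},
    {"user": "alice@example.com", "time": "2025-01-12T14:00:20Z", "ip": "203.0.113.77", "country": "NL", "errorCode": 50126},
    {"user": "alice@example.com", "time": "2025-01-12T14:00:45Z", "ip": "203.0.113.77", "country": "NL", "errorCode": 50126},
    {"user": "alice@example.com", "time": "2025-01-12T14:03:00Z", "ip": "203.0.113.77", "country": "NL", "errorCode": 0},
    # bob: one mistyped password from his usual location, then success (benign)
    {"user": "bob@example.com", "time": "2025-01-09T09:00:00Z", "ip": "198.51.100.22", "country": "GB", "errorCode": 0},
    {"user": "bob@example.com", "time": "2025-01-12T09:00:00Z", "ip": "198.51.100.22", "country": "GB", "errorCode": 50126},
    {"user": "bob@example.com", "time": "2025-01-12T09:00:30Z", "ip": "198.51.100.22", "country": "GB", "errorCode": 0},
]


def parse_time(value):
    """Timestamps in the sample are UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def by_user(records):
    """Group records per user, ordered by time, so windows can be walked sequentially."""
    grouped = defaultdict(list)
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        grouped[rec["user"]].append(rec)
    return grouped


def find_50126_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Return {user: [(ip, first_failure_time, count)]} for runs of at least
    `threshold` 50126 failures from the same IP inside `window`.
    A single typo (bob) stays below the threshold and is not reported."""
    bursts = defaultdict(list)
    reported = set()
    for user, recs in by_user(records).items():
        failures = [r for r in recs if r["errorCode"] == 50126]
        for i, start in enumerate(failures):
            if (user, start["ip"]) in reported:
                continue
            started = parse_time(start["time"])
            run = [r for r in failures[i:]
                   if r["ip"] == start["ip"]
                   and parse_time(r["time"]) - started <= window]
            if len(run) >= threshold:
                bursts[user].append((start["ip"], started, len(run)))
                reported.add((user, start["ip"]))
    return dict(bursts)


def find_unfamiliar_success(records, baseline_before):
    """Successful sign-ins from a country the user had no successful sign-in
    from before `baseline_before` (a timestamp string in the sample format).
    Users with no baseline successes are skipped: there is nothing to compare."""
    cutoff = parse_time(baseline_before)
    alerts = []
    for user, recs in by_user(records).items():
        known = {r["country"] for r in recs
                 if r["errorCode"] == 0 and parse_time(r["time"]) < cutoff}
        if not known:
            continue
        for r in recs:
            if (r["errorCode"] == 0 and parse_time(r["time"]) >= cutoff
                    and r["country"] not in known):
                alerts.append((user, r["ip"], r["country"], r["time"]))
    return alerts


def burst_followed_by_success(records, follow_window=timedelta(minutes=30), **burst_kwargs):
    """Highest-priority signal: a 50126 burst from an IP followed, within
    `follow_window`, by a success from that same IP. That sequence is what
    replayed credentials look like in the tenant's own sign-in log."""
    alerts = []
    grouped = by_user(records)
    for user, items in find_50126_bursts(records, **burst_kwargs).items():
        for ip, started, count in items:
            for r in grouped[user]:
                t = parse_time(r["time"])
                if r["errorCode"] == 0 and r["ip"] == ip and started < t <= started + follow_window:
                    alerts.append({"user": user, "ip": ip, "failures": count, "success_at": r["time"]})
                    break
    return alerts


if __name__ == "__main__":
    print("50126 bursts:", find_50126_bursts(SAMPLE_SIGNINS))
    print("unfamiliar-country successes:", find_unfamiliar_success(SAMPLE_SIGNINS, "2025-01-12T00:00:00Z"))
    print("burst then success:", burst_followed_by_success(SAMPLE_SIGNINS))
```

The thresholds (three failures in ten minutes, success within thirty minutes) are illustrative and should be tuned against a tenant's real baseline; in production the same logic maps naturally onto a scheduled query over the sign-in log rather than an in-memory list, and a hit on `burst_followed_by_success` is the case where the failures are not noise but the tail of a successful credential replay.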

Expert in the Cloud Insight

CodeStorm highlights an important shift in modern phishing operations. Attackers are no longer trying to appear legitimate; they are becoming legitimate by abusing compromised accounts, trusted infrastructure, and real authentication workflows.

The traditional advice of “check the sender address” becomes far less effective when the sender is a genuine Microsoft 365 account that passes every email authentication check.

For organisations, the focus must move beyond email security and toward behavioural detection. Understanding how users normally authenticate, where they sign in from, and how they interact with Microsoft 365 becomes increasingly important as attackers blend into legitimate business processes.

Trust remains one of the most valuable assets in cybersecurity. Unfortunately, it is also one of the most targeted.

Expert in the Cloud – The Future Is Now
