FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms. Phishing campaigns are delivered via Telegram and use unique URLs to route users to credential-capturing counterfeit login pages. 

These pages masquerade as popular services and steal login credentials along with multifactor authentication tokens via HTTP POST requests to adversary-controlled backend servers. 

While most phishing pages use domains registered in .com, .de, .ru and .moscow, a small portion leverage Cloudflare Pages for deployment with manually created subdomain names that rely on separate backend servers for exfiltrating stolen data.   

Rockstar2FA phishing kit experienced disruption on November 11th where the decoy pages failed to redirect due to a Cloudflare 522 error.

The portal pages also malfunctioned and failed to load the counterfeit Microsoft login portal that indicating that the connection to the back-end server was severed.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Around the same time, FlowerStorm phishing activity surged, which is PaaS platform and has been active since June 2024. FlowerStorm phishing pages communicate with the backend server using a next.php file. 

The communication includes user credentials and a JWT token for session tracking, while the backend server can respond with success messages or MFA challenges. 

Some phishing pages communicate with a next.php file that is located on the same domain as the landing page, while others do not use the same structure.

FlowerStorm and Rockstar2FA phishing portals exhibit strong similarities that suggest a potential link between their developers. Both utilize similar HTML structures that include Cloudflare turnstile keys and random text in comments. 

Some features are shared between their backend communication methods, such as data exfiltration based on PHP and specific field names for email validation and login events. 

In many cases, the timing of their domain registrations and page detections coincides, which may indicate that they utilize a shared infrastructure or that their operations are coordinated.

FlowerStorm is a paid phishing service that leverages infrastructure and communication methods similar to the previous Rockstar2FA operation, including PHP-based communication and email validation features. 

It primarily targets organizations in the United States, Canada, and other Western countries by focusing on the service sector and reveals a preference for North American and European targets with the United States accounting for the majority of attacks.

Sophos analysis of Rockstar2FA and FlowerStorm indicates a possible shared origin due to similar kit contents and domain registration patterns. 

The diverging activity post-November 11th suggests a potential strategic shift, personnel changes, infrastructure disruption, or deliberate decoupling to evade detection.

While FlowerStorm’s rapid expansion has resulted in operational errors that allow for disruption and provide insights into their backend infrastructure.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar