Microsoft

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms. Phishing campaigns are delivered via Telegram and use unique URLs to route users to credential-capturing counterfeit login pages. 

These pages masquerade as popular services and steal login credentials along with multifactor authentication tokens via HTTP POST requests to adversary-controlled backend servers. 

While most phishing pages use domains registered in .com, .de, .ru and .moscow, a small portion leverage Cloudflare Pages for deployment with manually created subdomain names that rely on separate backend servers for exfiltrating stolen data.   

A Rockstar2FA “decoy” page

Rockstar2FA phishing kit experienced disruption on November 11th where the decoy pages failed to redirect due to a Cloudflare 522 error.

The portal pages also malfunctioned and failed to load the counterfeit Microsoft login portal that indicating that the connection to the back-end server was severed.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Around the same time, FlowerStorm phishing activity surged, which is PaaS platform and has been active since June 2024. FlowerStorm phishing pages communicate with the backend server using a next.php file. 

An HTTP request from the FlowerStorm phishing page

The communication includes user credentials and a JWT token for session tracking, while the backend server can respond with success messages or MFA challenges. 

Some phishing pages communicate with a next.php file that is located on the same domain as the landing page, while others do not use the same structure.

FlowerStorm and Rockstar2FA phishing portals exhibit strong similarities that suggest a potential link between their developers. Both utilize similar HTML structures that include Cloudflare turnstile keys and random text in comments. 

Some features are shared between their backend communication methods, such as data exfiltration based on PHP and specific field names for email validation and login events. 

The document object model of a Rockstar2FA phishing page

In many cases, the timing of their domain registrations and page detections coincides, which may indicate that they utilize a shared infrastructure or that their operations are coordinated.

FlowerStorm is a paid phishing service that leverages infrastructure and communication methods similar to the previous Rockstar2FA operation, including PHP-based communication and email validation features. 

A failed connection to a decoy page domain

It primarily targets organizations in the United States, Canada, and other Western countries by focusing on the service sector and reveals a preference for North American and European targets with the United States accounting for the majority of attacks.

Sophos analysis of Rockstar2FA and FlowerStorm indicates a possible shared origin due to similar kit contents and domain registration patterns. 

The diverging activity post-November 11th suggests a potential strategic shift, personnel changes, infrastructure disruption, or deliberate decoupling to evade detection.

While FlowerStorm’s rapid expansion has resulted in operational errors that allow for disruption and provide insights into their backend infrastructure.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all encrypted…

1 day ago

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning and…

2 days ago

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is transmitted…

2 days ago

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services (IIS)…

2 days ago

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques like…

2 days ago

New Scareware Attack Targeting Mobile Users to Deploy Malicious Antivirus Apps

A new wave of scareware attacks has emerged, targeting unsuspecting mobile users with fake antivirus…

2 days ago