FlowerStorm Rises as the New Microsoft 365 Phishing Threat After Rockstar2FA’s Collapse


Microsoft 365 Phishing Threat: FlowerStorm Emerges as Rockstar2FA’s Successor

A new phishing-as-a-service (PhaaS) platform called FlowerStorm has rapidly gained prominence following the unexpected collapse of Rockstar2FA in November 2024. This emerging threat specifically targets Microsoft 365 credentials through adversary-in-the-middle (AiTM) attacks: the phishing page proxies the victim's traffic to the genuine Microsoft sign-in flow, so the password, the MFA response and the resulting authenticated session cookie all pass through the attacker's server, which is why conventional one-time-code and push-based MFA does not stop it.

Key Similarities and Operations:
– Both platforms use near-identical phishing portals that mimic Microsoft 365 sign-in pages
– Backend servers hosted on .ru and .com domains
– Phishing pages share the same HTML structure and the same use of Cloudflare protections in front of the backend
– Comparable credential-harvesting methods
– Operational timing that lines up: FlowerStorm activity rose as Rockstar2FA's infrastructure went offline

Target Demographics:
– 63% of targeted organizations are US-based
– 84% of targeted users are in the United States
– Most affected sectors:
* Services (33%)
* Manufacturing (21%)
* Retail (12%)
* Financial Services (8%)

While Rockstar2FA’s shutdown appears to be due to technical issues rather than law enforcement action, FlowerStorm’s similar infrastructure and rapid rise suggest a possible rebranding effort. Sophos researchers note significant operational overlaps but cannot definitively confirm a direct connection between the two platforms.

Recommended Security Measures:
– Implement phishing-resistant MFA such as FIDO2 security keys or passkeys: an AiTM proxy can relay one-time codes and push approvals, but a FIDO2 credential is bound to the real sign-in origin and will not authenticate to the attacker's look-alike domain
– Deploy robust email filtering to stop the lures before delivery
– Use DNS filtering to block suspicious domains, including the .ru and .com backend infrastructure described above
– Monitor Microsoft 365 sign-in logs for signs of session-cookie replay, for example a successful sign-in followed minutes later by the same session arriving from an unfamiliar IP address; revoke the session and reset the credentials when this is found
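The last recommendation above is easiest to act on with a concrete hunt. The script below is an added example written for this page; it is not code from Sophos or from the article, and the sample records are constructed by hand, loosely modelled on the fields found in Entra ID sign-in logs (`userPrincipalName`, `ipAddress`, `sessionId`, `createdDateTime`, `resultType`). Real exports will need their field names mapped accordingly. It flags the signature of a replayed AiTM-stolen cookie: the same session ID used successfully from a second IP address shortly after the victim's own sign-in.

```python
"""Flag Microsoft 365 sign-ins that look like a replayed session cookie.

In an AiTM phishing attack the proxy captures the victim's authenticated
session cookie. When the attacker uses it, the same session ID shows up
from a different IP address shortly after the victim's own sign-in.
Added example for this page; the log schema below is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Entra ID sign-in log fields.
# None of these are real users, IP addresses or session IDs.
SAMPLE_SIGNIN_LOGS = [
    # Victim signs in through the phishing proxy; the proxy forwards the
    # credentials and MFA response, so Microsoft records a normal success.
    {"createdDateTime": "2024-12-02T09:14:05Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "sessionId": "sess-7f3a", "resultType": "0"},
    # Same session ID reused from a second IP 11 minutes later: the replay.
    {"createdDateTime": "2024-12-02T09:25:40Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "sessionId": "sess-7f3a", "resultType": "0"},
    # Benign: bob's session is seen twice from the same IP.
    {"createdDateTime": "2024-12-02T10:02:11Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "sessionId": "sess-1c9e", "resultType": "0"},
    {"createdDateTime": "2024-12-02T10:30:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "sessionId": "sess-1c9e", "resultType": "0"},
    # Benign: carol changes networks, but hours later (outside the window).
    {"createdDateTime": "2024-12-02T08:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.30", "sessionId": "sess-a4d2", "resultType": "0"},
    {"createdDateTime": "2024-12-02T13:45:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.8", "sessionId": "sess-a4d2", "resultType": "0"},
    # Failed sign-in: ignored, a failure does not produce a usable session.
    {"createdDateTime": "2024-12-02T09:20:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "198.51.100.5", "sessionId": "sess-ffff", "resultType": "50126"},
]


def _parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(records, window_minutes=60):
    """Return one finding per (user, session) where the same session ID is
    used successfully from a different IP within `window_minutes` of the
    earliest successful sign-in for that session.

    Only successful sign-ins (resultType "0") are considered, and the first
    IP seen for a session is treated as the legitimate origin.
    """
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for rec in records:
        if rec.get("resultType") != "0":
            continue
        by_session[(rec["userPrincipalName"], rec["sessionId"])].append(rec)

    findings = []
    for (user, session_id), events in by_session.items():
        events.sort(key=lambda r: _parse_time(r["createdDateTime"]))
        origin = events[0]
        origin_time = _parse_time(origin["createdDateTime"])
        for later in events[1:]:
            delta = _parse_time(later["createdDateTime"]) - origin_time
            if later["ipAddress"] != origin["ipAddress"] and delta <= window:
                findings.append({
                    "userPrincipalName": user,
                    "sessionId": session_id,
                    "originIp": origin["ipAddress"],
                    "replayIp": later["ipAddress"],
                    "minutesAfterOrigin": int(delta.total_seconds() // 60),
                })
                break  # one finding per session is enough to trigger a review
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_SIGNIN_LOGS):
        print("possible session-cookie replay:", finding)
```

Treat a hit as a trigger for investigation rather than proof: mobile users and VPN reconnects also change IP mid-session, so in production you would enrich the two IPs with ASN or geolocation data and tighten the window before auto-revoking sessions.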
