Hello egalegal, thank you for your comment and your interest in our work and research on Storm-0867, a threat activity group that uses AiTM phishing sites powered by ‘Caffeine’ to steal session cookies and login credentials. Here are some ways you can detect and protect your customers’ environment from this threat:
Product detections:
You can use the following Microsoft products to detect activities associated with Storm-0867:
- Microsoft Defender for Endpoint (MDE): This product detects Storm-0867’s activity on your customers' network and generates alerts with the following titles in the security center:
  - Emerging threat activity group Storm-0867 detected
  - A file or network connection related to threat actor Storm-0867 detected
- Microsoft Defender for Office (MDO): This product detects phishing emails that are potentially related to this threat. However, these alerts can also be triggered by unrelated threat activity, so you need to verify them carefully. The alert titles are:
  - Phish delivered due to an ETR override
  - Phish delivered due to an IP allow policy
  - Email reported by user as malware or phish
  - Form blocked due to potential phishing attempt
  - Phish not zapped because ZAP is disabled
  - Unusual increase in email reported as phish
  - Users targeted by phish campaigns
  - Form flagged and confirmed as phishing
  - Phish delivered because a user's Junk Mail Folder is disabled
- Microsoft Sentinel: This product provides the following Microsoft Sentinel Analytics template that can help you identify potential AiTM phishing attempts:
  - Possible AiTM Phishing Attempt Against Azure AD
Indicators:
Indicators associated with this threat actor group are continuously identified by Microsoft Threat Intelligence and incorporated into the products for detection. This eliminates the need for users of Microsoft Defender to maintain a list of active IOCs (Indicators of Compromise) related to this threat actor group. However, for your reference, here is a sample list of phishing domains associated with Storm-0867, identified during our investigations:
ymin12m3ys647eae9d4b62d[.]oasishe[.]ru
lne7ypqdjh6478fb5336a4e[.]specogut[.]ru
vejaga[.]eedmenon[.]com
anhwqlcoai646297ea4475f[.]iamthe[.]ru
wcb8te[.]neomatr[.]com
i5ju8[.]iiubestg[.]com
o8yngfzdi1646e734f894af[.]axlstg[.]ru
bwjgukv48p647a2153c8a46[.]94taiw[.]ru
vxrtken[.]vidyapvic[.]com
1ewsv[.]sweetlabds[.]com
bd5nqcenji6453c96e93871[.]tkdref[.]ru
4nla[.]steelaoats[.]com
s2nqbzgquy63f2dd7c3edb3[.]ishiki[.]ru
wdp0rhcmxl643fd525a7bea[.]horada[.]ru
lmo8083-0hsmmdhb[.]allcleanbydee2[.]com
xiq5hzxl3l6410c7eae98a7[.]parmal[.]ru
byz5ev[.]akatsu[.]ru
elxb[.]getain[.]ru
bwphza[.]ploda[.]ru
nasho[.]office-docs[.]net
uxuyar[.]filesholders[.]com
Additionally, we have included a sample Advanced Hunting Query (AHQ) that you can use to quickly search for (MDE onboarded) devices within the enterprise networks that may have connected with these phishing domains:
// AHQ to retrieve devices with network connections to Storm-0867 phishing sites
// Please remove the brackets '[ ]' from the domains before running the AHQ
let ioc_domains = pack_array('ymin12m3ys647eae9d4b62d[.]oasishe[.]ru',
'lne7ypqdjh6478fb5336a4e[.]specogut[.]ru',
'vejaga[.]eedmenon[.]com',
'anhwqlcoai646297ea4475f[.]iamthe[.]ru',
'wcb8te[.]neomatr[.]com',
'i5ju8[.]iiubestg[.]com',
'o8yngfzdi1646e734f894af[.]axlstg[.]ru',
'bwjgukv48p647a2153c8a46[.]94taiw[.]ru',
'vxrtken[.]vidyapvic[.]com',
'1ewsv[.]sweetlabds[.]com',
'bd5nqcenji6453c96e93871[.]tkdref[.]ru',
'4nla[.]steelaoats[.]com',
's2nqbzgquy63f2dd7c3edb3[.]ishiki[.]ru',
'wdp0rhcmxl643fd525a7bea[.]horada[.]ru',
'lmo8083-0hsmmdhb[.]allcleanbydee2[.]com',
'xiq5hzxl3l6410c7eae98a7[.]parmal[.]ru',
'byz5ev[.]akatsu[.]ru',
'elxb[.]getain[.]ru',
'bwphza[.]ploda[.]ru',
'nasho[.]office-docs[.]net',
'uxuyar[.]filesholders[.]com');
DeviceNetworkEvents
| where RemoteUrl has_any (ioc_domains)
Additional resources:
We strongly recommend reviewing our blog post titled “From Cookie Theft to BEC: Attackers Use AiTM Phishing Sites as Entry Points to Further Financial Fraud” (https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/). This blog offers in-depth insights into the typical Tactics, Techniques, and Procedures (TTPs) employed in AiTM attacks leading to BEC campaigns. It serves as an invaluable resource for those looking to delve deeper into these TTPs and conduct TTP-based investigations. Furthermore, the blog provides a comprehensive list of quality indicators and AHQs that can significantly aid in your investigative efforts.
We hope this helps you with your task. If you have any questions or feedback, please let us know.
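The following is an added example, not part of the reply above and not Microsoft's own tooling. It shows the two steps a defender has to get right when reusing the defanged domain list offline: refanging the `[.]` indicators, and matching them against the host part of a `RemoteUrl` value (the real `DeviceNetworkEvents` column name) rather than by plain substring, so that a lookalike such as `notoasishe.ru` does not produce a false hit. Only a subset of the reply's domains is embedded, and the `DeviceNetworkEvents`-style rows are constructed sample data, not real telemetry.

```python
"""Refang defanged phishing-domain IOCs and match them against network events.

Added example: complements the AHQ in the reply by doing host-level matching
(exact host or subdomain of the indicator) on a local export of events.
"""
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Subset of the defanged Storm-0867 domains listed in the reply above.
DEFANGED_IOCS = [
    "ymin12m3ys647eae9d4b62d[.]oasishe[.]ru",
    "vejaga[.]eedmenon[.]com",
    "nasho[.]office-docs[.]net",
    "uxuyar[.]filesholders[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') into a plain hostname."""
    d = indicator.strip().lower()
    for defanged_dot in ("[.]", "(.)", "{.}"):
        d = d.replace(defanged_dot, ".")
    d = d.replace("hxxps://", "").replace("hxxp://", "")
    return d.rstrip("/")


def host_of(remote_url: str) -> str:
    """Extract the hostname from a RemoteUrl, which may be a bare host or a full URL."""
    u = remote_url.strip().lower()
    if "://" not in u:
        u = "//" + u  # let urlsplit treat a bare host as the netloc
    return (urlsplit(u).hostname or "").rstrip(".")


def matches_ioc(host: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def find_hits(events: Iterable[dict], defanged_iocs=DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Return (DeviceName, RemoteUrl, matched indicator) for every event that hits an IOC."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for ev in events:
        ioc = matches_ioc(host_of(ev["RemoteUrl"]), iocs)
        if ioc is not None:
            hits.append((ev["DeviceName"], ev["RemoteUrl"], ioc))
    return hits


# Constructed sample rows in the shape of DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-finance-01", "RemoteUrl": "https://ymin12m3ys647eae9d4b62d.oasishe.ru/login"},
    {"DeviceName": "ws-hr-07", "RemoteUrl": "nasho.office-docs.net"},
    {"DeviceName": "ws-sales-03", "RemoteUrl": "https://cdn.vejaga.eedmenon.com/a.js"},
    {"DeviceName": "ws-it-02", "RemoteUrl": "https://www.microsoft.com/"},
    {"DeviceName": "ws-it-05", "RemoteUrl": "https://notoasishe.ru/"},  # lookalike, must not match
]

if __name__ == "__main__":
    for device, url, ioc in find_hits(SAMPLE_EVENTS):
        print(f"{device}: {url} -> matched {ioc}")
```

Matching on the parsed host rather than the raw URL string is the main difference from a `has_any` filter: it still catches connections to subdomains of an indicator (a CDN-style host under a listed domain), but a domain that merely contains an indicator as a substring is left alone.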