- Researchers say Rockstar2FA went silent in November 2024
- But soon a new PaaS emerged with partially overlapping infrastructure
- The new PaaS is called FlowerStorm, and it targets Microsoft 365 accounts
Cyber security researchers from Sophos have identified a new phishing-as-a-service (PaaS) tool that allows threat actors to easily harvest people's Microsoft 365 credentials.
The company revealed that the tool, called FlowerStorm, may have emerged from the (now dormant) Rockstar2FA, noting that detections of Rockstar2FA "suddenly went quiet" in November.
The group’s infrastructure was shut down, at least partially, for reasons that remain unclear, but researchers believe it was not the work of law enforcement.
Long live the flower storm?
Rockstar2FA is a PaaS platform designed to bypass two-factor authentication (2FA), mainly for Microsoft 365 accounts. It steals session cookies by intercepting the login flow, allowing attackers to access accounts without needing the victim's credentials or verification codes themselves. Through a simple interface and Telegram integration, threat actors who purchase a license can manage their campaigns in real time.
The new platform, known as FlowerStorm, appeared a few weeks after Rockstar2FA went quiet. Many of its tools and features overlap with Rockstar2FA, which is why Sophos speculates it could be its (spiritual) successor.
Sophos added that the vast majority of targets selected by FlowerStorm users (84%) were located in the United States, Canada, the United Kingdom, Australia and Italy.
U.S. companies were most frequently targeted (60%), followed by Canadian companies (8.96%). Overall, almost all (94%) of FlowerStorm targets were in North America or Europe, with the rest spread across Singapore, India, Israel, New Zealand, and the United Arab Emirates.
Most of the victims were from the service industry, that is, companies providing engineering, construction, real estate, and legal services and consulting.
Defending against FlowerStorm is the same as defending against any other phishing attack – use common sense and be careful with incoming emails.