- Researchers said Rockstar2FA went silent in November 2024.
- But soon after, a new PaaS emerged, with a partially overlapping infrastructure.
- The new PaaS is called FlowerStorm and is aimed at Microsoft 365 accounts.
Cybersecurity researchers at Sophos have warned that a new phishing-as-a-service (PaaS) tool has emerged, allowing threat actors to easily harvest people’s Microsoft 365 credentials.
The tool, called FlowerStorm, may have grown out of the now-defunct Rockstar2FA, the company revealed, noting that in November Rockstar2FA detections “suddenly went silent.”
Rockstar2FA’s infrastructure was taken offline, at least in part, for reasons that remain unknown, but the investigators do not believe this was the work of authorities.
Long live FlowerStorm?
Rockstar2FA was a PaaS platform designed to bypass two-factor authentication (2FA), primarily targeting Microsoft 365 accounts. It worked by intercepting login processes to steal session cookies, allowing attackers to access accounts without requiring credentials or verification codes. Through a simple interface and Telegram integration, threat actors who purchased a license could manage their campaigns in real time.
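The defensive angle on the mechanism described above is that a stolen session cookie is replayed from the attacker’s infrastructure, not from the device that completed the 2FA prompt. The following Python example, added here and not part of the Sophos report or the original article, shows one detection approach over sign-in telemetry: for each session, take the interactive sign-in that satisfied MFA as the anchor, then flag any later non-interactive use of that same session from a different ASN or country within a time window. The JSON-lines records, field names (`session`, `asn`, `country`, `mfa`, `interactive`) and the 24-hour window are constructed assumptions for this example, not a real product’s log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sign-in records in a simplified JSON-lines format. This is not
# real telemetry; the field names are assumptions made for this example.
SAMPLE_LOG = """\
{"ts":"2024-12-02T09:00:12Z","user":"alice@example.com","session":"S1","ip":"203.0.113.10","asn":"AS64500","country":"US","interactive":true,"mfa":true}
{"ts":"2024-12-02T09:07:40Z","user":"alice@example.com","session":"S1","ip":"198.51.100.77","asn":"AS64511","country":"NL","interactive":false,"mfa":false}
{"ts":"2024-12-02T10:00:03Z","user":"bob@example.com","session":"S2","ip":"192.0.2.5","asn":"AS64500","country":"US","interactive":true,"mfa":true}
{"ts":"2024-12-02T11:30:00Z","user":"bob@example.com","session":"S2","ip":"192.0.2.6","asn":"AS64500","country":"US","interactive":false,"mfa":false}
{"ts":"2024-12-02T12:00:00Z","user":"carol@example.com","session":"S3","ip":"203.0.113.40","asn":"AS64500","country":"US","interactive":true,"mfa":true}
{"ts":"2024-12-10T12:00:00Z","user":"carol@example.com","session":"S3","ip":"198.51.100.9","asn":"AS64512","country":"DE","interactive":false,"mfa":false}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_replayed_sessions(events, window=timedelta(hours=24)):
    """
    Flag likely session-cookie replay.

    The first interactive sign-in that satisfied MFA becomes the anchor for a
    (user, session) pair. Any later non-interactive event on the same session,
    within `window` of the anchor, that originates from a different ASN or
    country is reported. Same-ASN, same-country roaming (e.g. a DHCP change
    at the same provider) is deliberately not flagged.
    """
    anchors = {}
    alerts = []
    for ev in events:
        key = (ev["user"], ev["session"])
        if ev["interactive"] and ev["mfa"]:
            anchors.setdefault(key, ev)  # keep the earliest MFA sign-in
            continue
        anchor = anchors.get(key)
        if anchor is None:
            continue  # no MFA anchor for this session; out of scope here
        if ev["ts"] - anchor["ts"] > window:
            continue  # too far from the MFA event for this heuristic
        reasons = []
        if ev["asn"] != anchor["asn"]:
            reasons.append("asn_changed")
        if ev["country"] != anchor["country"]:
            reasons.append("country_changed")
        if reasons:
            alerts.append({
                "user": ev["user"],
                "session": ev["session"],
                "anchor_ip": anchor["ip"],
                "suspect_ip": ev["ip"],
                "seconds_after": int((ev["ts"] - anchor["ts"]).total_seconds()),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed data only alice’s session is reported: the MFA-satisfying sign-in came from a US address and, seven minutes later, the same session was used non-interactively from a different ASN in another country. Bob’s second event shares ASN and country with his anchor and carol’s second event falls outside the window, so neither is flagged. In production the same logic would run over the identity provider’s sign-in export, and the window and the ASN/country comparison are the knobs to tune against an organisation’s normal roaming patterns.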
The new platform, which emerged in the weeks after Rockstar2FA’s silence, was named FlowerStorm by researchers. Many of its tools and features apparently overlap with those of Rockstar2FA, so Sophos speculates that it could be its (spiritual) successor.
The vast majority of targets chosen by FlowerStorm users (84%) are located in the United States, Canada, the United Kingdom, Australia and Italy, Sophos added.
Companies in the United States were the most attacked (60%), followed by Canada (8.96%). Overall, almost all (94%) of FlowerStorm’s targets were in North America or Europe, with the remainder falling in Singapore, India, Israel, New Zealand, and the United Arab Emirates.
The majority of victims belong to the service sector, that is, companies that provide engineering, construction, real estate, and legal services, as well as consulting.
Defending against FlowerStorm is the same as defending against any other phishing attack: use common sense and be careful with incoming emails.