{
	"id": "610b1fd8-435d-4394-9523-28f451788807",
	"created_at": "2026-04-06T00:12:05.739133Z",
	"updated_at": "2026-04-10T03:33:22.621085Z",
	"deleted_at": null,
	"sha1_hash": "230938daf9640d6145ca08c1f8f846a17fc99ba6",
	"title": "Rewterz Threat Update - Microsoft Warns of Emerging Threat by Storm-0539 Behind Gift Card Frauds - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37878,
	"plain_text": "Rewterz Threat Update - Microsoft Warns of Emerging Threat by\r\nStorm-0539 Behind Gift Card Frauds - Rewterz\r\nPublished: 2023-12-18 · Archived: 2026-04-05 14:33:20 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nMicrosoft recently issued a warning of a rise in malicious activities from a new threat cluster tracked as Storm-0539 for various gift card fraud and theft campaigns using phishing via emails or SMS against retailers during the\r\nholiday shopping season. The end goal of these attacks is to distribute malicious links that redirect the targeted\r\nusers to adversary-in-the-middle (AiTM) phishing pages designed to steal credentials and session tokens.\r\nOnce access to an initial session has been obtained, Storm-0539 registers a device under their control for\r\nsecondary authentication prompts, gaining persistence in the environment, and bypassing multi-factor\r\nauthentication (MFA) by using the compromised identity. The foothold that is obtained behaves as a conduit used\r\nfor privilege escalation, lateral movement across the network, and gaining access to cloud resources to harvest\r\nsensitive information. They especially target gift card-related services for performing their fraudulent activities.\r\nStorm-0539 is also observed collecting emails, contact lists, and network configurations to launch additional\r\nattacks against the same targeted organizations. The adversary is hence described as a financially motivated threat\r\ngroup that has been active since at least 2021. They are known for performing extensive reconnaissance of their\r\nvictims to craft convincing phishing lures for credential and token theft and gain initial access.\r\nThe disclosure comes after Microsoft obtained a court order to seize the infrastructure of a cybercriminal group\r\nlinked to Vietnam tracked as Storm-1152 that was selling access to almost 750 million compromised Microsoft\r\naccounts and identity verification bypass tools. 
The company also warned about several threat actors exploiting\r\nOAuth applications to perform automated cybercrimes for financial gain, like Business Email Compromise\r\n(BEC), spam campaigns, phishing, and deploying virtual machines for mining cryptocurrency illegally.\r\nImpact\r\nIdentity Theft\r\nCredential Theft\r\nFinancial Loss\r\nRemediation\r\nAlways be suspicious about emails sent by unknown senders.\r\nNever click on links/attachments sent by unknown senders.\r\nEnsure that general security policies are employed including: implementing strong passwords, correct\r\nconfigurations, and proper administration security policies\r\nEnable multifactor authentication (MFA).\r\nEnable conditional access policies to block attacks that use stolen credentials.\r\nEnable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered\r\nprotection is necessary to secure vulnerable assets.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/"
	],
	"report_names": [
		"rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds"
	],
	"threat_actors": [
		{
			"id": "eb317a88-9474-4329-90a0-ae7e632ac75b",
			"created_at": "2024-02-02T02:00:04.082914Z",
			"updated_at": "2026-04-10T02:00:03.557196Z",
			"deleted_at": null,
			"main_name": "Storm-0539",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0539",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ead52dab-d2cb-44f4-a67a-56ffbc347b7e",
			"created_at": "2024-02-02T02:00:04.084899Z",
			"updated_at": "2026-04-10T02:00:03.560106Z",
			"deleted_at": null,
			"main_name": "Storm-1152",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1152",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/230938daf9640d6145ca08c1f8f846a17fc99ba6.pdf",
		"text": "https://archive.orkl.eu/230938daf9640d6145ca08c1f8f846a17fc99ba6.txt",
		"img": "https://archive.orkl.eu/230938daf9640d6145ca08c1f8f846a17fc99ba6.jpg"
	}
}