{
	"id": "ca54f7b7-de21-4288-aef5-252eb1637728",
	"created_at": "2026-04-06T00:06:46.738899Z",
	"updated_at": "2026-04-10T13:12:51.726122Z",
	"deleted_at": null,
	"sha1_hash": "344d3b9e4f6ad182adb5c4f3ab5a816e27dd4c02",
	"title": "Analysing a Widespread Microsoft 365 Credential Harvesting Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1900569,
	"plain_text": "Analysing a Widespread Microsoft 365 Credential Harvesting\r\nCampaign\r\nBy Joshua Penny Senior Threat Intelligence Analyst\r\nArchived: 2026-04-05 14:40:56 UTC\r\nBridewell Cyber Threat Intelligence (CTI) has identified a widespread credential harvesting campaign\r\nthat has been ongoing since July.\r\nThe threat actors, believed to be connected to Storm-1575, are utilising the Dadsec platform to conduct\r\nwidespread phishing of global organisations to steal Microsoft 365 credentials. The threat actors are using\r\nCyberPanel, an open-source web hosting panel, and hundreds of Domain Generation Algorithm (DGA) domains that\r\nare created daily to host credential harvesting pages.\r\nDGA is a technique used by malicious actors to rapidly generate multiple domain names that can be used to host\r\nmalicious content, such as malware, phishing sites, and command-and-control servers. It is used to evade\r\ndetection and to ensure that malicious content is not blocked by security controls.\r\nThe threat actors are using a variety of lures to redirect victims via services such as Bing, Google AMP and\r\nMicrosoft Customer Voice before landing them on credential harvesting pages. The infrastructure associated with\r\nthis activity sits behind Cloudflare, a technique used to mask the origin of the malicious servers and evade\r\ndetection by security tooling.\r\nOur Cyber Threat Intelligence team has been working with our Security Operations Centre (SOC) on two\r\nincidents that began our initial investigations. After conducting research into this campaign, Bridewell CTI\r\nidentified over 500 DGA domains, with up to 900 associated subdomains, all generated daily since July as part of\r\nthis activity. Utilising this information, we have been able to identify historical successful connections from\r\nother Bridewell customers which had gone unidentified by conventional security tooling. We have also ensured\r\nthat affected customers had passwords reset to prevent account takeover.\r\nWe were also able to uncover additional infrastructure belonging to the Dadsec platform and threat actors utilising\r\nthis toolset in campaigns. Based on the description provided by Microsoft and the findings in this report, we\r\nassess with a high degree of confidence that this campaign matches the cluster of activity associated with\r\nStorm-1575.\r\nWhilst we attribute the campaign to the same cluster, it should be noted that any malicious threat actor with\r\nsufficient intent can purchase and run a campaign through the Dadsec platform with very little sophistication and\r\nfinancial investment.\r\nThe campaign is ongoing and we will share all identified IOCs in this report. Furthermore, we are sharing the\r\nprocess and analysis steps taken by our CTI team when supporting our IR teams on customer engagements.\r\nhttps://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign\r\nPage 1 of 20\n\nAdditionally, CTI has worked closely with the teams at ANY.RUN, who collaborated with Bridewell to improve\r\ndetection of this campaign within their platform as well as contribute to this report.\r\nBy consuming a threat intelligence service, you should expect that intrusion analysis is being performed by the\r\nthreat intelligence team. This will ensure they are producing actionable insights and intelligence from attempted\r\nand successful attacks against your organisation. Bridewell CTI uses a blend of automated and manual analysis\r\nprocesses to keep you informed and protected against credible threats to your business and sector.\r\n2. Initial Incidents\r\nOn the 28th and 29th of September 2023, we observed two of our customers, working in different sectors,\r\nreceiving suspicious emails that ultimately directed users to fake Microsoft 365 credential harvesting pages. In one\r\ninstance, the organisation received over 500 emails with 25 being successfully delivered.\r\nFigure 1. Fake Microsoft 365 Credential Harvesting Page\r\n2.1 Indicators\r\nURL: 1e0yq0dnmzxs8ato15f0[.]15cl6[.]ru\r\nURL: xmpmczxnljxtr4opmtd7[.]w6u56[.]ru\r\nBased on the indicators from each incident, our Security Analysts assessed that the domains in both may be\r\nconnected. Comparing the two indicators above, we noted the following traits:\r\nBoth domains have a .RU TLD.\r\nThe domains are 5 alphanumeric characters long.\r\nThe subdomains are 20 alphanumeric characters long.\r\nFigure 2. Example infection chain\r\n1. The user receives an email containing one of a variety of lures to share a file, which typically includes an HTML file\r\nattachment.\r\n2. When the user clicks the link, the browser connects to a number of legitimate services abused for\r\nredirecting (e.g. Bing, Google AMP, Microsoft Customer Voice).\r\n3. The user is redirected to the threat actor infrastructure hosted behind Cloudflare. The website presents the\r\nTurnstile CAPTCHA to validate a user session.\r\n4. The user is then presented with a fake Microsoft 365 page with the user email pre-populated, including their\r\ncompany logo.\r\n5. The kit supports MFA and will run the user through the process; meanwhile an API acts as the user to\r\nrelay the challenge responses and issues the user credentials to the threat actor via the web panel.\r\nExample infection chains can be found here (note: whilst possible, no abuse of the Amazon r2.dev domain was\r\nobserved during our research): https://twitter.com/anyrun_app/status/1709193919118844267\r\n3. CTI Investigation\r\nThe IR team wanted to answer the following questions:\r\nWas there a connection between our customers?\r\nWere there other similar phishing emails delivered to our customers?\r\nDo we have any more information about this campaign?\r\nCTI began the investigation with these questions in mind as we began two strands of work:\r\n1. An initial internal hunt in our customer environments based on visible characteristics from known IOCs\r\n2. Open-source research to uncover additional infrastructure or domains, providing more indicators\r\nand context\r\n4. The Campaign\r\nBased on the information provided by the IR team, we can use information about the domains, combined with\r\nobserved technologies utilised by the threat actors, to uncover additional infrastructure. By analysing the URLs\r\nwithin the ANY.RUN sandbox, we were able to identify the use of CyberPanel, an open-source web hosting\r\nplatform.\r\nFigure 3. CyberPanel page on hosting infrastructure\r\n4.1 Additional Infrastructure\r\nPassive internet scanners are an incredibly good way of pivoting on identifiable characteristics of known bad\r\ninfrastructure in order to identify further servers sharing these characteristics. We began by understanding what the\r\nknown indicators from the incident looked like in the tool FOFA:\r\nFigure 4. FOFA result for known indicator\r\nBased on the known infection chain, we can see that the domains sit behind Cloudflare. This can be\r\nproblematic in that this is an effective mechanism for masking the true destination of the malicious infrastructure.\r\nHowever, we were able to observe the use of the open-source hosting framework, CyberPanel. This gives us an\r\nindication of the technologies potentially used by the threat actors.\r\nPivoting off known information regarding Cloudflare, CyberPanel and the .RU TLD, we can return additional\r\ninfrastructure:\r\nFigure 5. Wider search for known indicators using FOFA\r\nWhilst not exhaustive, the above search gives us an indication of the size and scale of the potential campaign and\r\nprovides our security team with additional indicators to search for, building from the new information.\r\nWhen we analyse the domains we’ve collected from FOFA further, we can begin to identify additional\r\ncharacteristics of the domains involved in this campaign. The graphs below visualise some of those\r\ncharacteristics:\r\nThe domains are registered with R01-RU and MAXNAME.\r\nThe domains host a number of subdomains.\r\nThe sites are using Let’s Encrypt, R1 and Google Trust Services LLC certificates.\r\nFigure 6. Correlation between domains and WHOIS (Group-IB Threat Intelligence Platform)\r\nGraph showing the connection between domain Registrars\r\nFigure 7. Correlation between WHOIS records and Registrars\r\nWhen enriching our results further based on known features and passive DNS, we are able to uncover additional\r\ndomains. In total, at the time of analysis, we identified ~500 domains containing 900 subdomains believed to be\r\nlinked with this campaign.\r\nBased on WHOIS information, we can use the creation date of the domains to help understand when the campaign\r\nbegan and how active the ongoing campaign is:\r\nFigure 8. Timeline of new domain creation dates by month\r\nThe threat actor is actively generating hundreds of new domains every month to support this activity. A recent\r\narticle by Infoblox details a new shift by threat actors to utilise RDGAs (registered DGAs) instead of DGAs. Whilst we get to\r\ngrips with the new definitions, it appears that the frequent registration of new domains by threat actors to evade\r\ndetection matches what we are seeing here and from other criminals such as malware authors. The goal of threat\r\nactors in utilising RDGAs is to ensure that each new domain is considered clean by security tooling as and when the\r\nthreat actors deploy them in campaigns.\r\nA full list of domains identified by Bridewell can be found at the following link: https://github.com/Bridewell-CTI/IOCs/blob/main/2023/10/Storm-1575.txt\r\n4.2 Analysing known indicators\r\nGoing a step further, we decided to further enrich and analyse our known indicators to help understand more about\r\nthe campaign, such as:\r\nWhat lures are the threat actors using?\r\nWhat file types are being used?\r\nHow many samples are being submitted per day?\r\nWhat and how many targets have been affected?\r\nThe following image demonstrates the number of samples submitted to VirusTotal that communicate with our\r\nknown domains:\r\nFigure 9. Graph showing VT file submissions by subdomain\r\nWhilst this indicates that a number of the domains have been utilised in active campaigns, it shows that a number\r\nof the remaining domains either haven’t had samples submitted by victims/targets, or, due to their young age,\r\nhave yet to be utilised.\r\n4.2.1 What lures are the threat actors using?\r\nFigure 10. Closer inspection of VT submitted files with subdomains\r\nBy extracting the subject information, we are able to identify the types of lures that the threat actors are using in\r\nthis campaign. By grouping on keywords we were able to identify the following themes:\r\nAdvanced Payment or Payment Receipt/Confirmation\r\nSecure or Scanned Documents\r\nInvoices\r\nEmployee Handbook ({Organisation})\r\nVM/Audio Recordings\r\nImportant Updates\r\n2FA or MFA setup/update\r\n4.2.2 How long has the campaign been going on?\r\nFigure 11. File submission dates by month\r\nWhen comparing file submission dates, we can see that there is a slight delay between domain creation and the\r\nactivity beginning and being submitted for analysis in VirusTotal. Based on the currently available information, it's\r\nclear that the campaign is ongoing.\r\n4.2.3 What file types are they using?\r\nBy collecting this information from VirusTotal, we can see that the majority of samples in this campaign\r\ncontained some form of HTML attachment that was used to initiate the infection chain.\r\nAttachment Type Count\r\nDOCX 9\r\nHTML 800\r\nJAVASCRIPT 15\r\nPDF 144\r\nTEXT 16\r\n4.2.4 What sectors have been affected?\r\nBased on analysis of the base64 encoded email addresses populated in the phishing URLs, CTI identified\r\norganisations operating in over 30 different sectors. The most common were Financial Services, Manufacturing,\r\nLocal Government and Energy. Using the organisation head office information, 27 of the 54\r\norganisations identified were based in the United States and 7 were within the United Kingdom.\r\nBased on this information, we can assess with a high degree of confidence that targeting is directed at Western\r\ncountries. We can also assess with high confidence that targeting is not directed at a specific sector or victim\r\nprofile.\r\nFigure 12. Pie Chart showing affected sectors\r\n5. Attribution\r\nCredential harvesting is nothing new and it's utilised by many threat actors. Fortunately, we were provided a key\r\npiece of information that was relevant and interesting to this campaign by our SOC. Microsoft Threat Intelligence\r\nlinked an initial domain to activity conducted by Storm-1575.\r\n5.1 Who are Storm-1575?\r\nAccording to Microsoft:\r\n“Microsoft has identified Storm-1575 as a cluster of activity using known infrastructure for several Phishing as a\r\nService (PhaaS) campaigns on the Dadsec platform. The Dadsec platform allows cybercriminals to launch\r\nphishing campaigns without developing the phishing websites themselves. These websites are designed to look\r\nlike legitimate web portals and are used to harvest user credentials and authentication tokens. This alert triggers\r\nupon a network connection to a domain affiliated with a Dadsec phishing page managed by a developer that\r\nMicrosoft tracks as Storm-1575.”\r\nBased on the description provided by Microsoft and the findings in this report, Bridewell assesses with a high\r\ndegree of confidence that this campaign matches the cluster of activity associated with Storm-1575. Whilst\r\nwe attribute the campaign to the same cluster, it should be noted that any malicious threat actor with sufficient\r\nintent can purchase and run a campaign through the Dadsec platform with very little sophistication and financial\r\ninvestment.\r\n5.2 What is Dadsec?\r\nAs Microsoft describes, the Dadsec platform provides threat actors with the tools to conduct phishing campaigns.\r\nCTI first discovered the site dadsec[.]pw which lists a number of tools for download; however, only the “Office\r\nLogin Checker 2023” file is available for download.\r\nFigure 13. Dadsec webpage\r\nPer the following Telegram channel “dadsec_pw”, this tool is made freely available by the developer. The Dadsec\r\nchannel was first created in January 2023 and provides users with updates to the platform.\r\nFigure 14. Dadsec Telegram channel\r\nOn June 17th, the developers posted that they had launched their new website, dadsec[.]store, whereby users can\r\npurchase the “Office 365 private page” from their store. They also released a new Telegram channel on 8th August\r\nto support customers of the new store. This developer activity coincides with our assessment that the campaign\r\nbegan in July, just after this development.\r\nOn the Dadsec store Telegram channel the developer takes users through how the phishing kit works, including\r\ngrabbing and using cookies to log in to compromised Microsoft 365 accounts, examples of the different themes,\r\nas well as access to and management of the phishing panels:\r\nFigure 16. Dadsec Panel\r\nFigure 17. Dadsec harvesting page example\r\n5.2.1 Dadsec Store\r\nThe new Dadsec store website, dadsec[.]store, is hosted on Namecheap in the US and is also protected by a\r\nCloudflare captcha on the login portal.\r\nFigure 18. Dadsec Store login panel\r\nOnce you’ve logged in to the portal, you are met with the following dashboard:\r\nFigure 19. Dadsec store page\r\nThe only item that can be purchased is the “OTT” Office 365 tool, which can be activated once purchased for\r\n$500. Payment can be made via Bitcoin and PerfectMoney. The support provided on the platform takes you to the\r\nTelegram account “Mr sashu0x1”, which differs from the Telegram account “Dadsec Store”:\r\nFigure 20. Telegram account for “Mr sashu0x1”\r\nAdditionally, the developer behind Dadsec also created a YouTube account on June 8th with other instruction\r\nvideos:\r\nFigure 21. Dadsec YouTube Channel\r\n5.3 Linking Campaign infrastructure to Dadsec\r\nDuring analysis, we were able to single out backend infrastructure that hosted credential pages from domains\r\nlinked to this campaign.\r\nThe following IP addresses are involved in this campaign:\r\n95.216.158[.]157\r\n93.123.73[.]210\r\nCountry IP Address Host Organisation\r\nFI 95.216.158[.]157 www.6gdta4cfx7iibgg960im.7heob05.ru Hetzner Online GmbH\r\nBG 93.123.73[.]210 https://k68w0vrsnw3suiun72v9.zaq3.ru Verdina Ltd.\r\nBG 93.123.73[.]210 https://817x9guzn5fhx2h2nsze.2kd5.ru Verdina Ltd.\r\nBG 93.123.73[.]210 https://www.h6thcl5jiwvvx030mvxk.f3u1.ru Verdina Ltd.\r\n5.3.1 Analysing the backend servers\r\nFigure 22. Inspecting the backend servers for open services\r\nBy analysing the open ports and banners for these IP addresses we can gather additional information.\r\n93.123.73[.]210 is running a number of open ports and services. Based on the following screenshot we can see\r\nfrom CyberPanel that the server is running LiteSpeed and also has SMTP, DNS and FTP ports open.\r\nAdditionally, we see the domains and subdomains on ports 80 and 443 as well as portmapper on port 111.\r\nThe same ports and services were running on  however, the SMTP banner was slightly different and didn’t\r\nreference Dadsec; instead the following string was observed: “three.enb6lvl.site”.\r\nLooking at the SMTP port 25, we can check the banner information. The notable observation is the reference to\r\nDadsec, allowing us to connect this back to the Dadsec platform. This information is also visible on port 465 for\r\nSMTPS:\r\nFigure 23. SMTP service banner\r\n5.3.2 Hosting providers\r\nHetzner Online GmbH and Verdina Ltd. appear to be two hosting providers of choice for the threat actors. These\r\nhosting providers provide automated deployment of tools such as CyberPanel, making them an obvious choice for\r\nthe threat actors.\r\n5.3.3 Hunting for Dadsec\r\nNow that we know some SMTP mail servers reference Dadsec, we can use this information to uncover other\r\npotential mail servers utilised by the threat actors in this campaign:\r\nFigure 24. Image hunting for Dadsec IP addresses\r\nAS_Organisation IP Port Country\r\nIws Networks LLC 91.223.82[.]108 25 AE\r\nIws Networks LLC 91.223.82[.]39 465 AE\r\nIws Networks LLC 91.223.82[.]108 465 AE\r\nIws Networks LLC 91.223.82[.]39 587 AE\r\nIws Networks LLC 91.223.82[.]108 587 AE\r\nSIA VEESP 94.242.61[.]249 587 RU\r\nIws Networks LLC 91.223.82[.]39 25 AE\r\nSIA VEESP 94.242.61[.]249 25 RU\r\nScalaxy B.V. 37.252.13[.]62 587 NL\r\nScalaxy B.V. 37.252.13[.]62 465 NL\r\nScalaxy B.V. 37.252.13[.]62 25 NL\r\nThe search above identifies other infrastructure utilising the Dadsec platform that may be linked to this campaign.\r\n6. Collaborating with ANY.RUN\r\nDuring our research, CTI identified a post by a security researcher working at ANY.RUN, highlighting a regular\r\nexpression query to capture phishing domains that matched the domains that we had observed. We reached out to\r\nthem in order to share findings and collaborate to understand the extent of this campaign.\r\nANY.RUN had the following comments:\r\n“After analyzing the structure of the phishing campaign domains that you provided, we hypothesized that an\r\nautomated domain name generation system was being used, similar to Domain Generation Algorithms (DGAs),\r\nwhich we sometimes see in malware examined by our analytics department. This was confirmed by the uniform\r\nfrequency distribution of the alphabet characters that make up domain names.\r\nDespite this challenge, we were determined to protect our customers. To that end, we created network rules for the\r\nSuricata IDS (Intruder Detection System), a system for detecting unwanted network activity used in\r\nANY.RUN. These rules rely on regular expressions to distinguish suspicious sequences of domain name\r\ncharacters from the domain names generated by ordinary users. In this case, the “letter-digit-letter” and “digit-letter-digit” character combinations, as well as the lengths of domains and subdomains, played an important role.\r\nBy implementing these rules in our service, we were able to enhance its detection capabilities and discover the\r\nsignificant scale of the malicious campaign. As a result, we increased the visibility of phishing public submissions\r\nto our users by about 2x, identifying approximately 650 phishing alerts across the samples submitted by our users\r\nper day.”\r\nA number of examples are provided below:\r\nhttps://app.any.run/tasks/60c8ef7a-c89f-435d-96cc-f6a1832a4095/\r\nhttps://app.any.run/tasks/8fc0327e-2122-442a-a7b1-becce5b39fe0/\r\nhttps://app.any.run/tasks/f3330f01-65cd-4353-8af5-e4f14b013d6f/\r\nMany thanks to Jane for collaborating with us on this research and providing insight and support, including the\r\ngeneration of new detection content through the ANY.RUN platform.\r\n7. Action Taken\r\nBy uncovering this dataset and information, we were able to:\r\nProvide technical intelligence back to the SOC for retrospective searches within the timescale of the\r\ncampaign in our customer environments. This uncovered additional successful connection network events\r\nfrom two more of our customers, allowing us to reset user accounts. This allowed us to identify missed\r\nalerts from security tooling.\r\nCreate analytics for our security tooling to alert on connections to new infrastructure linked to this platform\r\nand campaign, further protecting our customers in real-time.\r\nAfter conducting our analysis we are able to answer a number of the questions posed by our IR teams at the\r\nbeginning of the incident:\r\n7.1 Was there a connection between our customers?\r\nWe don’t believe there was any direct connection between Bridewell’s customers; a broad spectrum of sectors is\r\naffected by this campaign.\r\n7.2 Were there other similar phishing emails delivered to our customers?\r\nYes, other customers were affected by this campaign. At the time of receiving the phishing emails, no security\r\nproducts were detecting the links as phishing; however, no compromise was detected, and user accounts were reset\r\nas a precaution.\r\n7.3 Do we have any more information about this campaign?\r\nWe now know this campaign is utilising the Dadsec platform and can potentially be linked to a threat actor that\r\nMicrosoft tracks as Storm-1575. The campaign is ongoing and generating new domains and VT submissions every\r\nmonth. CTI has enabled the SOC to conduct retro hunts and generate new detections moving forward.\r\n8. Takeaway\r\nIntrusion analysis is a valuable tool for any security team focused on threat intelligence. Intrusion analysis models\r\nallow those tasked with generating cyber threat intelligence to quickly analyse large amounts of incoming data and\r\nestablish clear linkages between various pieces of threat information. The outcome for your security teams is a\r\nbetter understanding of adversary intents and strategies, which enables your business to develop proactive\r\ncountermeasures against new and emerging cyber threats.\r\nSource: https://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign"
	],
	"report_names": [
		"analysing-widespread-microsoft365-credential-harvesting-campaign"
	],
	"threat_actors": [
		{
			"id": "9b1d173a-51f2-4857-833e-62fbacf044d9",
			"created_at": "2024-02-02T02:00:04.094591Z",
			"updated_at": "2026-04-10T02:00:03.569152Z",
			"deleted_at": null,
			"main_name": "Storm-1575",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434006,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/344d3b9e4f6ad182adb5c4f3ab5a816e27dd4c02.pdf",
		"text": "https://archive.orkl.eu/344d3b9e4f6ad182adb5c4f3ab5a816e27dd4c02.txt",
		"img": "https://archive.orkl.eu/344d3b9e4f6ad182adb5c4f3ab5a816e27dd4c02.jpg"
	}
}