What happened
Attackers are abusing legitimate Microsoft 365 accounts to scale a phishing operation known as CodeStorm.
Instead of relying only on fake sender infrastructure, the attackers hijack real Microsoft 365 accounts and use them to send phishing emails from trusted identities. Because the messages come from active Microsoft 365 accounts, they can pass sender authentication checks such as SPF, DKIM, and DMARC, increasing the chance that the emails reach inboxes.
The phishing emails mimic Microsoft voicemail notifications. They include a formatted layout, call duration, reference ID, and a button labeled as a voicemail portal using Microsoft branding. Below the visible message, the phishing kit appends a long block of dummy historical email thread content to confuse automated scanning systems and make the email look like a low-risk business thread.
Researchers at ZeroBEC found that CodeStorm has evolved to include tenant-aware Microsoft 365 credential replay. The kit does not only collect passwords. It actively replays submitted credentials against Microsoft’s live identity infrastructure in real time, mimicking legitimate sign-in behavior to support MFA bypass attempts.
Once a victim clicks the link, they reach a landing page protected by Cloudflare Turnstile, which helps filter out automated scanners. The page also checks for browser developer tools and automation signals. If suspicious behavior is detected, the victim is redirected to a legitimate Microsoft URL, making the page appear harmless.
The backend infrastructure supports the full Microsoft MFA workflow, including Authenticator push, SMS one-time codes, voice calls, and Hotmail recovery codes. When a victim submits credentials, the phishing kit replays them against Microsoft and generates a genuine Entra sign-in failure in the victim’s tenant logs.
Defenders may see these failed sign-ins from unexpected U.S.-based locations within seconds of a phishing click. Follow-on signs of compromise can include new inbox rules, unusual OAuth grants, MFA prompts from unfamiliar locations, and successful sign-ins from IPs previously tied to failure events.
Who is affected
Organizations using Microsoft 365 are affected, especially those whose users may receive phishing emails from compromised but legitimate Microsoft 365 accounts.
The campaign is particularly dangerous for organizations that rely heavily on sender reputation, SPF, DKIM, and DMARC checks to block phishing. Because the emails are sent from real Microsoft 365 accounts, they may appear more trustworthy to both users and automated security tools.
Users who receive voicemail-themed phishing emails are directly targeted. If they submit credentials and complete MFA prompts, attackers may be able to take over accounts, create inbox rules, grant OAuth access, or perform additional activity inside the tenant.
Why CISOs should care
CodeStorm shows how phishing operations are moving beyond basic credential harvesting. The kit can replay credentials against Microsoft’s identity infrastructure in real time and support multiple MFA workflows, making it more dangerous than static phishing pages.
For CISOs, the abuse of legitimate Microsoft 365 accounts is especially important. Sender authentication is useful, but it does not prove that a message is safe when the sending account itself has been compromised. Security teams need behavior-based detection that considers sender anomalies, message structure, post-click telemetry, and identity events together.
The campaign also reinforces the importance of monitoring Microsoft Entra logs. A phishing click may be followed almost immediately by failed sign-ins from unexpected locations, MFA prompts, suspicious OAuth grants, inbox rule creation, or successful sign-ins from infrastructure previously associated with replay attempts.
3 practical actions
- Correlate email anomalies with identity telemetry: CodeStorm uses compromised Microsoft 365 accounts, voicemail lures, dummy thread stuffing, and real-time credential replay. CISOs should connect email security events with Entra sign-in logs, MFA activity, OAuth grants, and inbox rule changes to detect account takeover attempts earlier.
- Hunt for suspicious Entra sign-in failures after phishing clicks: The kit can generate genuine Microsoft sign-in failures when it replays submitted credentials. Security teams should prioritize OfficeHome sign-in failures with error code 50126, especially when they occur shortly after a phishing click from locations outside a user’s normal geography.
- Monitor for post-compromise mailbox and OAuth activity: Follow-on indicators include new inbox rules, unusual OAuth grants, MFA prompts from unfamiliar locations, and successful sign-ins from IPs previously tied to failure events. Organizations should alert on these behaviors and revoke suspicious sessions, tokens, and app grants quickly.
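A defender-side correlation check for the second and third actions above, added here as an illustration and not taken from the ZeroBEC report or any vendor tooling: it joins phishing-click events from an email security product with Entra sign-in records, flags OfficeHome failures with error code 50126 that land within a short window after a click from outside the user's usual countries, and then looks for later successful sign-ins from an IP already tied to such a failure. The sample users, timestamps, IPs, the per-user country baseline and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). Times are UTC ISO-8601 strings.
# Email-security click events: who clicked a flagged voicemail lure, and when.
PHISH_CLICKS = [
    {"user": "alice@example.com", "time": "2024-05-01T14:02:10"},
]

# Entra sign-in log subset: application, error code, outcome, source IP, country.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T14:02:25", "app": "OfficeHome",
     "error": 50126, "success": False, "ip": "203.0.113.7", "country": "US"},
    {"user": "alice@example.com", "time": "2024-05-01T14:40:00", "app": "OfficeHome",
     "error": 0, "success": True, "ip": "203.0.113.7", "country": "US"},
    {"user": "bob@example.com", "time": "2024-05-01T09:00:00", "app": "OfficeHome",
     "error": 50126, "success": False, "ip": "198.51.100.9", "country": "DE"},
]

# Assumed per-user baseline of normal sign-in countries, built from prior history.
BASELINE = {"alice@example.com": {"DE"}, "bob@example.com": {"DE"}}

WINDOW = timedelta(minutes=5)  # assumed: how soon after a click a replay failure counts


def parse(ts):
    return datetime.fromisoformat(ts)


def replay_failures(clicks, signins, baseline, window=WINDOW):
    """Return OfficeHome 50126 failures that occur within `window` after a phishing
    click by the same user and originate outside that user's baseline countries."""
    hits = []
    for c in clicks:
        t0 = parse(c["time"])
        for s in signins:
            if s["user"] != c["user"] or s["app"] != "OfficeHome" or s["error"] != 50126:
                continue
            delay = parse(s["time"]) - t0
            if timedelta(0) <= delay <= window and s["country"] not in baseline.get(s["user"], set()):
                hits.append({"user": s["user"], "ip": s["ip"], "delay_s": int(delay.total_seconds())})
    return hits


def successes_from_failed_ips(signins, failures):
    """Follow-on indicator: successful sign-ins from an IP previously tied to a
    replay failure for the same user. These sessions are candidates for revocation."""
    flagged = {(f["user"], f["ip"]) for f in failures}
    return [s for s in signins if s["success"] and (s["user"], s["ip"]) in flagged]


if __name__ == "__main__":
    fails = replay_failures(PHISH_CLICKS, SIGNINS, BASELINE)
    print("replay failures after click:", fails)
    print("successes from flagged IPs:", successes_from_failed_ips(SIGNINS, fails))
```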
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.