CodeStorm Phishing Kit Abuses Compromised M365 Accounts to Bypass Email Security and MFA
Hackers are using compromised Microsoft 365 accounts to power the CodeStorm phishing kit, which bypasses SPF, DKIM, and DMARC and replays credentials against Microsoft's live identity infrastructure to defeat MFA.

A sophisticated phishing operation known as CodeStorm is leveraging compromised Microsoft 365 accounts to send highly convincing voicemail-themed lures that bypass traditional email security controls. According to a report from ZeroBEC shared with Cyber Security News, the kit uses real M365 identities as trusted sending platforms, allowing malicious emails to pass SPF, DKIM, and DMARC authentication checks and land directly in victims' inboxes.
The attack begins with an email that mimics a Microsoft voicemail notification, complete with a call duration, reference ID, and an "OPEN VOICEMAIL PORTAL" button branded with the Microsoft logo. Below the visible message, the kit appends a long block of dummy historical email thread content designed to confuse automated scanning engines into classifying the message as a low-risk business thread rather than a phishing lure. The From, To, and Return-Path headers are all identical, a key indicator defenders can use to identify the campaign.
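The two email-layer traits just described are mechanical enough to check in a triage script. The following Python is an added example for this article, not code from ZeroBEC or from the kit; the lure and the benign control message are constructed for the example, and the padding is detected as body text inside an inline display:none container, which is one reasonable assumption about how "hidden" content is hidden rather than something the report specifies.

```python
"""Email-layer triage for the CodeStorm lure pattern described above:
From, To and Return-Path resolving to one address, plus a large hidden
block padded under the visible voicemail notice. SAMPLE_EML and
BENIGN_EML are constructed for this example, not real captures."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed lure: the compromised mailbox mails itself (real recipients
# would sit in Bcc) and hides a fake historical thread below the visible body.
SAMPLE_EML = (
    b"From: Jane Doe <jane.doe@contoso-example.com>\n"
    b"To: Jane Doe <jane.doe@contoso-example.com>\n"
    b"Return-Path: <jane.doe@contoso-example.com>\n"
    b"Subject: New voicemail (0:42)\n"
    b"Content-Type: text/html; charset=utf-8\n"
    b"\n"
    b"<html><body>\n"
    b"<p>You have a new voicemail. Duration: 0:42. Ref: VM-000000</p>\n"
    b'<p><a href="https://example.invalid/vm">OPEN VOICEMAIL PORTAL</a></p>\n'
    b'<div style="display:none">\n'
    + b"From: Bob\nRe: Q3 numbers\n" * 60
    + b"</div>\n</body></html>\n"
)

# Constructed benign control: ordinary person-to-person mail.
BENIGN_EML = (
    b"From: Alice <alice@example.com>\n"
    b"To: Bob <bob@example.com>\n"
    b"Return-Path: <alice@example.com>\n"
    b"Subject: Lunch?\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"\n"
    b"Want lunch at noon?\n"
)

# Assumption: the padding lives in containers hidden with inline display:none.
HIDDEN_BLOCK = re.compile(
    r"<(div|span|p)[^>]*display\s*:\s*none[^>]*>(.*?)</\1>", re.I | re.S
)


def _address(msg, header):
    """Bare lower-cased address from a header, '' when the header is absent."""
    return parseaddr(msg.get(header, ""))[1].lower()


def sender_recipient_identical(msg):
    """True when From, To and Return-Path all resolve to one address."""
    addrs = {_address(msg, h) for h in ("From", "To", "Return-Path")}
    return len(addrs) == 1 and "" not in addrs


def hidden_padding_ratio(html):
    """Share of the body text that sits inside display:none containers."""
    strip = lambda s: re.sub(r"<[^>]+>", "", s).strip()
    total = len(strip(html))
    if total == 0:
        return 0.0
    hidden = sum(len(strip(m.group(2))) for m in HIDDEN_BLOCK.finditer(html))
    return hidden / total


def triage(raw, padding_threshold=0.5):
    """Return the two CodeStorm signals and a combined verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    identical = sender_recipient_identical(msg)
    ratio = hidden_padding_ratio(html)
    return {
        "identical_from_to_return_path": identical,
        "hidden_padding_ratio": round(ratio, 2),
        "suspicious": identical and ratio >= padding_threshold,
    }


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(name, triage(raw))
```

The identical-address check alone is noisy (people do mail themselves), which is why the verdict requires both signals; tune padding_threshold against your own mail flow before alerting on it.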
What sets CodeStorm apart from typical credential-harvesting kits is its tenant-aware credential replay, but a victim has to clear an anti-analysis layer before reaching it. Clicking the link lands on a page protected by a Cloudflare Turnstile challenge that filters out automated scanners. The landing page also probes for browser developer tools and automation signals, including timing how long a debugger statement takes to execute: with developer tools open the statement pauses execution, so a long delay marks an analyst rather than a victim. If anything suspicious is detected, the page redirects to a legitimate Microsoft URL.
Once past the anti-analysis layer, the kit performs live home-realm discovery against Microsoft's real identity infrastructure, the lookup that tells it which tenant a submitted username belongs to and how that tenant signs in, which is what makes the kit tenant-aware. The phishing page drives its backend controller through a small set of actions: do=check for identity discovery, do=login for credential submission, and do=verify to trigger MFA. The do=login action replays submitted credentials against Microsoft in real time, so a rejected attempt shows up in the victim tenant's sign-in logs as a genuine Entra failure with error code 50126 (invalid username or password). Because the kit sits between the victim and Microsoft while the session is being established, it relays the second factor as well: do=verify prompts the victim for whichever method the account uses, with support for Authenticator push, SMS one-time codes, voice calls, and Hotmail recovery codes, and forwards the response, so MFA is satisfied by the victim on the attacker's behalf.
The campaign's infrastructure rotates frontend domains while keeping a stable backend controller hidden under the path /google.php. Indicators of compromise include domains such as efficientplatforms[.]de and 918ahoaurduaod[.]com, with backend hosts like gnjh.scalableinfrastructure[.]de. The kit also abuses redirects hosted on trusted domains, including meet.google[.]com/linkredirect and adservice.google.com[.]ph, to ferry victims to the filter page.
ZeroBEC researchers outlined key detection signals for defenders. On the email layer, security teams should watch for messages whose From, To, and Return-Path headers are identical, combined with hidden padding below the visible body (whitespace runs and the dummy thread text). In Microsoft Entra, teams should prioritize hunting for OfficeHome sign-in failures carrying error code 50126, particularly when several cluster within minutes of a phishing-click event and originate from source IPs outside the user's expected geography; a lone 50126 is routine (a mistyped password), so the timing and geography are what make it actionable. Follow-on signs of compromise include new inbox rules, unusual OAuth grants, and MFA prompts from unfamiliar locations.
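The Entra hunt above can be expressed as a small correlation over exported sign-in records and click telemetry. The Python below is an added example for this article, not ZeroBEC's query or tooling; the sign-in records, click events and per-user country baselines are constructed, and the field names (createdDateTime, userPrincipalName, appDisplayName, ipAddress, status.errorCode, location.countryOrRegion) follow the Microsoft Graph signIn resource, which is an assumption about how your export is shaped.

```python
"""Identity-layer hunt for the replay artifact described above: OfficeHome
sign-in failures with Entra error 50126 (invalid username or password) that
land within minutes of a phishing-click event and come from outside the
user's usual geography. All records are constructed for this example;
field names follow the Microsoft Graph signIn resource (assumption)."""
from datetime import datetime


def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T09:02:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


JANE = "jane.doe@contoso-example.com"
BOB = "bob.smith@contoso-example.com"

# Constructed sign-in export. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, not real infrastructure.
SIGN_INS = [
    # Baseline success from the user's usual country, hours before the click.
    {"createdDateTime": "2024-05-01T06:00:00Z", "userPrincipalName": JANE,
     "appDisplayName": "OfficeHome", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "GB"}},
    # A typo by the real user before any click: same code, wrong timing.
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": JANE,
     "appDisplayName": "OfficeHome", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "GB"}},
    # Two replays from the kit's backend, two and three minutes after the click.
    {"createdDateTime": "2024-05-01T09:02:00Z", "userPrincipalName": JANE,
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2024-05-01T09:03:00Z", "userPrincipalName": JANE,
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    # Different app after a click: not the OfficeHome pattern.
    {"createdDateTime": "2024-05-01T10:05:00Z", "userPrincipalName": BOB,
     "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.22",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    # Right app and code, but 45 minutes after the click: outside a 30-minute window.
    {"createdDateTime": "2024-05-01T10:45:00Z", "userPrincipalName": BOB,
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.22",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
]

# Constructed click telemetry, e.g. from a URL-rewriting mail gateway.
CLICK_EVENTS = [
    {"userPrincipalName": JANE, "timestamp": "2024-05-01T09:00:00Z"},
    {"userPrincipalName": BOB, "timestamp": "2024-05-01T10:00:00Z"},
]

# Countries each user normally signs in from (in practice, 30-day history).
USER_BASELINE = {JANE: {"GB"}, BOB: {"GB"}}


def find_replay_candidates(sign_ins, clicks, baseline, window_minutes=30):
    """OfficeHome 50126 failures within window_minutes after a click by the same user."""
    clicks_by_user = {}
    for c in clicks:
        clicks_by_user.setdefault(c["userPrincipalName"], []).append(_ts(c["timestamp"]))
    hits = []
    for rec in sign_ins:
        if rec.get("appDisplayName") != "OfficeHome":
            continue
        if rec.get("status", {}).get("errorCode") != 50126:
            continue
        upn = rec["userPrincipalName"]
        t = _ts(rec["createdDateTime"])
        # Only failures at or after a click, and no later than the window.
        if not any(0 <= (t - ct).total_seconds() <= window_minutes * 60
                   for ct in clicks_by_user.get(upn, [])):
            continue
        country = rec.get("location", {}).get("countryOrRegion")
        hits.append({
            "userPrincipalName": upn,
            "createdDateTime": rec["createdDateTime"],
            "ipAddress": rec.get("ipAddress"),
            "countryOrRegion": country,
            "unusual_geo": country not in baseline.get(upn, set()),
        })
    return hits


def cluster_by_user(hits):
    """Count candidate failures per user; a burst after one click is the signal."""
    counts = {}
    for h in hits:
        counts[h["userPrincipalName"]] = counts.get(h["userPrincipalName"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_replay_candidates(SIGN_INS, CLICK_EVENTS, USER_BASELINE)
    for h in found:
        print(h)
    print(cluster_by_user(found))
```

The pre-click 50126 and the Azure Portal failure fall out on purpose: without the click correlation and the app filter, this query degrades into "every mistyped password in the tenant", which is why the report stresses clustering and geography rather than the error code alone.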
The CodeStorm campaign represents an evolution in phishing-as-a-service operations, where attackers no longer need to build fake infrastructure from scratch. By hijacking real M365 accounts and replaying credentials against Microsoft's live systems, they dramatically increase the success rate of their attacks while making detection significantly more challenging for defenders.