Cyber Security News

New PaaS Platform “FlowerStorm” Attacking Microsoft 365 Users

A new phishing-as-a-service (PaaS) platform called “FlowerStorm” has emerged, targeting Microsoft 365 users. This platform has quickly gained traction following the unexpected disruption of its predecessor, Rockstar2FA, in November 2024.

Rockstar2FA, an updated version of the DadSec phishing kit, suffered a partial infrastructure collapse on November 11, 2024.

Sophos researchers Sean Gallagher and Mark Parsons noted that many of the service’s pages became unreachable, likely due to technical failures rather than law enforcement action.

FlowerStorm, which first appeared in June 2024, has swiftly filled the void left by Rockstar2FA. The new platform shares several features with its predecessor, including advanced evasion mechanisms, a user-friendly panel, and various phishing options.


Like Rockstar2FA, FlowerStorm employs adversary-in-the-middle (AiTM) techniques to intercept user credentials and session cookies, effectively bypassing multi-factor authentication protections. The platform uses phishing portals that mimic legitimate Microsoft login pages to harvest credentials and MFA tokens.

Both platforms utilize similar domain registration and hosting patterns, with heavy use of .ru and .com domains and Cloudflare services. FlowerStorm has adopted a botanical theme for its operations, as evidenced by the use of plant-related terms like “Flower,” “Sprout,” “Blossom,” and “Leaf” in its HTML page titles.

Rockstar2FA & FlowerStorm Detections (Source: Sophos)

Sophos’ telemetry reveals that approximately 63% of organizations and 84% of users targeted by FlowerStorm are based in the United States. The most affected sectors include services (33%), manufacturing (21%), retail (12%), and financial services (8%).

To protect against these sophisticated phishing attacks, experts recommend using multi-factor authentication with AiTM-resistant FIDO2 tokens, deploying email filtering solutions, and using DNS filtering to block access to suspicious domains.
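Why the FIDO2 recommendation above holds against an AiTM relay, shown as an added simulation that is not from the article or from Sophos: the browser writes the origin it is actually displaying into the signed client data and refuses an rpId foreign to that origin, so an assertion relayed through a phishing proxy never verifies at the real relying party. The origins, the HMAC stand-in for the authenticator's private-key signature and the reduced authenticator data are assumptions made for the demo.

```python
import hashlib, hmac, json, os

# Assumed origins; Microsoft's real relying-party deployment differs.
RP_ID = "login.example.com"
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login.example-sso.net"  # constructed AiTM proxy origin

class ToyAuthenticator:
    # Stand-in for a FIDO2 authenticator: HMAC with a secret only it holds replaces
    # the real per-credential private-key signature so the demo stays stdlib-only.
    def __init__(self):
        self.secret = os.urandom(32)

    def sign(self, rp_id, client_data_json):
        auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
        msg = auth_data + hashlib.sha256(client_data_json).digest()  # what WebAuthn signs
        return auth_data, hmac.new(self.secret, msg, "sha256").digest()

def browser_get_assertion(auth, page_origin, rp_id, challenge):
    # The browser, not page script, records the origin it is showing and refuses an
    # rpId that is neither the page's host nor a registrable parent of it.
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError("rpId does not match the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = auth.sign(rp_id, client_data)
    return client_data, auth_data, sig

def rp_verify(auth, challenge, client_data, auth_data, sig):
    # Relying party: fresh challenge, expected origin, expected rpIdHash, valid signature.
    cd = json.loads(client_data)
    if cd["challenge"] != challenge or cd["origin"] != RP_ORIGIN:
        return False
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(auth.secret, msg, "sha256").digest(), sig)

def legitimate_login():
    auth, challenge = ToyAuthenticator(), os.urandom(16).hex()
    return rp_verify(auth, challenge, *browser_get_assertion(auth, RP_ORIGIN, RP_ID, challenge))

def aitm_relay_login():
    # Proxy relays the real challenge to a victim browsing PHISH_ORIGIN. The browser refuses
    # the real rpId there, so the proxy can only ask for its own; the relying party then
    # rejects the assertion because its origin and rpIdHash are wrong.
    auth, challenge = ToyAuthenticator(), os.urandom(16).hex()
    phish_host = PHISH_ORIGIN.split("://", 1)[1]
    return rp_verify(auth, challenge, *browser_get_assertion(auth, PHISH_ORIGIN, phish_host, challenge))
```

A TOTP or push code has no such origin binding, which is why the AiTM portals the article describes can relay it unchanged.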

The rapid rise of FlowerStorm underscores the persistent threat posed by phishing-as-a-service platforms. As cybercriminals continue to evolve their tactics, organizations and individuals must remain vigilant and adopt robust security measures to safeguard their Microsoft 365 accounts and sensitive information.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
