Deep Dive: The CodeStorm Adversary-in-the-Middle (AiTM) Campaign Targeting Microsoft 365

A sophisticated multi-organization phishing campaign, attributed to the CodeStorm threat actor, is currently targeting Microsoft 365 tenants. Unlike traditional credential harvesting, this campaign utilizes a highly evolved, tenant-aware Adversary-in-the-Middle (AiTM) kit. The infrastructure is characterized by a decoupled architecture: it employs rapidly rotating frontend domains to mask its presence, while routing all critical logic to a remarkably stable backend controller path, specifically /google.php.

One of the more subtle aspects of this campaign is the use of “conversation stuffing.” Analysts at ZeroBEC observed that the email lures—often themed around voicemails—deliberately append long, irrelevant historical email threads beneath a large block of whitespace. While a human user is unlikely to scroll through this dummy content, many automated Secure Email Gateways (SEGs) ingest the entire thread. This technique tricks scanners into misclassifying the phishing attempt as a low-risk “thread hijack” or a legitimate reply, effectively lowering the message’s overall threat score.

The same unrelated conversation block reused across multiple victim tenants to bypass automated filters. (Source: ZeroBEC)
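The following Python heuristic is an added example (not from the original article and not ZeroBEC's tooling) showing how a mail-flow rule can flag the stuffing pattern described above: a large run of blank lines, followed by quoted-thread markers, where the hidden tail dwarfs the short visible pretext. The two message bodies are constructed samples, the thread markers and the 20-line gap threshold are assumptions, and HTML bodies should be converted to plain text (runs of `<br>` or `&nbsp;` rendered as blank lines) before being scored.

```python
import re

# Constructed sample lure body (not a real message): a short voicemail pretext,
# a large block of whitespace, then an unrelated historical thread underneath.
SAMPLE_STUFFED_BODY = (
    "You have a new voicemail (0:42). Listen now: https://vm-notice.example.invalid/play\n"
    + "\n" * 120
    + "From: alice@example.invalid\n"
    "Sent: Tuesday 09:14\n"
    "Subject: RE: Q3 budget review\n"
    "Thanks Bob, the revised numbers look fine to me.\n"
    "\n"
    "-----Original Message-----\n"
    "From: bob@example.invalid\n"
    "Subject: Q3 budget review\n"
    "Hi Alice, attached is the budget draft for review.\n"
)

# Constructed ordinary reply: a short answer directly above the quoted thread.
SAMPLE_NORMAL_REPLY = (
    "Thanks, sounds good.\n"
    "\n"
    "-----Original Message-----\n"
    "From: carol@example.invalid\n"
    "Subject: lunch\n"
    "Lunch at noon?\n"
)

# Markers that usually open quoted or forwarded thread content (assumed list).
THREAD_MARKERS = re.compile(
    r"^(?:From:|Sent:|-----Original Message-----|On .+ wrote:)", re.MULTILINE
)


def longest_blank_run(lines):
    """Return (start_index, length) of the longest run of consecutive blank lines."""
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, line in enumerate(lines):
        if line.strip() == "":
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    return best_start, best_len


def analyze_stuffing(body, min_gap_lines=20):
    """Score a plain-text body for conversation stuffing.

    Returns the gap size, whether thread markers follow the gap, the sizes of
    the visible and hidden parts, and a verdict. min_gap_lines is an assumed
    threshold; tune it against your own mail corpus.
    """
    lines = body.splitlines()
    gap_start, gap_len = longest_blank_run(lines)
    head = "\n".join(lines[:gap_start]) if gap_start >= 0 else body
    tail = "\n".join(lines[gap_start + gap_len:]) if gap_start >= 0 else ""
    thread_after_gap = bool(THREAD_MARKERS.search(tail))
    stuffed = (
        gap_len >= min_gap_lines
        and thread_after_gap
        # The hidden thread should dwarf the visible pretext above the gap.
        and len(tail) > len(head)
    )
    return {
        "gap_lines": gap_len,
        "thread_after_gap": thread_after_gap,
        "visible_chars": len(head),
        "hidden_chars": len(tail),
        "stuffed": stuffed,
    }


def is_conversation_stuffed(body, min_gap_lines=20):
    """Boolean wrapper around analyze_stuffing for use in mail-flow rules."""
    return analyze_stuffing(body, min_gap_lines)["stuffed"]


if __name__ == "__main__":
    for label, sample in (("stuffed", SAMPLE_STUFFED_BODY), ("normal", SAMPLE_NORMAL_REPLY)):
        print(label, analyze_stuffing(sample))
```

The size comparison matters: a normal reply also has a thread beneath a short answer, so the gap length is what separates the two, and the ratio of hidden to visible text stops a single stray blank block in a long legitimate message from tripping the rule.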

From a technical standpoint, the kit excels at separating its delivery scale from its core protocol. The frontend domains rotate across various Top-Level Domains (TLDs) and randomized hosts. To track victims, the kit passes identity data through URL parameters or fragments (such as e= tokens or Base64-encoded fragments). By utilizing URL fragments, the attackers ensure that sensitive victim identifiers avoid server-side logs and standard telemetry pipelines, making it difficult for defenders to build reliable detection patterns based on static parameters.
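Because an identifier carried in the URL fragment never reaches the server, the lure URL sitting in the reported message is often the only place a defender can recover it. As an added triage example (not from the original article or ZeroBEC), the Python below pulls a victim email out of a reported URL whether it sits in the query or the fragment, as a plain `e=` value or as a Base64-encoded token. The sample URLs and hosts are constructed; `e=` is the only parameter name the article mentions, the other keys tried are hypothetical extras.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Parameter names to try. Only e= is reported for this kit; the rest are
# hypothetical extras commonly seen in similar lures.
CANDIDATE_KEYS = ("e", "email", "u", "id")

# Constructed sample lure URLs (the hosts do not exist). The base64 fragment is
# generated here so the sample is reproducible.
_B64_VICTIM = base64.urlsafe_b64encode(b"victim@example.invalid").decode().rstrip("=")
SAMPLE_URLS = {
    "query_plain": "https://a1b2.vm-notice.invalid/voicemail/?e=victim@example.invalid",
    "fragment_b64": "https://c3d4.vm-notice.invalid/voicemail/#" + _B64_VICTIM,
    "fragment_keyed": "https://e5f6.vm-notice.invalid/voicemail/#e=" + _B64_VICTIM,
    "no_identifier": "https://g7h8.vm-notice.invalid/voicemail/",
}


def try_base64(token):
    """Decode base64 or base64url with missing padding tolerated; None on failure."""
    cleaned = token.strip().replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _as_email(candidate):
    """Return the candidate if it is an email address, or its base64 decoding if that is."""
    if EMAIL_RE.match(candidate):
        return candidate
    decoded = try_base64(candidate)
    if decoded and EMAIL_RE.match(decoded):
        return decoded
    return None


def extract_victim_identifier(url):
    """Locate a victim email carried in the query string or the fragment.

    Returns (location, email) with location "query" or "fragment", or None
    when nothing recognisable is present. The fragment is checked explicitly
    because browsers never send it to the server, so proxy and web-server logs
    will not contain it.
    """
    parts = urlsplit(url)
    for location, raw in (("query", parts.query), ("fragment", parts.fragment)):
        if not raw:
            continue
        params = parse_qs(raw, keep_blank_values=True)
        for key in CANDIDATE_KEYS:
            for value in params.get(key, []):
                email = _as_email(value)
                if email:
                    return location, email
        # Bare token with no key=value structure.
        email = _as_email(raw)
        if email:
            return location, email
    return None


if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(name, "->", extract_victim_identifier(url))
```

Run this over URLs extracted from user-reported emails rather than over proxy logs: the recovered address tells you which mailbox was targeted, which is the pivot for the sign-in log correlation later in this write-up.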

The initial landing page is heavily fortified. The first-stage HTML enforces a Cloudflare Turnstile challenge to weed out automated bots. Furthermore, the script implements aggressive anti-analysis measures: it probes for navigator.webdriver, detects tools like Burp Suite or PhantomJS, disables common Developer Tools shortcuts, and employs a “debugger timing trap.” If an analyst attempts to inspect the page, the timing discrepancy triggers a redirect to a legitimate-looking Microsoft encryption URL, effectively leading the researcher into a dead end.
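The anti-analysis behaviours above leave recognisable traces in page source, which is useful for triaging URLs submitted to a sandbox or captured by a proxy. The following Python scanner is an added example (not from the original article or ZeroBEC) that scores fetched page source against static indicator rules for the webdriver probe, the tool fingerprinting, the DevTools shortcut blocking, the debugger timing trap, and the presence of the Turnstile widget. The regexes, weights and threshold are my own approximations, and both page samples are constructed rather than taken from the kit.

```python
import re

# Static indicator rules for the anti-analysis behaviours described above.
# Regexes and weights are assumptions, not signatures from the write-up.
# Turnstile alone carries a low weight because legitimate sites use it too.
EVASION_RULES = [
    ("webdriver_probe", 3, re.compile(r"navigator\s*\.\s*webdriver")),
    ("tool_fingerprint", 2, re.compile(r"phantomjs|burp", re.IGNORECASE)),
    ("devtools_shortcut_block", 2,
     re.compile(r"keydown[\s\S]{0,200}?(?:['\"]F12['\"]|keyCode\s*===?\s*123)")),
    ("debugger_timing_trap", 4,
     re.compile(r"(?:performance\.now|Date\.now|new\s+Date)\s*\(\)[\s\S]{0,300}?"
                r"\bdebugger\b[\s\S]{0,300}?(?:performance\.now|Date\.now|new\s+Date)\s*\(\)")),
    ("turnstile_widget", 1,
     re.compile(r"challenges\.cloudflare\.com/turnstile|cf-turnstile")),
]

# Constructed page source exhibiting the described behaviours (not the kit's code).
SAMPLE_LANDING_PAGE = r"""
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<div class="cf-turnstile" data-sitekey="PLACEHOLDER-SITEKEY"></div>
<script>
(function () {
  if (navigator.webdriver || /PhantomJS/i.test(navigator.userAgent)) { location.href = "about:blank"; }
  document.addEventListener("keydown", function (e) {
    if (e.key === "F12" || e.keyCode === 123) { e.preventDefault(); }
  });
  var t0 = performance.now();
  debugger;
  if (performance.now() - t0 > 100) { location.href = "https://dead-end.example.invalid/"; }
})();
</script>
"""

# Constructed benign page: a keyboard handler and some timing, no evasion.
SAMPLE_BENIGN_PAGE = r"""
<script>
document.addEventListener("keydown", function (e) { if (e.key === "Enter") submit(); });
var start = Date.now(); render(); console.log("render ms", Date.now() - start);
</script>
"""


def scan_page(source):
    """Return the names of all evasion rules that match the page source."""
    return [name for name, _weight, rx in EVASION_RULES if rx.search(source)]


def evasion_score(source):
    """Sum the weights of the matching rules."""
    return sum(weight for _name, weight, rx in EVASION_RULES if rx.search(source))


def is_evasive(source, threshold=4):
    """Verdict for a triage queue; the threshold is an assumed starting point."""
    return evasion_score(source) >= threshold


if __name__ == "__main__":
    for label, page in (("landing", SAMPLE_LANDING_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(label, scan_page(page), evasion_score(page), is_evasive(page))
```

The timing-trap rule deliberately requires a timing call on both sides of a `debugger` statement, because a bare `debugger` appears in plenty of legitimate development builds; the benign sample shows that a keyboard handler plus ordinary timing code does not score.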

Once a user passes these gates, a second-stage bootstrapper—identified as bootstrappp.min.js—is loaded from third-party object storage (observed on Tencent Cloud). This script maintains a consistent connection to the backend /google.php controller.

Obfuscated bootstrappp.min.js second-stage script identified in previous CodeStorm campaigns; this obfuscated second stage is a critical component of the CodeStorm execution chain. (Source: ZeroBEC)

The CodeStorm Attack Flow: Intelligence-Driven Phishing

Static and runtime analysis reveals that the kit operates on a strict “action contract” via the backend. The protocol uses specific do= commands to manage the lifecycle of the attack:

  • do=check: Performs identity discovery and home-realm discovery.
  • do=login: Submits captured credentials.
  • do=verify: Initiates specific Multi-Factor Authentication (MFA) workflows.
  • checkVerify: Relays the intercepted MFA codes back to the attacker.

What sets this kit apart is its tenant-awareness. When the do=check command is issued, the kit performs Microsoft-style home-realm discovery. It identifies whether the victim belongs to a managed M365 tenant, a federated environment, or a GoDaddy-managed Microsoft 365 instance. This allows the phishing UI to dynamically adapt to the victim’s specific login configuration, providing a seamless and highly convincing experience that circumvents the “one-size-fits-all” look of traditional phishing pages.

End-to-end technical flow of the CodeStorm AiTM attack. (Source: ZeroBEC)

The kit’s capabilities extend to a full MFA bypass arsenal, including support for Authenticator push notifications, OTP, SMS, voice calls, and even Hotmail recovery flows. Most importantly, the backend doesn’t just harvest data—it actively replays it. In controlled testing, credentials submitted via do=login resulted in real-time sign-in failures (such as ErrorCode 50126) within the victim’s Entra ID logs. These replay attempts originate from the kit’s own IP addresses and use normalized browser user-agents, proving that the kit is performing live, automated validation of stolen credentials.

Defensive Strategies and Hunting Leads

Because the attacker’s infrastructure is so fluid, defenders should shift their focus from blocking static domains to identifying protocol-level indicators. Key detection signals include:

  • Cross-site POST requests to /google.php containing do=check or do=login payloads.
  • The presence of Cloudflare Turnstile on suspicious landing pages.
  • JavaScript patterns associated with analysis evasion (e.g., debugger timing traps and navigator.webdriver probes).
  • Email bodies containing significant whitespace followed by unrelated, “stuffed” conversation threads.
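The first signal in the list, the protocol-level `do=` contract on `/google.php`, is the one that survives domain rotation, so it is the natural basis for a proxy-log rule. The Python below is an added example (not from the original article or ZeroBEC) that parses proxy records, matches POST requests to the controller path carrying a `do=` command, and marks a hit as cross-site when the originating page sits on a different host than the controller, which is the decoupled frontend/backend pattern described earlier. The JSON-lines records and their field names are constructed; map your own proxy's fields onto `parse_record`.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Backend command values the write-up attributes to the kit's action contract.
# checkVerify is reported without a do= prefix, so it is not matched as a do= value.
KIT_COMMANDS = {"check", "login", "verify"}
CONTROLLER_PATH = "/google.php"

# Constructed proxy records (JSON lines, not real telemetry). Field names are
# assumptions; map your proxy's fields onto them in parse_record.
SAMPLE_PROXY_LOG = """\
{"ts":"2025-01-15T09:12:41Z","src":"10.1.2.3","method":"POST","url":"https://a1b2.vm-notice.invalid/google.php","origin":"https://c3d4.vm-player.invalid","body":"do=check&u=victim%40example.invalid"}
{"ts":"2025-01-15T09:12:58Z","src":"10.1.2.3","method":"POST","url":"https://a1b2.vm-notice.invalid/google.php","origin":"https://a1b2.vm-notice.invalid","body":"do=login&u=victim%40example.invalid&p=REDACTED"}
{"ts":"2025-01-15T09:13:05Z","src":"10.1.2.9","method":"GET","url":"https://cdn.example.invalid/google.php?do=check","origin":"","body":""}
{"ts":"2025-01-15T09:14:00Z","src":"10.1.2.7","method":"POST","url":"https://app.example.invalid/api/session","origin":"https://app.example.invalid","body":"user=alice&token=REDACTED"}
{"ts":"2025-01-15T09:15:30Z","src":"10.1.2.8","method":"POST","url":"https://blog.example.invalid/google.php","origin":"https://blog.example.invalid","body":"q=hello"}
"""


def parse_record(line):
    """Parse one JSON proxy record; returns None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def classify_request(rec):
    """Return a finding dict if the record matches the controller contract, else None."""
    if rec.get("method") != "POST":
        return None
    url = urlsplit(rec.get("url", ""))
    if url.path != CONTROLLER_PATH:
        return None
    command = parse_qs(rec.get("body", "")).get("do", [""])[0]
    if command not in KIT_COMMANDS:
        return None
    origin_host = urlsplit(rec.get("origin", "")).hostname
    return {
        "ts": rec.get("ts"),
        "src": rec.get("src"),
        "host": url.hostname,
        "command": command,
        # Cross-site when the page issuing the POST sits on a different host
        # than the controller: the decoupled frontend/backend pattern.
        "cross_site": bool(origin_host) and origin_host != url.hostname,
    }


def detect_controller_posts(log_text):
    """Run classify_request over every line and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        finding = classify_request(rec)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect_controller_posts(SAMPLE_PROXY_LOG):
        print(finding)
```

A body-level match needs the proxy to log (at least the leading bytes of) POST bodies; where it does not, the path plus a cross-site Origin or Referer is still a usable, if noisier, signal.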

For proactive threat hunting, security teams should correlate phishing-click events with anomalous authentication patterns, specifically looking for OfficeHome sign-in failures (50126), unexpected geographic MFA prompts, or unauthorized OAuth token grants immediately following a suspected click.
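The correlation described here, as an added example that is not part of the original article or ZeroBEC's tooling: for each phishing-click event, the Python below collects the same user's OfficeHome sign-ins inside a time window, counts 50126 failures, and counts later successes from an IP that produced one of those failures, the pattern a validated credential replay would leave. The click and sign-in records are constructed, their field names are simplified assumptions rather than the exact Entra ID schema, and the 30-minute window is an assumed starting point.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry). The sign-in records follow
# the general shape of Entra ID sign-in logs with simplified field names.
CLICK_EVENTS = [
    {"user": "alice@example.invalid", "ts": "2025-01-15T09:12:03Z",
     "url": "https://a1b2.vm-notice.invalid/voicemail/"},
    {"user": "bob@example.invalid", "ts": "2025-01-15T10:00:00Z",
     "url": "https://intranet.example.invalid/"},
]

SIGNIN_EVENTS = [
    # Failed password replay shortly after alice's click.
    {"user": "alice@example.invalid", "ts": "2025-01-15T09:13:10Z",
     "app": "OfficeHome", "errorCode": 50126, "ip": "203.0.113.7"},
    # Later success from the same IP: the replay completed.
    {"user": "alice@example.invalid", "ts": "2025-01-15T09:13:40Z",
     "app": "OfficeHome", "errorCode": 0, "ip": "203.0.113.7"},
    # Unrelated failure hours after bob's click: outside the window.
    {"user": "bob@example.invalid", "ts": "2025-01-15T13:00:00Z",
     "app": "OfficeHome", "errorCode": 50126, "ip": "198.51.100.4"},
    # Failure for a user with no click event: not correlated.
    {"user": "carol@example.invalid", "ts": "2025-01-15T09:14:00Z",
     "app": "OfficeHome", "errorCode": 50126, "ip": "203.0.113.7"},
]

INVALID_CREDENTIALS = 50126


def parse_ts(value):
    """Parse the Z-suffixed UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_click_with_signins(clicks, signins, window_minutes=30, app="OfficeHome"):
    """For each click, gather same-user sign-in activity inside the window.

    Returns one finding per click that has at least one 50126 failure in the
    window, with the count of later successes from an IP that produced such a
    failure (the mark of a validated replay). The window is an assumed value.
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    for click in clicks:
        start = parse_ts(click["ts"])
        end = start + window
        in_window = sorted(
            (e for e in signins
             if e["user"] == click["user"] and e.get("app") == app
             and start <= parse_ts(e["ts"]) <= end),
            key=lambda e: parse_ts(e["ts"]),
        )
        failure_ips = set()
        failures = 0
        successes_after_failure = 0
        for event in in_window:
            if event["errorCode"] == INVALID_CREDENTIALS:
                failures += 1
                failure_ips.add(event["ip"])
            elif event["errorCode"] == 0 and event["ip"] in failure_ips:
                successes_after_failure += 1
        if failures:
            findings.append({
                "user": click["user"],
                "click_ts": click["ts"],
                "click_url": click["url"],
                "failures": failures,
                "successes_from_failure_ip": successes_after_failure,
                "source_ips": sorted(failure_ips),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate_click_with_signins(CLICK_EVENTS, SIGNIN_EVENTS):
        print(finding)
```

The same loop is the place to attach the other signals the paragraph names: an MFA prompt from an unexpected location or an OAuth consent grant in the window would each add a field to the finding, and the source IPs collected here are the ones to check against the kit's known infrastructure.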

This technical profile complements broader research into similar threats, such as Microsoft’s research into Tycoon2FA and various analyses by Sekoia, Darktrace, and Huntress regarding device-code phishing. Understanding the specific /google.php contract provides a crucial layer of visibility into the CodeStorm operational methodology.
