![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Fig1-sample-phishing-email.webp\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Fig2-sample-phishing-email.webp\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Fig3-sample-phishing-email.jpg\")
The email includes a link, or a PDF attachment containing one, claiming to take recipients to Booking.com. Clicking the link leads to a webpage that displays a fake CAPTCHA overlayed on a subtly visible background designed to mimic a legitimate Booking.com page. This webpage gives the illusion that Booking.com uses additional verification checks, which might give the targeted user a false sense of security and therefore increase their chances of getting compromised.<\/p>\n
The fake CAPTCHA is where the webpage employs the ClickFix social engineering technique to download the malicious payload. This technique instructs the user to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the webpage adds to the clipboard:<\/p>\n The command downloads and launches malicious code through mshta.exe<\/em>:<\/p>\n This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Depending on the specific payload, the specific code launched through mshta.exe<\/em> varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.<\/p>\n All these payloads include capabilities to steal financial data and credentials for fraudulent use, which is a hallmark of Storm-1865 activity. In 2023, Storm-1865 targeted hotel guests using Booking.com with similar social engineering techniques and malware. In 2024, Storm-1865 targeted buyers using e-commerce platforms with phishing messages leading to fraudulent payment webpages. The addition of ClickFix to this threat actor\u2019s tactics, techniques, and procedures (TTPs) shows how Storm-1865 is evolving its attack chains to try to slip through conventional security measures against phishing and malware.<\/p>\n The threat actor that Microsoft tracks as Storm-1865 encapsulates a cluster of activity conducting phishing campaigns, leading to payment data theft and fraudulent charges. These campaigns have been ongoing with increased volume since at least early 2023 and involve messages sent through vendor platforms, such as online travel agencies and e-commerce platforms, and email services, such as Gmail or iCloud Mail.<\/p>\n Users can follow the recommendations below to spot phishing activity. Organizations can reduce the impact of phishing attacks by educating users on recognizing these scams.<\/p>\n Check the sender\u2019s email address to ensure it\u2019s legitimate.<\/strong> Assess whether the sender is categorized as first-time, infrequent, or marked as \u201c[External]\u201d by your email provider. Hover over the address to ensure that the full address is legitimate. Keep in mind that legitimate organizations do not send unsolicited email messages or make unsolicited phone calls to request personal or financial information. Always navigate to those organizations directly to sign into your account.<\/p>\n Contact the service provider directly.<\/strong> If you receive a suspicious email or message, contact the service provider directly using official contact forms listed on the official website.<\/p>\n Be wary of urgent calls to action or threats.<\/strong> Remain cautious of email notifications that call to click, call, or open an attachment immediately. Phishing attacks and scams often create a false sense of urgency to trick targets into acting without first scrutinizing the message\u2019s legitimacy.<\/p>\n Hover over links to observe the full URL.<\/strong> Sometimes, malicious links are embedded into an email to trick the recipient. Simply clicking the link could let a threat actor download malware onto your device. Before clicking a link, ensure the full URL is legitimate. For best practice, rather than following a link from an email, search for the company website directly in your browser and navigate from there.<\/p>\n Search for typos.<\/strong> Phishing emails often contain typos, including within the body of the email, indicating that the sender is not a legitimate, professional source, or within the email domain or URL, as mentioned previously. Companies rarely send out messages without proofreading content, so multiple spelling and grammar mistakes can signal a scam message. In addition, check for very subtle misspellings of legitimate domains, a technique known as typosquatting. For example, you might see micros0ft[.]com<\/em>, where the second o<\/em> has been replaced by 0<\/em>, or rnicrosoft[.]com<\/em>, where the m<\/em> has been replaced by r<\/em> and n<\/em>.<\/p>\n Microsoft recommends the following mitigations to reduce the impact of this threat.<\/p>\n Microsoft Defender XDR customers can turn on attack surface reduction rules<\/a> to prevent common attack techniques:<\/p>\n Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n Microsoft Defender Antivirus detects threat components as the following malware:<\/p>\n The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity:<\/p>\n Microsoft Defender for Office 365 detects malicious activity associated with this threat through the following alerts:<\/p>\n Security Copilot customers can use the standalone experience to create their own prompts<\/a> or run the following pre-built promptbooks<\/a> to automate incident response or investigation tasks related to this threat:<\/p>\n Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.<\/p>\n Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n Microsoft Defender XDR customers can run the following query to find related activity in their networks:<\/p>\n Network connections to known C2 infrastructure related to this activity<\/strong><\/p>\n Look for network connections with known C2 infrastructure.<\/p>\n Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.<\/p>\n Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions<\/a> to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub<\/a>, using an ARM template or manually.<\/p>\n Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession<\/em> for IOCs:<\/p>\n Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession<\/em> for IOCs:<\/p>\n Hunt normalized File events using the ASIM unifying parser imFileEvent<\/em> for IOCs:<\/p>\n![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Fig4-fake-booking-com-page.webp\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Fig5-sample-command.webp\")
![\"A](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Fig6-attack-chain.webp\")
Attribution<\/h2>\n
Recommendations<\/h2>\n
\n
Detection details<\/h2>\n
Microsoft Defender Antivirus<\/h3>\n
Microsoft Defender for Endpoint<\/h3>\n
\n
Microsoft Defender for Office 365<\/h3>\n
\n
Microsoft Security Copilot<\/h2>\n
\n
Threat intelligence reports<\/h2>\n
Microsoft Defender Threat Intelligence<\/h3>\n
Hunting queries<\/h2>\n
Microsoft Defender XDR<\/h3>\n
\nlet c2Servers = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']);\nDeviceNetworkEvents\n| where RemoteIP has_any(c2Servers)\n| project Timestamp, DeviceId, DeviceName, LocalIP, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine\n<\/pre>\n<\/div>\n
Microsoft Sentinel<\/h3>\n
\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']); _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor <\/pre>\n<\/div>\n
\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic(['92.255.57.155','147.45.44.131','176.113.115.170','31.177.110.99','185.7.214.54','176.113.115.225','87.121.221.124','185.149.146.164']); _Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr has_any (ioc_ip_addr) | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\n<\/pre>\n<\/div>\n
\nlet ioc_sha_hashes =dynamic([\"01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6\",\" f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e \",\"0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d\"]); imFileEvent | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes) | extend AccountName = tostring(split(User, @'\\')[1]), AccountNTDomain = tostring(split(User, @'\\')[0]) | extend AlgorithmType = \"SHA256\"\n<\/pre>\n<\/div>\n
Indicators of compromise<\/h2>\n