Urgent Alert – Storm-0539 and the Escalation of Holiday Gift Card Frauds

Urgent Alert storm-539

Bar Refael

December 17, 2023

Date: Dec 17, 2023

Microsoft has recently identified an alarming surge in malicious activities from a threat actor known as Storm-0539, primarily targeting retail sectors with sophisticated email and SMS phishing attacks. These attacks are focused on stealing gift card data during the holiday shopping season. OP Innovate customers, particularly those in retail, are advised to be highly vigilant and take immediate preventive measures.

Storm-0539 Incident Details

  • Threat Group: Storm-0539.
  • Modus Operandi: Phishing attacks via email and SMS, directing victims to adversary-in-the-middle (AiTM) phishing sites to harvest credentials and session tokens.
  • Primary Target: Retail entities and their customer databases.
  • Objective: Facilitating gift card fraud and theft.

Attack Strategy

  • Credential Harvesting: Utilizing AiTM phishing pages to capture user credentials and session tokens.
  • MFA Bypassing: Storm-0539 registers new devices for secondary authentication after initial access, circumventing multi-factor authentication.
  • Network and Cloud Exploitation: The attackers leverage this access to escalate privileges, infiltrate networks, and misuse cloud resources.
  • Specific Targeting: Focusing on services and databases related to gift cards.

Additional Threat Behaviors

  • Information Gathering: Storm-0539 is also involved in collecting sensitive emails, contact lists, and network configurations for future targeted attacks.
  • Sophisticated Reconnaissance: The group extensively researches targeted organizations to craft effective phishing lures.

Historical Context

  • Active Since: 2021.
  • Financially Motivated: The group’s activities are predominantly driven by financial gains.
  • Expertise in Cloud Exploitation: Notably adept at using compromised cloud services for post-compromise operations.

Relevant Security Developments

  • Microsoft’s Countermeasures: Recent disruption of a related Vietnamese cybercriminal group, Storm-1152, by Microsoft.
  • Exploitation of OAuth Applications: Warnings regarding the abuse of OAuth applications by various threat actors for financial crimes.

Recommendations for OP Innovate Customers

  • Heightened Alertness: Especially scrutinize communications pertaining to gift cards.
  • Credential Management: Implement stringent credential hygiene and robust MFA practices.
  • Employee Training: Regularly conduct security awareness training focusing on phishing detection.
  • Network Security Enhancements: Strengthen network monitoring to detect and respond to unusual activities or unauthorized access attempts.


Given the sophistication and specific targeting of retail sectors by Storm-0539, OP Innovate customers in these areas must immediately bolster their cyber defenses. The implementation of advanced security measures and continuous vigilance are crucial to safeguard against these heightened threats during the holiday season.

Stay safe and informed, 

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Under Cyber Attack?

Fill out the form and we will contact you immediately.