Bold action against fraud: Disrupting Storm-1152

Overview

In March 2023, a major Microsoft customer experienced a series of spam cyberattacks causing outages in the customer’s system.

The cause? A barrage of fraudulently created Microsoft Outlook and Hotmail accounts seeking to reap the benefits of the customer’s services provided as test trials to prospective users, even though these fake accounts had no intention of ever paying for those services. As a result, the customer blocked all new account signups from Microsoft Outlook and Hotmail addresses.

What was in fact behind this attack was a bigger fraudulent enterprise based in Vietnam—a group Microsoft calls Storm-1152.

Storm-1152 ran illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms. Storm-1152’s services act as a gateway to cybercrime by reducing the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online. In total, the group created for sale approximately 750 million fraudulent Microsoft accounts, earning the group millions of dollars in illicit revenue, and costing companies even more to combat their criminal activity.

Multiple groups, it turns out, were using Storm-1152 accounts to engage in ransomware, data theft and extortion, including Octo Tempest, Storm-0252, Storm-0455, and others. Its account sales business made it one of the largest cybercrime-as-a-service providers online.

Microsoft had been tracking the rise of this malicious activity since 2022, increasing the use of machine learning algorithms to prevent and detect observed patterns for the creation of these fraudulent accounts. However, spring 2023 marked an inflection point due to the escalating abuse of Microsoft and partner platforms. More aggressive action was required and a cross functional team across Microsoft and with our partner Arkose Labs was formed.

The coordinated effort resulted in Microsoft’s Digital Crimes Unit (DCU) taking the first legal action in December 2023 to seize and shut down the websites Storm-1152 was using to sell its services. Immediately following the action, we observed an approximate 60% decrease in sign-up traffic. This decrease closely matches the 60% or more of sign-ups that our algorithms or partners later identified as abusive and that we subsequently suspended from Microsoft services. On July 23, we filed a second civil action to disrupt new infrastructure the group had attempted to set up following our December lawsuit.

This emerging threat report goes behind the scenes on how the action went down and highlights the importance of collaborating across industry to go after cyber threats. The case is an example of how industry can use legal channels to help deter other groups and keep individuals safe online. It also speaks to the importance of ongoing disruptions and how legal actions remain an effective method against cybercriminals, even when they change their tactics. At the end of the day, no operation is a one-and-done.

The discovery and identification of Storm-1152

In February 2023, Matthew Mesa, Senior Security Researcher in Microsoft’s Threat Intelligence Center (MSTIC), observed a growing pattern of Microsoft Outlook accounts being used in mass phishing campaigns. In his role, Mesa analyzes email campaigns, and looks for suspicious activity. As he continued to see a rise in the use of fraudulent accounts, he asked himself: “could all these accounts be related to one another?”

He immediately created a new threat actor profile, Storm-1152, started to track its activity, and flagged his findings to Microsoft’s Identity team. Shinesa Cambric, Principal Product Manager of Microsoft’s Anti-Abuse and Fraud Defense Team, had also been tracking this malicious activity and had noticed an increase of automated accounts (bots) attempting to defeat the CAPTCHA challenges used to protect the sign-up process for Microsoft consumer services.

“My team focuses both on our consumer experience as well as our enterprise experience, which means we're protecting billions of accounts every day from fraud and abuse,” Cambric explains. “Our role is to understand the threat actor methodologies so we can circumvent attacks and prevent access into our systems. We’re always thinking about prevention—about how we can stop bad actors at the front door.”

What got her attention was the growing level of fraud related to the activity. When multiple parties—Microsoft partners as well as parts of our supply chain—reached out to report the harm resulting from these bot-created Microsoft accounts, Cambric went into action.

Together with cybersecurity defense and bot management provider Arkose Labs, Cambric’s team worked to identify and disable the group’s fraudulent accounts, and shared details of their work with threat intelligence colleagues in Microsoft’s MSTIC and the Arkose Cyber Threat Intelligence Research unit (ACTIR).

“Initially, our role was to protect Microsoft from malicious account creation,” Arkose Labs Chief Customer Officer Patrice Boffa explains, “But once Storm-1152 was identified as a group, we also began collecting a lot of the threat intelligence.”

Understanding Storm-1152

As a financially motivated group in development, Storm-1152 stood out as being unusually well organized and professional with its cybercrime-as-a-service (CaaS) offerings. Operating like a legitimate company, Storm-1152 ran its illicit CAPTCHA solve service in broad daylight.

“If you were not aware that this was a malicious organization, you could compare it with any other SaaS company,” Boffa says, adding that Storm-1152’s AnyCAPTCHA.com had a public-facing website, accepted cryptocurrency payments through PayPal, and even offered a support channel.

This service used bots to harvest CAPTCHA tokens in bulk and sold them to customers, who then used the tokens for improper purposes (such as the bulk creation of fraudulent Microsoft accounts for later use in cyberattacks) before they expired. The attempts to set up fraudulent accounts were happening so quickly and efficiently that the Arkose Labs team concluded the group was using automated machine-learning technology.
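The token trade described above works because a harvested token is worth something to whoever buys it. The following is an added example written for this page, not Microsoft’s or Arkose Labs’ implementation: a hypothetical CaptchaTokenService that issues a token once a challenge is solved and enforces the three server-side properties that make bulk-harvested tokens worthless to a buyer, namely a short expiry, single use, and binding to the session that solved the challenge. The class name, token format, signing secret, session identifiers and timestamps are all constructed for the demonstration.

```python
"""
Added illustration (not Microsoft's or Arkose Labs' code) of CAPTCHA token
handling that blunts bulk harvesting and resale: short TTL, single use, and
binding the token to the session that solved the challenge. Names, the token
format and all sample values are assumptions made for this example.
"""
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Callable, Dict, Tuple


def _b64e(raw: bytes) -> str:
    return urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CaptchaTokenService:
    """Hypothetical issuer/verifier for CAPTCHA solve tokens."""

    def __init__(self, secret: bytes, ttl_seconds: int = 120,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so tests can move time forward
        self._redeemed: Dict[str, float] = {}   # token id -> expiry (replay cache)

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, hashlib.sha256).digest()

    @staticmethod
    def _session_fingerprint(session_id: str) -> str:
        # Only a hash of the session id goes into the token, never the raw value.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def issue(self, session_id: str) -> str:
        """Called when a challenge is solved; the token records the solving session."""
        body = {
            "jti": secrets.token_hex(16),                  # unique id for single use
            "sid": self._session_fingerprint(session_id),  # bound to this session
            "exp": int(self._clock()) + self._ttl,         # short lifetime
        }
        payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
        return _b64e(payload) + "." + _b64e(self._sign(payload))

    def redeem(self, token: str, session_id: str) -> Tuple[bool, str]:
        """Called by the sign-up handler. Returns (accepted, reason)."""
        try:
            payload_b64, sig_b64 = token.split(".", 1)
            payload, sig = _b64d(payload_b64), _b64d(sig_b64)
        except (ValueError, TypeError):
            return False, "malformed"
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False, "bad_signature"
        body = json.loads(payload)
        now = self._clock()
        # Drop replay-cache entries whose tokens could no longer be accepted anyway.
        self._redeemed = {k: v for k, v in self._redeemed.items() if v > now}
        if body["exp"] <= now:
            return False, "expired"
        if body["sid"] != self._session_fingerprint(session_id):
            return False, "session_mismatch"
        if body["jti"] in self._redeemed:
            return False, "replayed"
        self._redeemed[body["jti"]] = body["exp"]
        return True, "ok"


def simulate_resale() -> Dict[str, str]:
    """Constructed scenario: a harvester solves a challenge in its own session and
    hands the token to a different client (the buyer). Returns the verdict names."""
    now = [1_700_000_000.0]                           # constructed clock value
    svc = CaptchaTokenService(secret=b"demo-secret-do-not-use", ttl_seconds=120,
                              clock=lambda: now[0])
    token = svc.issue("harvester-session")
    results: Dict[str, str] = {}
    results["buyer_other_session"] = svc.redeem(token, "buyer-session")[1]
    results["solver_first_use"] = svc.redeem(token, "harvester-session")[1]
    results["solver_replay"] = svc.redeem(token, "harvester-session")[1]
    # A stockpiled token that is used after its TTL has passed.
    fresh = svc.issue("harvester-session")
    now[0] += 121
    results["stockpiled_then_expired"] = svc.redeem(fresh, "harvester-session")[1]
    # Extending "exp" in the payload without the secret invalidates the MAC.
    payload_b64, sig_b64 = fresh.split(".", 1)
    body = json.loads(_b64d(payload_b64))
    body["exp"] += 3600
    forged = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    results["forged_expiry"] = svc.redeem(forged + "." + sig_b64, "harvester-session")[1]
    return results


if __name__ == "__main__":
    for case, verdict in simulate_resale().items():
        print(f"{case:26s} -> {verdict}")
```

The session binding is the property that directly attacks the resale model: a token solved in one browser session cannot be redeemed from another, so a stockpile of tokens has no buyer. Short expiry limits how long a stockpile stays useful even to the harvester, and the replay cache makes each solve worth exactly one sign-up. In production the replay cache would live in a shared store rather than in process memory, and the session fingerprint would be whatever the challenge provider already ties a solve to.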

“When we experienced the pace of their adaptation to our mitigation efforts, we realized a lot of their attacks were AI based,” Boffa said. “Compared to other adversaries that we’ve seen, Storm-1152 utilized AI in innovative ways.” Arkose Labs and Microsoft teams were able to observe a change in business tactics as a way of adapting to increased detection and prevention efforts.

Initially, Storm-1152 focused on providing services for criminals to bypass security defenses for other technology companies, with Microsoft being the largest victim. Storm-1152 offered services to bypass defenses to create fraudulent accounts, and then it offered a new service after it sensed detection. Instead of providing tools to bypass account creation defenses, the group pivoted by using its own bot-harvested CAPTCHA-defeating tokens to create fraudulent Microsoft accounts for resale.

“What we observed with Storm-1152 is typical,” Boffa says. “Every time you catch a threat actor, they try something else. Staying ahead of them is a game of cat and mouse.”

Building a legal case against Storm-1152

When the fraudulent activity reached a boiling point in March 2023, Cambric and Mesa engaged Microsoft’s Digital Crimes Unit (DCU) to see what more could be done.

As Microsoft’s external enforcement arm, DCU typically pursues only the most serious or persistent actors. It focuses on disruption—raising the cost of doing business—for which criminal referrals and/or civil lawsuits are primary tools.

Sean Farrell, Lead Counsel for the Cybercrime Enforcement team in Microsoft’s DCU, Jason Lyons, Principal Manager of Investigations in the DCU Cybercrime Enforcement Team at Microsoft and Senior Cyber Investigator Maurice Mason got together to investigate further. They coordinated with Microsoft’s outside counsel to design a legal strategy and pulled together the evidence required to file a civil action, drawing insights from multiple teams across Microsoft and the threat intelligence Arkose Labs was collecting.

“A lot of work had already been done by the time the DCU got involved,” Lyons recalls. “The Identity team and Arkose Labs had already done significant work in identifying and disabling accounts, and because MSTIC was able to link the fraudulent accounts to certain levels of infrastructure, we thought this would be a good DCU legal case.”

Some of the factors that contribute to the formation of a case worth pursuing include having laws that can be used in a civil action, having jurisdiction, and the willingness of the company to publicly name individuals.

Lyons likened the consideration of these factors to a triage process, where DCU examined the facts and information to help it determine whether everything made a good case. “Based on what we do, we ask whether we want to spend our time and energy to take action,” he says. “Will the impact be worth the resources we have to put in there?” The answer in this case was yes.

Mason was tasked with working on the attribution of Storm-1152’s cybercrime-as-a-service activities. “My role was to track how Storm-1152 sold these fraudulent accounts to other threat actor groups and identify the individuals behind Storm-1152,” Mason explains.

Through their investigative work, which included a deep review of social media pages and payment identifiers, Microsoft and Arkose Labs were able to identify the individuals behind Storm-1152—Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.

Their findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services. Additional connections were then made to the group’s technical infrastructure, which the team was able to pinpoint to US-based hosts.

Describing the decision to move forward with the case, Farrell says, “Here we were fortunate because of the great work of the teams, which had identified the actors who had set up the infrastructure and the criminal services.

“One of the reasons we pursue these actions in DCU is to deter the impact of these cybercriminals. We do this by filing lawsuits or from providing criminal referrals that lead to arrests and prosecutions. I think it sends a very strong message when you're able to identify the actors and publicly identify them in legal pleadings in the United States.”

Storm-1152 re-emerges and a second legal action

While the team saw an immediate drop in infrastructure following the December 2023 disruption, Storm-1152 re-emerged launching a new site called RockCAPTCHA and new how-to videos to help their customers. RockCAPTCHA targeted Microsoft by offering services specifically designed to try to defeat the CAPTCHA security measures of Arkose Labs. July’s action enabled Microsoft to take control of this website and send another blow to the actors.

The Arkose Cyber Threat Intelligence Research unit (ACTIR) also took a closer look at how Storm-1152 was attempting to rebuild their services. They observed the group using more sophisticated tactics, including intensifying their leverage of artificial intelligence (AI), to obfuscate their activity and evade detection. This resurgence is indicative of the shifts occurring in the threat landscape and demonstrates the advanced capabilities of attackers well-versed in AI technologies. 

One of the primary areas where Storm-1152 has integrated AI is in evasion techniques. Arkose Labs has seen the group use AI to synthetically generate human-like signatures.

Vikas Shetty is the head of product for Arkose Labs and leads its threat research unit, ACTIR. “The use of AI models allows attackers to train systems that emit these human-like signatures, which can then be used at scale for attacks,” said Shetty. “The complexity and variety of these signatures make it difficult for traditional detection methods to keep up.”

Moreover, Arkose Labs observed Storm-1152 attempting to recruit and employ AI engineers, including master’s students, PhD candidates, and even professors in countries like Vietnam and China.

“These individuals are paid to develop advanced AI models that can bypass sophisticated security measures. The expertise of these AI engineers ensures that the models are not only effective but also adaptable to evolving security protocols,” said Shetty.

Remaining persistent is key to meaningfully disrupting cybercriminal operations, as is keeping track of how cybercriminals are operating and using new technologies.

“We must continue to be persistent and take actions that make it harder for criminals to make money,” said Farrell. “This is why we filed a second suit to take control of this new domain. We need to send a message that we will not tolerate activity that seeks to harm our customers and individuals online.”

Lessons learned and future implications

Reflecting on the outcome of the Storm-1152 investigation and disruption, Farrell notes that the case is important not just because of its impact to us and the other companies affected, but because of Microsoft’s effort to scale the impact of these operations, which are a part of the overall cybercrime-as-a-service ecosystem.

A strong message to the public

“Showing that we could apply the legal levers we've used so effectively to malware attacks and nation-state operations has led to a significant mitigation or remediation of the actor’s activity, which has plummeted to almost zero for quite some time after we filed the lawsuit,” Farrell says. “I think from this we saw that you can have real deterrence, and the message the public gleans from that is important—not just for the impact, but for the greater good of the online community.”

New access vectors in identity

Another important observation has been a general shift in threat actor behavior: rather than compromising endpoints, attackers are going after identities. In most ransomware attacks we see, threat actors use stolen or compromised identities as their initial access vector.

“This trend is showing how identity is going to take over as the initial access vector for upcoming incidents,” says Mason. “CISOs may want to take a more serious stance on identity when modeling for their organizations—focus more on the identity side first, then move to endpoints.”

Ongoing innovation is essential

The reemergence of Storm-1152 and its AI-infused strategies underscores the evolving nature of cyber threats. Their sophisticated use of AI for both evasion and challenge-solving poses significant challenges for traditional security measures. Organizations must adapt by incorporating advanced AI-driven detection and mitigation techniques to stay ahead of these threats.

“The case of Storm-1152 highlights the critical need for ongoing innovation in cybersecurity to counteract the sophisticated tactics employed by AI-savvy attackers,” says Shetty. “As these groups continue to evolve, so too must the defenses designed to protect against them.”

We know we’ll continue to face new security challenges in the days ahead, but we are optimistic about what we have learned from this action. As a member of the community of defenders, we know that we work better together in the service of the common good, and that continued public and private sector collaboration remain essential in the face of cybercrime.

Farrell says, “The cross-team collaboration of this action—combining the efforts of threat intelligence, identity protection, investigation, attribution, legal action, and external partnerships—is a model of how we should be operating.”