SecOps & Risk mitigation
CyberProof uses OSINT and threat intelligence feeds for visibility into threats.
CyberProof’s adaptable playbooks address continuously evolving threats with updated strategies.
Professionals manage sophisticated networks, leveraging experience to counter advanced threats.
24/7 global SOC support ensures incident response with guaranteed SLA.
CyberProof develops recovery plans, restoring capabilities after a cyber incident.
Classify and manage enterprise assets, understanding risks and data sensitivity.
Non-destructive tests uncover potential exploits in assets and applications.
Mitigate security issues early with CyberProof’s training and awareness programs.
Rigorous security assessment for on-premises and cloud applications to ensure protection.
IAM manages user access and monitors for anomalies to ensure security.
Cloud First approach ensures compliance and security within cloud environments.
Managed service for SIEM, EDR, MXDR, and threat intelligence solutions.
Identify, assess, and mitigate security vulnerabilities through regular scanning.
“Today I have complete visibility into the entire environment, in real time”
Jamil Farshchi | Equifax CISO
CyberProof Acquires Interpres Security
By integrating the Interpres Security CTEM solution into its security services portfolio, CyberProof is able to continuously identify, assess, and prioritize risk while adapting defense services, such as MDR, vulnerability management, and use case management, to address ever-evolving threats. Take proactive steps to fortify your security today!
Case Studies
Retail Company Reduces Data Costs by 85% with SIEM Transformation
90% increase in visibility after deploying Microsoft XDR with CyberProof
Enterprise saves millions on data ingestion & storage following cloud migration.
SOC unification streamlines enterprise insurance company’s security & network monitoring operations.
Global medical devices company gains visibility and meets stringent compliance standards across global geos
Pharmaceutical organization significantly enhances threat detection and response times
Threat Alerts
The Rise of FlowerStorm in the Phishing as a Service Market
A growing trend in the cybercrime landscape is the rise of “FlowerStorm,” a Microsoft 365 phishing-as-a-service (PhaaS) platform that has gained popularity following the sudden collapse of Rockstar2FA in November 2024. Rockstar2FA previously facilitated large-scale adversary-in-the-middle (AiTM) phishing attacks, targeting Microsoft 365 credentials with advanced evasion techniques and user-friendly features. However, after a partial infrastructure failure rendered much of Rockstar2FA’s platform inaccessible, FlowerStorm quickly emerged as a prominent alternative, filling the gap in the PhaaS market.
Researchers highlight similarities between Rockstar2FA and FlowerStorm, including their use of phishing portals mimicking Microsoft login pages, shared backend infrastructure patterns, and synchronized activity trends. While the platforms may share a common operational ancestry, the rise of FlowerStorm underscores a sustained demand for sophisticated phishing kits that can bypass multi-factor authentication (MFA) and harvest credentials at scale.
The Growing Threat of Cross-Domain Attacks
Cross-domain attacks have become increasingly prevalent over the last year, challenging organizational security measures by targeting the intersections and weaknesses across multiple domains such as endpoints, identity systems, and cloud environments. These sophisticated strategies are employed by eCrime groups such as SCATTERED SPIDER and by state-affiliated actors such as North Korea’s FAMOUS CHOLLIMA, who exploit security vulnerabilities to penetrate organizations, move laterally, and avoid detection.
The key aspect of these attacks is the misuse of legitimate credentials. Adversaries no longer forcibly breach systems; instead, they discreetly “log in” using stolen or compromised credentials. By doing so, they blend in with regular traffic and use authorized tools and processes, which makes it hard for security measures to spot them as they cross domains and escalate their access levels.
The growing trend of cross-domain and identity-centric threats has revealed a significant flaw in organizations that treat identity security only as a checkbox for compliance rather than as an integral part of their security framework. Many companies use disconnected security tools that address just pieces of the identity challenge, which leaves gaps in visibility and creates operational inefficiency. This fragmented approach can’t secure the identity landscape effectively. It also produces security tool gaps and causes a dangerous disconnection between security teams. For example, a divide between the teams that manage IAM tools and those in charge of security operations leads to critical visibility gaps and exposes vulnerabilities in security architecture across on-premises and cloud environments. These are the vulnerabilities that adversaries exploit in their attacks.