SOC Incident Toolkit
FlowerStorm PhaaS now uses KrakVM for VM-based JavaScript obfuscation in AiTM credential theft.

Tags: FlowerStorm, KrakVM, PhaaS, Phishing-as-a-Service, Adversary-in-the-Middle, AiTM

In April 2026, the FlowerStorm PhaaS platform was observed using the KrakVM JavaScript obfuscation tool for credential theft. This AiTM (Adversary-in-the-Middle) phishing campaign uses malicious HTML attachments to steal Microsoft 365, Hotmail, and GoDaddy credentials, MFA responses, and session cookies in real time. This marks the first documented instance of KrakVM being deployed for malicious purposes.

Indicators of Compromise

Domains (86)

jeny.ggsuitauth.site
5624221719.cfd
zpma.uscourtdocuments.com
zrqdi.dynamicgrowthsystems.de
2008377162.cfd
asphalt9nitroo.my.id
empire.appdocstorage.com
6185945827.sbs
y.k5l1m.cfd
nnqsy.secureenvirotrust.de
don.feiracultural.de
pkxza.ruminatingbrook.de
rexjf.digitaltrustbase.de
6438259665.cfd
7766360391.cfd
04qq.digitalcompetitiveedge.de
valid.seashellshoetreasures.de
5832068083.cyou
brenda.5hawb1t.site
china.bureauofcourts.com
(+66 more not shown)

Hashes (1)

MD5: b0ed4da928344ac2972a05ded086e4da

Notes

CONCLUSION

The April 2026 FlowerStorm + KrakVM campaign matters for two reasons. First, it is the earliest known use of a public JavaScript virtual machine — KrakVM, which had only been on GitHub for about one month — as a wrapper around a known commodity phishing kit. The KrakVM layer takes the FlowerStorm credential stealer (a ~1.09 MB bootstrap.min.js) and turns it into encrypted bytecode that runs inside an in-browser VM, which beats any email gateway or static tool that inspects HTML attachments without running them. Because KrakVM was used with default settings, the plain markers __krak_throw, runVM, and the bytecode variable still sit in the obfuscated file, giving defenders a workable detection target. Second, the FlowerStorm kit itself — the direct heir to Rockstar2FA, active since mid-2024 — is still an aggressive AiTM platform that relays victim sessions in real time to Microsoft 365, Hotmail, and GoDaddy through its standard next.php backend, supports JWT session tracking and live MFA relay, and uses Cloudflare Turnstile CAPTCHA to filter out scanners.

The 87 IoCs in the OTX pulse show several useful patterns: 30 numeric DGA-style domains on .cfd / .cyou / .sbs / .my.id; 26 German-language brand-mimic .de hostnames built from English business words; 9 hostnames pretending to be US, Chinese, or Peruvian court systems; 4 k5l1m.cfd subdomains under what looks like one operator; 4 identity-spoofing hostnames using ggsuitauth / authgsyuuite / v0k3.space strings; and 3 IPFS / Web3.Storage payload-hosting hostnames.

SOC priorities, in order:
1. Block .html and .htm attachments from outside senders by default.
2. Add email gateway content rules for the KrakVM markers (__krak_throw, runVM, bytecode arrays) and FlowerStorm's /next.php call pattern.
3. Require phishing-resistant MFA and Conditional Access / token protection / Continuous Access Evaluation on Microsoft Entra.
4. Push all 87 indicators into SEG, SWG, and recursive DNS controls.
5. Run regular DNS retro-hunts for the German brand-mimic and numeric DGA patterns common to FlowerStorm operators.
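The DNS retro-hunt in priority 5 can be expressed as a small classifier over resolver logs. The following is an added example written for this page, not code from the toolkit or from the campaign write-up's authors: it tags query names against the naming patterns described above (numeric DGA-style labels on .cfd / .cyou / .sbs / .my.id, German .de brand-mimic names built from English business words, court-system theming, the ggsuitauth / authgsyuuite / v0k3.space identity-spoofing strings, and the k5l1m.cfd cluster). The log line format, the seed word list, the length thresholds and the IPFS / Web3.Storage substring hints are this example's own assumptions; the sample log is constructed and uses domains from the IoC list above plus benign names.

```python
import re
from collections import Counter

# Pattern seeds taken from the page's description of the OTX pulse. The word
# list and thresholds are this example's own assumptions, not a vendor signature.
NUMERIC_DGA_TLDS = ("cfd", "cyou", "sbs", "my.id")
NUMERIC_LABEL = re.compile(r"^\d{6,}$")
BUSINESS_WORDS = ("dynamic", "growth", "systems", "secure", "enviro", "trust",
                  "base", "digital", "competitive", "edge", "brook")
IDENTITY_SPOOF_STRINGS = ("ggsuitauth", "authgsyuuite", "v0k3.space")
OPERATOR_CLUSTER_PARENT = "k5l1m.cfd"
WEB3_HOSTING_HINTS = ("ipfs", "web3.storage")  # assumption: substring hints only

# Constructed resolver log lines (not real telemetry); the qnames come from the
# page's IoC list plus a few benign names to show that they are left alone.
SAMPLE_LOG = """\
2026-04-14T09:12:03Z client=10.0.4.17 qname=login.microsoftonline.com qtype=A
2026-04-14T09:12:09Z client=10.0.4.17 qname=5624221719.cfd qtype=A
2026-04-14T09:12:10Z client=10.0.4.17 qname=y.k5l1m.cfd qtype=A
2026-04-14T09:13:41Z client=10.0.7.3 qname=zrqdi.dynamicgrowthsystems.de qtype=A
2026-04-14T09:13:42Z client=10.0.7.3 qname=intranet.example.de qtype=A
2026-04-14T09:15:00Z client=10.0.9.8 qname=china.bureauofcourts.com qtype=A
2026-04-14T09:15:02Z client=10.0.9.8 qname=jeny.ggsuitauth.site qtype=A
2026-04-14T09:16:30Z client=10.0.2.2 qname=github.com qtype=AAAA
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")


def classify(fqdn):
    """Return the list of FlowerStorm naming-pattern tags that match fqdn."""
    name = fqdn.strip().lower().rstrip(".")
    labels = name.split(".")
    tags = []
    # 1. Numeric DGA-style registrable label under a cheap TLD (e.g. 5624221719.cfd).
    for tld in NUMERIC_DGA_TLDS:
        suffix = "." + tld
        if name.endswith(suffix):
            registrable = name[: -len(suffix)].split(".")[-1]
            if NUMERIC_LABEL.match(registrable):
                tags.append("numeric-dga")
            break
    # 2. German .de hostname whose second-level label is built from English business words.
    if name.endswith(".de") and len(labels) >= 2:
        sld = labels[-2]
        if len(sld) >= 12 and any(w in sld for w in BUSINESS_WORDS):
            tags.append("de-brand-mimic")
    # 3. Court-system theming.
    if "court" in name:
        tags.append("court-theme")
    # 4. Identity-provider spoofing strings.
    if any(s in name for s in IDENTITY_SPOOF_STRINGS):
        tags.append("identity-spoof")
    # 5. The k5l1m.cfd cluster and its subdomains.
    if name == OPERATOR_CLUSTER_PARENT or name.endswith("." + OPERATOR_CLUSTER_PARENT):
        tags.append("k5l1m-cluster")
    # 6. IPFS / Web3.Storage payload hosting (assumed substring hints).
    if any(h in name for h in WEB3_HOSTING_HINTS):
        tags.append("web3-hosting")
    return tags


def hunt(log_text):
    """Parse resolver log lines; return (timestamp, client, qname, tags) for every tagged query."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        tags = classify(m.group("qname"))
        if tags:
            hits.append((m.group("ts"), m.group("client"), m.group("qname"), tags))
    return hits


def summarize(hits):
    """Count hits per pattern and per client, the two pivots a SOC triages first."""
    by_pattern = Counter(t for _, _, _, tags in hits for t in tags)
    by_client = Counter(client for _, client, _, _ in hits)
    return by_pattern, by_client


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for ts, client, qname, tags in found:
        print(f"{ts} {client} {qname} -> {', '.join(tags)}")
    patterns, clients = summarize(found)
    print("patterns:", dict(patterns))
    print("clients:", dict(clients))
```

The .de heuristic deliberately errs toward false negatives (don.feiracultural.de and valid.seashellshoetreasures.de from the IoC list are left untagged), because a broad word list against the whole .de space would drown a SOC in benign hits; a client that resolves two or more tagged names within a minute, as 10.0.4.17 does in the sample, is the stronger triage signal.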

Mitigation

REF: https://attack.mitre.org/

Technique ID | Technique Name | Tactic | Mitigation ID | Description
T1566.001 | Phishing: Spearphishing Attachment | Initial Access | M1031 | Network Intrusion Prevention — At the email gateway, quarantine inbound messages from external senders carrying .html or .htm attachments by default. The entire delivery vehicle of this campaign is an HTML attachment, so blocking this attachment class disrupts the kill chain at step one.
T1566.001 | Phishing: Spearphishing Attachment | Initial Access | M1049 | Antivirus / Antimalware — Detonate HTML attachments in a sandbox and block messages whose attachments contain heavily obfuscated JavaScript, virtual-machine bytecode arrays, or the KrakVM default-configuration signature strings (__krak_throw, runVM, bytecode).
T1566.001 | Phishing: Spearphishing Attachment | Initial Access | M1017 | User Training — Train users to treat unsolicited voicemail, vendor-credit and unpaid-invoice HTML attachments as suspicious; emphasise that legitimate voicemail and invoicing systems do not require opening an HTML file from an email body.
T1078 | Valid Accounts | Initial Access / Persistence | M1032 | Multi-Factor Authentication — Require phishing-resistant MFA (FIDO2, hardware security keys, Windows Hello for Business, or certificate-based authentication) on all Microsoft 365, Hotmail and GoDaddy accounts. FlowerStorm's AiTM proxy relays push, SMS and TOTP codes in real time, but cannot relay a FIDO2 challenge bound to the legitimate origin.
T1539 | Steal Web Session Cookie | Credential Access | M1041 | Encrypt Sensitive Information — Enforce token protection and Continuous Access Evaluation on Microsoft Entra so that stolen session cookies are invalidated when the source IP, device posture or risk score changes. AiTM session-cookie theft is FlowerStorm's terminal outcome; token protection and CAE neutralise the stolen cookie.
T1556.006 | Modify Authentication Process: MFA | Defense Evasion / Credential Access | M1041 | Encrypt Sensitive Information — Configure Conditional Access policies that require reauthentication when users access Microsoft 365 from new locations or devices, even with valid MFA tokens, to disrupt session-hijacking that follows a successful MFA relay.
T1102 | Web Service | Command and Control | M1031 | Network Intrusion Prevention — Block egress to attacker-controlled subdomains on cloud object-storage providers (Singapore, Bangkok, Frankfurt, Tokyo, Seoul, Jakarta and Ashburn regions); ingest the 87 indicators enumerated in the IoCs section of this page into secure web gateway and recursive DNS controls.
T1027 | Obfuscated Files or Information | Defense Evasion | M1049 | Antivirus / Antimalware — Deploy email-gateway detections that flag inbound HTML attachments containing virtual-machine bytecode arrays or large Base64-encoded blobs combined with eval / Function() / runVM invocations.
T1583.001 / T1583.006 | Acquire Infrastructure: Domains / Web Services | Resource Development | M1056 | Pre-compromise — Subscribe to Sublime STIR, Sophos, ANY.RUN and WhoisXML FlowerStorm feeds; sinkhole or pre-emptively block domains matching the campaign's documented naming conventions (German-language brand-mimic .de domains; numeric .cfd / .cyou / .sbs / .my.id domains; US / Chinese court-system theming; ggsuitauth / authgsyuuite identity-impersonation strings).
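The M1031 and M1049 rows (and SOC priorities 1 and 2 in the Notes) describe a two-stage gateway rule: quarantine HTML attachments from external senders outright, and content-scan the rest for the KrakVM default markers, VM bytecode arrays, and large Base64 blobs paired with eval / Function() / runVM. The following is an added example written for this page, not the toolkit's or any vendor's detection logic. The marker weights, the array and Base64 length thresholds, the score cut-offs and the gateway_decision helper are this example's own assumptions; the three sample attachments are constructed, and the KrakVM-shaped one imitates only the file's outward shape (a long integer array, the three marker names, a runVM call) with no working VM or stealer inside.

```python
import re

# KrakVM default-configuration strings named on the page; weights are this
# example's own assumption about how specific each string is on its own.
MARKER_WEIGHTS = {"__krak_throw": 3, "runVM": 2, "bytecode": 1}
# A long literal array of small integers is what an embedded VM bytecode blob
# looks like in JavaScript (assumed threshold: 200+ elements of 0-999).
BYTECODE_ARRAY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){200,}\d{1,3}\s*\]")
# A single run of 2000+ Base64-alphabet characters (assumed threshold).
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")
# Dynamic-code sinks the page names: eval, Function() and the KrakVM entry point.
SINK_RE = re.compile(r"\b(?:eval|Function|runVM)\s*\(")
HTML_EXTENSIONS = (".html", ".htm")


def scan_html(text):
    """Score an HTML attachment body and return the findings plus a verdict."""
    findings = {
        "markers": [m for m in MARKER_WEIGHTS if m in text],
        "bytecode_array": bool(BYTECODE_ARRAY_RE.search(text)),
        "large_base64": bool(BASE64_BLOB_RE.search(text)),
        "dynamic_sink": bool(SINK_RE.search(text)),
    }
    score = sum(MARKER_WEIGHTS[m] for m in findings["markers"])
    if findings["bytecode_array"]:
        score += 2
    if findings["large_base64"]:
        score += 1
    # The page's rule is "blob combined with a sink", so a sink only scores alongside one.
    if findings["dynamic_sink"] and (findings["bytecode_array"] or findings["large_base64"]):
        score += 3
    findings["score"] = score
    findings["verdict"] = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return findings


def gateway_decision(sender_domain, filename, body, internal_domains):
    """Apply the rows in order: M1031 default quarantine first, then the M1049 content scan."""
    is_html = filename.lower().endswith(HTML_EXTENSIONS)
    if is_html and sender_domain.lower() not in internal_domains:
        return "quarantine", {"reason": "external sender with HTML attachment"}
    if is_html:
        result = scan_html(body)
        return result["verdict"], result
    return "allow", {"reason": "not an HTML attachment"}


# Constructed sample attachments (not real samples).
BENIGN_HTML = "<html><body><script>document.title = 'Invoice 4471';</script></body></html>"
KRAKVM_SHAPED_HTML = (
    "<html><body><script>"
    "function __krak_throw(e){throw e;}"
    "var bytecode=[" + ",".join(str(i % 256) for i in range(300)) + "];"
    "runVM(bytecode);"
    "</script></body></html>"
)
BASE64_EVAL_HTML = (
    "<html><body><script>var p='" + "QUJD" * 600 + "';eval(atob(p));</script></body></html>"
)

if __name__ == "__main__":
    internal = {"corp.example"}
    for label, sender, body in [("benign", "corp.example", BENIGN_HTML),
                                ("krakvm-shaped", "corp.example", KRAKVM_SHAPED_HTML),
                                ("base64+eval", "corp.example", BASE64_EVAL_HTML),
                                ("external", "mail.example.net", BENIGN_HTML)]:
        verdict, detail = gateway_decision(sender, "voicemail.html", body, internal)
        print(f"{label:14} -> {verdict} {detail}")
```

The scoring reflects the page's own caveat: __krak_throw is specific enough to act on by itself, while "bytecode" and runVM are ordinary words that only become interesting next to an integer array or a Base64 blob feeding a dynamic-code sink. Once the operators change the default names, the array-plus-sink rule is the part that keeps working, which is why it carries the heaviest combined weight.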