Listen to this Post
Introduction:
Adversary-in-the-Middle (AitM) phishing kits have redefined credential theft by intercepting live session tokens, effectively bypassing multi‑factor authentication (MFA). The newly observed FlowerStorm campaign targets European organisations using fake SharePoint file share notifications and OneDrive‑encrypted PDF lures, redirecting victims to phishing pages that harvest Microsoft 365 credentials and session tokens. Post‑compromise, attackers silently create an inbox rule named “LinkedIn” to hide replies from the original phishing sender, evading victim awareness and leaving a subtle forensic artefact.
Learning Objectives:
- Identify technical indicators of FlowerStorm AitM phishing, including specific ASNs and the domain
trustabledomains[.]de. - Hunt for malicious inbox rules across Microsoft 365 environments using PowerShell and Graph API.
- Analyse obfuscated phishing payloads and Tencent Cloud infrastructure to block and respond to similar campaigns.
1. Decoding the AitM Phishing Flow & Infrastructure
FlowerStorm’s attack chain begins with a convincing email – either a SharePoint file share notification or a PDF claiming to be “encrypted with OneDrive Secure Cloud”. Clicking the link leads to an AitM proxy page that sits between the victim and the genuine Microsoft login page. The proxy captures both credentials and the session token after MFA, allowing the attacker to replay the session later.
Infrastructure indicators (ASNs observed in this campaign):
| ASN | Provider |
| | |
| AS9462651 | Strong Technology, LLC. |
| AS9462240 | Clouvider Limited |
| AS94174 | Cogent Communications, LLC |
| AS9437148 | Globacom |
| AS132203 | Tencent |
Domain IOC: `trustabledomains[.]de` (multiple subdomains used).
Step‑by‑step guide to extract ASN and hosting details from a suspicious domain (Linux):
1. Resolve domain to IP dig trustabledomains.de +short <ol> <li>Get ASN for an IP (using whois) whois -h whois.cymru.com " -v 192.0.2.1"</p></li> <li><p>Alternative: use bgp.he.net API curl -s "https://bgp.he.net/ip/192.0.2.1" | grep -i "ASN"</p></li> <li><p>Check certificate transparency logs for subdomains curl -s "https://crt.sh/?q=%.trustabledomains.de&output=json" | jq -r '.[].name_value' | sort -u
Windows (PowerShell) equivalent:
Resolve-DnsName trustabledomains.de Get ASN via built-in cmdlets (requires PSGallery module) Install-Module -Name PSWhois -Force Get-Whois -IP (Resolve-DnsName trustabledomains.de | Select-Object -First 1).IPAddress
- The “LinkedIn” Inbox Rule – A Persistent Forensic Goldmine
Across every compromised mailbox in this campaign, attackers create a single inbox rule named “LinkedIn”. The rule automatically moves or deletes replies from the original phishing sender, preventing the victim from seeing any “undeliverable” or “out of office” responses that might alert them to the compromise.
Step‑by‑step hunting for malicious inbox rules (Microsoft 365):
Using Exchange Online PowerShell:
Connect to Exchange Online Connect-ExchangeOnline -UserPrincipalName [email protected] List all inbox rules for a specific user Get-InboxRule -Mailbox [email protected] | Format-Table Name, Description, DeleteMessage, MoveToFolder, ConditionDescription Find rules named "LinkedIn" across all mailboxes Get-Mailbox -ResultSize Unlimited | Get-InboxRule | Where-Object { $_.Name -eq "LinkedIn" }
Using Microsoft Graph API (REST):
Get bearer token (using MSAL or device code flow) token="your_access_token" List rules for a user curl -X GET "https://graph.microsoft.com/v1.0/users/[email protected]/mailFolders/inbox/messageRules" \ -H "Authorization: Bearer $token" | jq '.value[] | select(.displayName=="LinkedIn")'
Detection logic – alert when:
- A new inbox rule named “LinkedIn” is created.
- Any rule that silently deletes or moves messages from external senders without user’s known pattern.
3. Obfuscated Source Code & Tencent Payload Hosting
Security researcher Bastian Wehe noted that the campaign uses obfuscation when developer tools are opened – a common anti‑analysis trick. The phishing payloads themselves are hosted on a Tencent bucket (AS132203). Obfuscation may include:
– Dynamic DOM manipulation that triggers only after a human‑like mouse movement.
– `console.clear()` or infinite debugger statements when DevTools is detected.
– JavaScript that overwrites native logging functions.
Step‑by‑step static analysis of an obfuscated phishing page (Linux):
1. Download the phishing HTML curl -k -L "https://attacker.tencentcloud.com/phish/index.html" -o phish.html <ol> <li>Deobfuscate using node.js and js-beautify npm install -g js-beautify js-beautify phish.html > deobfuscated.html</p></li> <li><p>Extract all external scripts and examine grep -oP 'src="\K[^"]+' deobfuscated.html | while read url; do echo "=== $url ===" curl -s "$url" | head -50 done</p></li> <li><p>Search for credential exfiltration endpoints grep -E 'fetch|XMLHttpRequest|.php|.asp|/api/' deobfuscated.html -A 2 -B 2
Windows alternative – use Fiddler or Burp Suite to proxy traffic while opening the page in a sandboxed browser.
4. Mitigation & Cloud Hardening Against AitM Attacks
Since AitM proxies defeat traditional MFA, organisations must adopt phishing‑resistant authentication and continuous access controls.
Hardening checklist:
- Enforce MFA using WebAuthn (FIDO2) – security keys or Windows Hello for Business.
- Disable legacy authentication protocols.
- Configure Conditional Access policies to block unknown locations/ASNs.
- Enable Continuous Access Evaluation (CAE) – session revocation within minutes after token theft.
- Monitor “impossible travel” and fresh token anomalies (e.g., token issued from IP in Europe, used from Asia within 1 second).
Step‑by‑step create a Conditional Access policy to block suspicious ASNs (Azure AD / Entra ID):
Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
Create a named location for the malicious ASNs
$asnList = @("9462651","9462240","94174","9437148","132203")
$asnConditions = @()
foreach ($asn in $asnList) {
$asnConditions += @{ asn = $asn }
}
$body = @{
displayName = "Block FlowerStorm ASNs"
isTrusted = $false
countries = @()
ipRanges = @()
includeUnknownCountriesAndRegions = $false
asnRanges = $asnConditions
} | ConvertTo-Json -Depth 3
$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"
Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType "application/json"
5. Blue Team Detection Rules & IR Playbook
Proactively hunt for the FlowerStorm campaign using SIEM queries and YARA rules.
Sigma rule for inbox rule creation (Windows Event Logs via Unified Audit Log):
title: Suspicious Inbox Rule Named "LinkedIn" status: experimental logsource: product: exchange_online service: unified_audit detection: selection: Operation: "New-InboxRule" Parameters|contains: "LinkedIn" condition: selection level: high tags: - attack.persistence - attack.t1137
KQL query for Microsoft Sentinel / Defender:
IdentityLogonEvents | where Timestamp > ago(7d) | where Application == "Office 365" | where LogonType == "token" | join kind=inner ( EmailEvents | where Subject has "SharePoint file share" or Subject has "OneDrive Secure Cloud" | project RecipientEmailAddress, SenderFromAddress, NetworkMessageId ) on $left.AccountUpn == $right.RecipientEmailAddress | project Timestamp, AccountUpn, IPAddress, ASN, ActionType
What Undercode Say:
- Inbox rules remain an under‑monitored post‑compromise artefact. The consistent use of “LinkedIn” as a rule name shows attackers banking on the name’s innocuous appearance – blue teams should routinely audit rule names across tenants.
- AitM phishing fundamentally changes credential theft. Traditional MFA + user training is insufficient. Organisations must prioritise phishing‑resistant authenticators and real‑time session revocation (CAE + token binding).
- ASN blocking is a viable short‑term throttle. While attackers can switch providers, sinkholing known malicious ASNs (especially small North American providers targeting Europe) reduces initial access windows by hours to days.
Prediction:
FlowerStorm is likely a precursor to more tailored BEC‑as‑a‑service offerings. Expect the same infrastructure to pivot from generic phishing to highly targeted CEO fraud once session tokens are harvested. Within six months, similar campaigns will incorporate AI‑generated voice or video lures to bypass anomaly detection, and inbox rule names will become randomised to evade signature‑based hunting. Cloud identity providers will respond by deprecating session token replayability by default – but legacy tenants will remain vulnerable. Organisations that delay adopting WebAuthn and CAE will suffer repeated compromises.
▶️ Related Video (74% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
