Dateline: June 23, 2026
The Phishing Kit That Hides a Fake Email Thread to Fool Your Filters
A new phishing kit called CodeStorm is stealing Microsoft 365 logins from many companies at once, and it is built to walk right past the defenses most teams trust. It hides from email filters, fools security analysts, and beats multi-factor authentication by replaying stolen passwords the moment a victim types them. Researchers at ZeroBEC pulled it apart, and the design is unsettling.
What Happened
The attack starts with an email dressed up as a normal Microsoft voicemail alert. It carries a reference ID, a call length, and a button to open the voicemail. That part is bait. The clever bit sits out of sight. Below a big block of empty space, the attackers paste a fake email thread, complete with reply headers, signatures, and chatty scheduling text.
ZeroBEC calls this conversation stuffing. A real person never scrolls down far enough to see it, but automated email gateways read the whole message. The fake thread tricks those filters into reading the email as a harmless reply rather than a phishing attempt.
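A gateway can catch conversation stuffing directly if it separates what a reader sees from what is buried below the fold. The Python below is an added example written for this article, not ZeroBEC's code and not anything recovered from the kit: it flattens a constructed sample message to text, finds the tallest run of blank lines, and flags the message when that spacer is followed by reply headers (From:, Sent:, Subject:) that the visible part never showed. The sample HTML, the 20-line spacer threshold, the header list and the lure words are all assumptions chosen for illustration.

```python
import re
from html import unescape

# Constructed sample, not a real message: a voicemail lure, a tall spacer of
# empty lines, then a pasted reply thread a reader would never scroll to.
STUFFED_HTML = (
    "<p>You have a new voicemail. Reference ID: VM-0001. Duration: 0:42.</p>"
    "<p><a href='https://example.invalid/listen'>Open voicemail</a></p>"
    + "<br>" * 60
    + "<p>From: Dana Example<br>Sent: Monday 9:14 AM<br>Subject: RE: Thursday sync</p>"
    "<p>Sounds good, let's move it to 3pm. Thanks!</p><p>-- Dana</p>"
)

# Constructed benign reply: a short quoted thread with no hidden spacer.
BENIGN_HTML = (
    "<p>Hi Dana, 3pm works for me.</p><p>Thanks</p><br><br>"
    "<p>From: Dana Example<br>Sent: Monday 9:14 AM<br>Subject: Thursday sync</p>"
    "<p>Can we move Thursday to the afternoon?</p>"
)

# Reply-header lines that mark pasted thread text. Assumed list, extend as needed.
REPLY_HEADER_RE = re.compile(r"^(From|Sent|To|Cc|Subject):", re.I | re.M)
# Words that mark the visible lure. Assumed list.
LURE_RE = re.compile(r"voicemail|verify|sign in|log ?in|open", re.I)


def html_to_text(html):
    """Flatten HTML to plain text, turning <br> and </p> into line breaks."""
    text = re.sub(r"<br\s*/?>", "\n", html, flags=re.I)
    text = re.sub(r"</p\s*>", "\n", text, flags=re.I)
    text = re.sub(r"<[^>]+>", "", text)
    return unescape(text)


def longest_blank_run(lines):
    """Return (start_index, length) of the longest run of blank lines."""
    best_start, best_len = 0, 0
    run_start, run_len = 0, 0
    for i, line in enumerate(lines + ["end"]):  # sentinel flushes the last run
        if line.strip() == "":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    return best_start, best_len


def analyze_body(html, min_spacer_lines=20):
    """Score a message body for conversation stuffing.

    The text above the tallest blank run is what a reader sees; the text
    below it is what only the gateway reads. Stuffing is flagged when the
    spacer is tall and the hidden part carries reply headers.
    """
    lines = html_to_text(html).split("\n")
    start, length = longest_blank_run(lines)
    visible = "\n".join(lines[:start])
    hidden = "\n".join(lines[start + length:])
    hidden_headers = len(REPLY_HEADER_RE.findall(hidden))
    return {
        "spacer_lines": length,
        "hidden_reply_headers": hidden_headers,
        "visible_has_lure": bool(LURE_RE.search(visible)),
        "stuffed": length >= min_spacer_lines and hidden_headers >= 2,
    }


if __name__ == "__main__":
    for name, body in (("stuffed", STUFFED_HTML), ("benign", BENIGN_HTML)):
        print(name, analyze_body(body))
```

The point of the split is that thread text found only below the spacer should raise a message's risk score, not lower it; a rule that treats any reply headers anywhere in the body as a sign of a genuine conversation is exactly the rule this kit is built to exploit.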
Click the button, and your details get carried to a rotating web host through hash-encoded URL pieces that most scanners cannot read. The landing page throws up a Cloudflare Turnstile challenge and blocks keyboard shortcuts and developer tools.
If an analyst opens DevTools to inspect it, a timing trap fires and bounces them to a real Microsoft page to throw them off. Behind the rotating front, one part stays fixed: a backend running under a path called /google.php. This controller carries a full MFA bypass library that handles Authenticator pushes, one-time codes, SMS, and voice calls. It also runs a tenant-aware check.
When it fires a do=check command, it queries live Microsoft identity systems to learn what kind of account it is dealing with: a managed Microsoft 365 user, a federated tenant, a GoDaddy account, or one that does not exist. It then serves a matching fake login page. Type your password and the kit runs a do=login command, feeding your credentials straight to Microsoft in real time.
The Impact
This is credential theft that defeats the safeguards companies lean on. Standard email filters miss it because the stuffing makes the message look benign. MFA does not stop it because the kit relays the login as it happens, so the attacker rides in on the victim’s own approved session. ZeroBEC proved the live replay by feeding the kit fake credentials during a test.
Within seconds, the target tenant’s Entra sign-in logs showed a failed OfficeHome login with error code 50126, and the recorded IP addresses traced back to the kit’s own backend. That is hard evidence the kit checks passwords on the fly instead of stashing them for later. For any company running Microsoft 365, that means a single click can open the door even with MFA switched on.
How to Avoid This
- Treat voicemail and notification emails with suspicion, especially ones pushing you to a login page.
- Move toward phishing-resistant MFA like passkeys or FIDO2 hardware keys, since real-time replay struggles against them.
- Watch your Entra sign-in logs for odd patterns, such as failed OfficeHome logins tied to unfamiliar IP addresses or error code 50126.
- Train staff to open Microsoft 365 from a bookmark or the app, never from an email link.
- Review your email gateway rules so a buried fake thread cannot lower an email’s risk score.
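The sign-in log evidence ZeroBEC recorded (a failed OfficeHome login with error code 50126 from the kit's own IP) and the advice above to watch for that pattern can be turned into a concrete hunt. The Python below is an added example for this article, not a ZeroBEC tool and not a Microsoft product: it runs over constructed sign-in records laid out in the shape of Microsoft Graph signIn objects (createdDateTime, userPrincipalName, appDisplayName, ipAddress, status.errorCode), groups them per user, and flags OfficeHome failures with 50126 from addresses outside the organisation's known networks. It goes one step beyond the text by also checking whether a success from that same unfamiliar IP follows within a few minutes, which is what a replayed, accepted password would look like. The network ranges, users, IPs and timestamps are all constructed; only the 50126 code and the OfficeHome app name come from the article.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Networks the organisation expects its users to sign in from. Assumed values.
KNOWN_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),   # constructed office range
    ipaddress.ip_network("10.0.0.0/8"),     # constructed VPN range
]

# Constructed sign-in records in the shape of Microsoft Graph signIn objects.
# None of these IPs or users are real. Alice's entries mimic what ZeroBEC
# described: failed OfficeHome logins with 50126 from an unfamiliar IP,
# minutes after her normal activity, then a success from that same IP.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-06-23T14:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "192.0.2.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-23T14:05:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.77", "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-06-23T14:05:52Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.77", "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-06-23T14:06:30Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
    # Bob mistyped his password once from the office: same error code, familiar IP.
    {"createdDateTime": "2026-06-23T09:15:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},
    # Carol failed from a hotel network, but against a different application.
    {"createdDateTime": "2026-06-23T11:00:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.5", "status": {"errorCode": 50126}},
]

INVALID_PASSWORD = 50126  # the error code named in the article


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_unfamiliar(ip, known_networks=KNOWN_NETWORKS):
    """True when the address is outside every expected network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in known_networks)


def find_replay_indicators(records, known_networks=KNOWN_NETWORKS,
                           window=timedelta(minutes=10)):
    """Group sign-ins per user and flag the pattern the article describes.

    A hit is an OfficeHome failure with error 50126 from an unfamiliar IP.
    If a successful sign-in from one of those same IPs follows within the
    window, the credentials were most likely accepted on replay, so the
    alert is raised to high.
    """
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        suspects = [
            r for r in recs
            if r["appDisplayName"] == "OfficeHome"
            and r["status"]["errorCode"] == INVALID_PASSWORD
            and is_unfamiliar(r["ipAddress"], known_networks)
        ]
        if not suspects:
            continue
        first = parse_ts(suspects[0]["createdDateTime"])
        source_ips = sorted({r["ipAddress"] for r in suspects})
        followed_by_success = any(
            r["status"]["errorCode"] == 0
            and r["ipAddress"] in source_ips
            and first <= parse_ts(r["createdDateTime"]) <= first + window
            for r in recs
        )
        alerts.append({
            "user": user,
            "failed_50126": len(suspects),
            "source_ips": source_ips,
            "followed_by_success": followed_by_success,
            "severity": "high" if followed_by_success else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_replay_indicators(SAMPLE_SIGNINS):
        print(alert)
```

Error 50126 on its own is noisy, since every mistyped password produces one; what makes the pattern worth paging on is the combination the article points to, an unfamiliar source address against the OfficeHome app, and the follow-on success from that same address that shows the stolen password worked. The known-network list is the weak point of this check in practice, so keep it current and pair it with whatever location or device signals your tenant already records.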
Don’t Let a Fake Voicemail Open Your Front Door
CodeStorm works because it targets the gaps between your tools: the filter that trusts a thread, the MFA prompt that trusts a session. Secure.com helps teams find those gaps before an attacker walks through them.
- Test your own defenses the way a real phishing crew would, not just against a checklist.
- Watch identity logs for the quiet signs of credential replay and session abuse.
- Map where MFA can be bypassed and push toward phishing-resistant methods.
- Catch the email filter blind spots that let stuffed threads through.
- Keep a human in the loop on the alerts that point to a live account takeover.