diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5224629..4980aed 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14574,6 +14574,16 @@
       },
       "uuid": "b05a2a56-08dc-4827-9aef-aaade91016a4",
       "value": "Storm-1099"
+    },
+    {
+      "description": "Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/"
+        ]
+      },
+      "uuid": "375988ab-91b9-419e-8646-a4783b931288",
+      "value": "Storm-1286"
     }
   ],
   "version": 298