From de04fe33e16673b5520b697baec0b3ba30993482 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH] [threat-actors] Add Storm-1286 --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5224629..4980aed 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14574,6 +14574,16 @@ }, "uuid": "b05a2a56-08dc-4827-9aef-aaade91016a4", "value": "Storm-1099" + }, + { + "description": "Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/" + ] + }, + "uuid": "375988ab-91b9-419e-8646-a4783b931288", + "value": "Storm-1286" } ], "version": 298