{
  "Event": {
    "analysis": "1",
    "date": "2026-04-20",
    "extends_uuid": "",
    "info": "[Threat Intel] FlowerStorm Phishing Kit Targeting Microsoft Credentials via Cloudflare-Backed Infrastructure",
    "protected": false,
    "publish_timestamp": "1776783226",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776783226",
    "uuid": "fc7961f0-9fe4-4265-9ea1-f2bc8142e682",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Portal Capture - T1056.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#9db548",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Fronting - T1090.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776740418",
        "to_ids": false,
        "type": "text",
        "uuid": "404003e3-ece8-4256-8a26-63e34ca0350b",
        "value": "IOCs related to a FlowerStorm phishing\u2011kit\u2013driven campaign that delivers fake Microsoft authentication pages via compromised domains fronted by Cloudflare. The activity abuses legitimate cloud and CDN services for delivery while credential harvesting occurs on attacker\u2011controlled infrastructure, with incidental contact to Microsoft services during normal browser behavior. The campaign uses its own web servers to target victims' login credentials and to access their personal details and login details on its servers."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776740418",
        "to_ids": false,
        "type": "text",
        "uuid": "e2894869-2518-4c9d-b986-d5973e29dce1",
        "value": "Name: FlowerStorm Phishing Kit Targeting Microsoft Credentials via Cloudflare-Backed Infrastructure\nAuthor: AlienVault\nAdversary: \nTags: [\"flowerstorm\", \"iocs\", \"cloudflare\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1566\", \"T1056.003\", \"T1090.004\", \"T1567\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776775401",
        "to_ids": true,
        "type": "hostname",
        "uuid": "fafe186a-310a-4838-ba68-d0d67cc04e32",
        "value": "boysgirlsclubchester.continuousperformance.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776775422",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b5cb7458-9ddc-4dbb-b576-b19e1754b084",
        "value": "chestersuplandsd.continuousperformance.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776775444",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a75f0317-2231-4617-b3d3-b5180a5f861d",
        "value": "chesteruplandsd.continuousperformance.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776775465",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c7461570-3cb3-414a-8163-fefbba7e0fba",
        "value": "delcofamilyvillage.continuousperformance.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776775486",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c7602942-84ff-4a76-824c-98d14591942a",
        "value": "fleschlawfirm.continuousperformance.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776775507",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4c902d18-09dd-480c-87c6-1a697252c127",
        "value": "jbsafetyintl.continuousperformance.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776775529",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b73397d2-3bbe-499c-a893-1b03574a6c60",
        "value": "stevenscollege.continuousperformance.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776770931",
        "to_ids": false,
        "type": "link",
        "uuid": "88026dd5-2f81-47b3-ba59-00b0b65082dd",
        "value": "https://otx.alienvault.com/pulse/69e628228cf9938a05a3c669"
      }
    ]
  }
}