Storm-1674
Storm-1674 is a Microsoft-tracked, financially motivated threat actor that operates as an initial access broker. Microsoft uses the Storm designation for emerging or developing clusters, and its reporting explicitly describes Storm-1674 as financially motivated.

Since early December 2023, Microsoft has observed Storm-1674 using Microsoft Teams phishing as an initial access vector. The actor created its own tenants, scheduled meetings, and sent chat messages to targets through the meeting chat; this path bypasses the accept/block prompt that Teams shows for external senders in other chat contexts. The lures spoofed services such as OneDrive and SharePoint and led to fake landing pages and spoofed application installs, which Microsoft assessed likely dropped SectopRAT or DarkGate.

The actor is described as misusing the Windows ms-appinstaller URI scheme and App Installer to distribute signed malicious MSIX packages. Microsoft states that the malicious installers and landing-page frameworks were supplied by Storm-1113.

Storm-1674 is also known for using tooling based on the publicly available TeamsPhisher tool to distribute DarkGate, and its Teams phishing campaigns have carried malicious attachments such as ZIP archives containing LNK files that dropped DarkGate and Pikabot. Separate reporting states that Storm-1674 used Teams to deploy TeamsPhisher and other red-teaming tools and delivered DarkGate and other malware through Teams.

Microsoft reported handoffs from Storm-1674 to ransomware operators in September 2023 that led to Black Basta ransomware deployment. Reporting also states that Storm-1674 has used Lumma Stealer in campaigns, alongside other financially motivated actors such as Octo Tempest, Storm-1607, and Storm-1113.
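As an added example, not code from this page or from Microsoft, the following Python shows the kind of detection a defender would run over proxy, mail-gateway or Teams message logs for the ms-appinstaller abuse described above: it finds ms-appinstaller: URIs, extracts the MSIX package source, and flags sources that are off an internal allow-list or that carry OneDrive/SharePoint branding on a host that is not a Microsoft domain. The allow-listed repository host, the Microsoft domain suffixes and the sample log lines are assumptions constructed for illustration, not observed indicators.

```python
"""Flag ms-appinstaller: protocol-handler URIs that point at suspicious MSIX sources.

Added example for the Storm-1674 profile. Storm-1674 lures pointed targets at
ms-appinstaller: URIs so that Windows App Installer fetched a signed malicious
MSIX package directly from an attacker-controlled host.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Matches the protocol-handler URI wherever it appears in a log line or message body.
APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)

# Hosts from which your organisation legitimately serves MSIX packages.
# Constructed placeholder for the example; replace with your own repositories.
ALLOWED_SOURCE_HOSTS = {"packages.corp.example"}

# Brands Microsoft reported Storm-1674 spoofing in its lures.
SPOOFED_BRANDS = ("onedrive", "sharepoint")

# Domains on which those brands genuinely live; a branded package on any other host is suspect.
# Assumed for the example, not an exhaustive inventory of Microsoft domains.
MICROSOFT_SUFFIXES = (".microsoft.com", ".sharepoint.com", ".live.com", ".1drv.ms")


def is_microsoft_host(host):
    """True if host is, or is a subdomain of, one of the assumed Microsoft domains."""
    return any(host == s[1:] or host.endswith(s) for s in MICROSOFT_SUFFIXES)


def parse_appinstaller_uri(uri):
    """Return (package_url, host) for a ms-appinstaller: URI, or None if it carries no source."""
    if "?" not in uri:
        return None
    # parse_qs also percent-decodes, so an encoded source= value comes back as a plain URL.
    params = parse_qs(uri.split("?", 1)[1], keep_blank_values=True)
    sources = params.get("source")
    if not sources or not sources[0]:
        return None
    package_url = sources[0]
    host = (urlsplit(package_url).hostname or "").lower()
    return package_url, host


def classify(package_url, host):
    """Return the reasons a package source is suspicious; an empty list means benign."""
    reasons = []
    if not host:
        reasons.append("unparseable_source")
    elif host not in ALLOWED_SOURCE_HOSTS:
        reasons.append("external_source")
    lowered = package_url.lower()
    if any(b in lowered for b in SPOOFED_BRANDS) and not is_microsoft_host(host):
        reasons.append("spoofed_brand")
    return reasons


def scan_log(lines):
    """Return one finding per suspicious ms-appinstaller: URI found in the given lines."""
    findings = []
    for line in lines:
        for uri in APPINSTALLER_RE.findall(line):
            parsed = parse_appinstaller_uri(uri)
            if parsed is None:
                findings.append({"uri": uri, "source": None, "host": None,
                                 "reasons": ["missing_source"]})
                continue
            package_url, host = parsed
            reasons = classify(package_url, host)
            if reasons:
                findings.append({"uri": uri, "source": package_url,
                                 "host": host, "reasons": reasons})
    return findings


# Constructed sample lines; hosts and paths are placeholders, not real indicators.
SAMPLE_LOG = [
    "2023-12-05T10:14:02Z user=alice app=Teams url=ms-appinstaller:?source=https://onedrive-share.example.net/OneDrive.msix",
    "2023-12-05T10:16:40Z user=bob app=Edge url=ms-appinstaller:?source=https://packages.corp.example/Contoso.Tools.msix",
    "2023-12-05T10:18:11Z user=carol app=Teams url=ms-appinstaller:?source=https%3A%2F%2Fcdn.example.org%2FSharePoint-Update.msix",
    "2023-12-05T10:20:00Z user=dave app=Edge url=https://onedrive.live.com/?id=abc",
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["host"], finding["reasons"], finding["uri"])
```

The allow-list check is the load-bearing one: a signed MSIX is not evidence of legitimacy here, since the campaign used signed packages, so the decision has to rest on where the package was fetched from, not on the signature. The brand check only adds context for triage.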
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Microsoft-tracked activity cluster described as a ransomware group that has used LummaStealer in campaigns.
Storm-1674 is an initial access broker leveraging Microsoft Teams to deploy phishing tools and malware, facilitating access for further cybercriminal activity.
Financially motivated threat actor cluster tracked by Microsoft.