Tycoon and Storm-1575 Linked to Phishing Attacks on US Schools


Public schools across the United States are facing a surge in sophisticated phishing campaigns, according to a new report by PIXM, a cybersecurity firm specializing in AI-based anti-phishing solutions. Threat actors are launching targeted spear-phishing attacks, built on stealthy attack patterns, against officials at large US school districts and bypassing their MFA protections. Since December 2023, researchers have observed a surge in MFA-bypassing phishing campaigns against US teachers, staff, and administrators that use Dadsec and other Phishing-as-a-Service (PhaaS) platforms to compromise administrator email accounts and deliver ransomware.

PIXM first discovered the phishing activity in November 2023 and linked it to the Tycoon and Storm-1575 threat groups, which were singled out because they share a common attack pattern. Both actors rely on social engineering, spoofing emails so that they appear legitimate, and use Adversary-in-the-Middle (AiTM) phishing to bypass MFA by relaying the victim's one-time codes and capturing the resulting session cookies. The Tycoon group's PhaaS kit, sold on Telegram for as little as $120, advertises features such as bypassing Microsoft's two-factor authentication. Microsoft, for its part, tracks Storm-1575 as a threat actor that runs phishing campaigns through the Dadsec platform, using large numbers of domains produced by a domain generation algorithm (DGA) to host credential-harvesting pages aimed at extracting Microsoft 365 credentials from organizations worldwide.

Schools are already the industry most targeted by ransomware gangs, and student data has long been a prominent target of cybercrime, but the scale of data loss observed recently is unprecedented: an estimated 900-plus schools were affected by the MOVEit-linked attacks.

Security Officer Comments:

These threat groups are known for running phishing campaigns across a variety of critical infrastructure sectors; in this instance they targeted executive administrators and staff of large US school districts. For initial access, they send a phishing email containing a link that purports to let the recipient update their Microsoft 365 password. The link leads to a spoofed Microsoft login page that harvests the victim's credentials and forwards them, in real time, to the legitimate login page. The victim is then shown a spoofed MFA code page; the attacker captures the code the victim types and relays it to the real Microsoft server, which completes the sign-in and returns a session cookie that the attacker, not the victim, now holds. A fake Cloudflare CAPTCHA is displayed during the credential-entry stage both to reinforce the appearance of legitimacy and to delay delivery of the phishing page so that automated security content analysis never sees it. Because the stolen MFA codes are proxied to a legitimate Microsoft server, this campaign is further evidence that MFA on its own is not a complete defense: one-time codes and push approvals can be relayed through an AiTM proxy, a technique MITRE ATT&CK catalogs as Input Capture: Web Portal Capture (T1056.003). Phishing-resistant MFA such as FIDO2/WebAuthn security keys resists this relay, because the credential is bound to the legitimate origin and the authenticator will not produce a valid assertion for the attacker's domain.

Suggested Corrections:
PIXM recommends:

  • While email security, multifactor authentication, and awareness training have been traditional table stakes to protect organizations from phishing attacks, the modern attack environment leaves organizations vulnerable without additional protections.
  • Identify high-priority staff who have sensitive access or have regular communication patterns across the organization (e.g. payroll, invoicing, or HR). Invest in extra and, if needed, tailored awareness efforts for this group. This can pay huge dividends even in the context of sophisticated attacks, so that sensitive accounts are not compromised.
  • Train users to be cautious of links and websites, even when those pages prompt them for MFA tokens or CAPTCHAs.
  • Implement additional proactive AI-driven protections at the browser layer and email layer to protect users from stealthy phishing tactics like AiTM.

PIXM Blog Post