"We are sending a strong message to those who seek to create, sell, or distribute fraudulent Microsoft products for cybercrime: We are watching, taking notice, and will act to protect our customers." Microsoft takes down cybercrime group Storm-1152

AI generated visualization of Microsoft fighting cybercriminals
(Image credit: Generated by Bing | Microsoft)

What you need to know

  • With help from Arkose Labs and a court order, Microsoft seized the domains and U.S.-based infrastructure of the largest seller and creator of fraudulent Microsoft accounts.
  • Storm-1152 is estimated to have sold 750 million Microsoft accounts to cybercriminals and ransomware groups.
  • This is a big step in the right direction for companies like Microsoft to begin protecting themselves from these malicious groups that prey on both Microsoft and its customers.

A report from Microsoft explains that Storm-1152 is a cybercrime-as-a-service group that creates fake Outlook accounts in bulk and keeps them "alive" and active so that they don't look like fraudulent accounts to Microsoft. When a ransomware group later needs accounts for phishing or other attacks, it can buy these ready-made, aged accounts; because they look like ordinary user accounts with a history, Microsoft's detection systems flag them less readily than freshly created ones.
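The evasion described above rests on two things: accounts are created in bulk and then kept alive with synthetic activity. The script below is an added illustration, not code from the article and not Microsoft's detection logic (Microsoft has not published its signals). It scores constructed account records on three assumed heuristics: burst registration from one /24, templated usernames, and machine-regular keep-alive logins. Thresholds, field names, and the sample data are assumptions for the example.

```python
"""Heuristic triage of farmed, 'aged' accounts (illustrative; NOT Microsoft's detector).

Signals per account (thresholds are assumptions for this example):
  burst    - registered within minutes of several other accounts from the same /24
  template - username shares a stem (trailing digits stripped) with several others
  cadence  - logins arrive on a near-perfect schedule, typical of scripted keep-alive
An account with two or more signals is flagged for review.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Constructed sample records (not real telemetry). Four farmed accounts, one
# legitimate user, and one legitimate user who happens to share the farm's /24.
SAMPLE_ACCOUNTS = [
    {"username": "qhelper0412", "created_at": "2023-11-01T03:00:00", "signup_ip": "203.0.113.10",
     "logins": ["2023-11-08T03:05:00", "2023-11-15T03:05:00", "2023-11-22T03:05:00",
                "2023-11-29T03:05:00", "2023-12-06T03:05:00"]},
    {"username": "qhelper0413", "created_at": "2023-11-01T03:01:00", "signup_ip": "203.0.113.11",
     "logins": ["2023-11-08T03:06:00", "2023-11-15T03:06:00", "2023-11-22T03:06:00",
                "2023-11-29T03:06:00", "2023-12-06T03:06:00"]},
    {"username": "qhelper0414", "created_at": "2023-11-01T03:02:00", "signup_ip": "203.0.113.12",
     "logins": ["2023-11-08T03:07:00", "2023-11-15T03:07:00", "2023-11-22T03:07:00",
                "2023-11-29T03:07:00", "2023-12-06T03:07:00"]},
    {"username": "qhelper0415", "created_at": "2023-11-01T03:03:00", "signup_ip": "203.0.113.13",
     "logins": ["2023-11-08T03:08:00", "2023-11-15T03:08:00", "2023-11-22T03:08:00",
                "2023-11-29T03:08:00", "2023-12-06T03:08:00"]},
    {"username": "maria.lopez", "created_at": "2023-10-15T14:22:00", "signup_ip": "198.51.100.7",
     "logins": ["2023-10-15T14:30:00", "2023-10-16T09:12:00", "2023-10-20T18:45:00",
                "2023-11-02T07:01:00", "2023-11-30T21:10:00"]},
    {"username": "dev_sam", "created_at": "2023-11-01T03:02:00", "signup_ip": "203.0.113.50",
     "logins": ["2023-11-01T03:10:00", "2023-11-03T11:00:00", "2023-11-20T16:30:00",
                "2023-12-01T08:15:00"]},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def subnet24(ip):
    """Collapse an IPv4 address to its /24 (e.g. 203.0.113.10 -> 203.0.113)."""
    return ".".join(ip.split(".")[:3])


def username_stem(name):
    """Strip trailing digits so 'qhelper0412' and 'qhelper0413' share a stem."""
    return re.sub(r"\d+$", "", name.lower())


def registration_bursts(accounts, window=timedelta(minutes=10), min_size=3):
    """Usernames created within `window` of at least min_size-1 others from the same /24."""
    by_subnet = defaultdict(list)
    for acct in accounts:
        by_subnet[subnet24(acct["signup_ip"])].append(acct)
    flagged = set()
    for group in by_subnet.values():
        for acct in group:
            t0 = _t(acct["created_at"])
            near = [b for b in group if abs(_t(b["created_at"]) - t0) <= window]
            if len(near) >= min_size:
                flagged.add(acct["username"])
    return flagged


def templated_usernames(accounts, min_size=3):
    """Usernames whose stem is shared by at least min_size accounts."""
    stems = Counter(username_stem(a["username"]) for a in accounts)
    return {a["username"] for a in accounts if stems[username_stem(a["username"])] >= min_size}


def keepalive_cadence(logins, max_jitter_s=300, min_logins=4):
    """True when login gaps are almost identical (std. dev. <= max_jitter_s seconds)."""
    times = sorted(_t(s) for s in logins)
    if len(times) < min_logins:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.pstdev(gaps) <= max_jitter_s


def score_accounts(accounts):
    """Map each username to the list of signals it triggered."""
    bursts = registration_bursts(accounts)
    templated = templated_usernames(accounts)
    signals = {}
    for acct in accounts:
        hits = []
        if acct["username"] in bursts:
            hits.append("burst")
        if acct["username"] in templated:
            hits.append("template")
        if keepalive_cadence(acct["logins"]):
            hits.append("cadence")
        signals[acct["username"]] = hits
    return signals


def flagged_accounts(accounts, min_signals=2):
    """Usernames with at least min_signals independent signals."""
    return {u for u, hits in score_accounts(accounts).items() if len(hits) >= min_signals}


if __name__ == "__main__":
    for user, hits in score_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user:14} {hits}")
    print("flagged:", sorted(flagged_accounts(SAMPLE_ACCOUNTS)))
```

Note the deliberate false-positive guard: dev_sam registers from the farm's /24 during its burst, so it trips the burst signal, but its irregular logins and unique username keep it under the two-signal threshold. Requiring independent signals is what keeps a single shared NAT or ISP range from condemning every account behind it.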

Microsoft Threat Intelligence has identified multiple groups engaged in ransomware, data theft, and extortion that have used Storm-1152 accounts. For example, Octo Tempest, also known as Scattered Spider, obtained fraudulent Microsoft accounts from Storm-1152.


What can be done to fight cybercrime?

Cybercrime is predicted to cost the world $8 trillion in 2023, according to Cybersecurity Ventures. One of the main reasons cybercrime is so lucrative is that a company has very little recourse to defend itself from these attacks. Ask any cybersecurity professional and they will say that it is impossible to be 100% protected from an attack. The best you can hope for is redundancy and rapid recovery, with backups and other plans in place in case of an attack. 

For an attacker, there is minimal deterrent from perpetrating these attacks. Companies are forbidden by law from "hacking back." Even though there was a push by Congress back in 2019 to allow companies to do just that, there has yet to be any forward motion on that bill. H.R.3270, the Active Cyber Defense Certainty Act, would "limit the prosecution of computer fraud and abuse offenses where the conduct constituting an offense involves a response to, or defense against, a cyber intrusion." 

In my opinion, companies need the ability to hack back, meaning they can attack these criminals back and cause damage to the criminals' systems or place programs on the attackers' computers to gather information to give to the authorities. Right now, the law states that a company can build a wall to lock the door and windows, but if an attacker gets into your house, you must quietly ask them to leave. 

Microsoft seems to be tired of this approach, though. It is calling this week's takedown of Storm-1152 a "disruption strategy." Hopefully, that means similar actions will be taken against other cybercriminal groups in the future. 

Microsoft's announcement of the action reads: "On Thursday, December 7, Microsoft obtained a court order from the Southern District of New York to seize U.S.-based infrastructure and take offline websites used by Storm-1152 to harm Microsoft customers. While our case focuses on fraudulent Microsoft accounts, the websites impacted also sold services to bypass security measures on other well-known technology platforms. Today's action therefore has a broader impact, benefiting users beyond Microsoft."


Will Microsoft taking down Storm-1152 matter?

Like most markets, the cybercriminal world abhors a vacuum: a new group will likely step in, or the same people behind Storm-1152 will set up a new operation with new domains and infrastructure and continue offering their illicit services. However, the only way to deter these individuals from harming our companies and economies is to keep going after them and make the cost of doing crime higher than the rewards they have been collecting. 

I believe there is a sense of complacency about cybercrime from governments worldwide. It seems accepted as a matter of life and is impossible to resolve, but that can't be the case. There are indeed government-sponsored nation-state actors who have the backing and funding of governments like Russia, Iran, North Korea, and China. Those groups would be difficult or nearly impossible to successfully disrupt without causing an international incident. But many of these ransomware groups are just criminals looking to make money by stealing from others. Those groups should be tracked and stopped, as they are solely responsible for billions of dollars in global economic harm. 


What do you think about Microsoft's actions to protect themselves from cybercriminals? Do you think more companies should proactively solve these cybercrime issues for themselves? Let us know in the comments. 

Colton Stradling

Colton is a seasoned cybersecurity professional who wants to share his love of technology with the Windows Central audience. When he isn't assisting in defending companies from the newest zero-days or sharing his thoughts through his articles, he loves to spend time with his family and play video games on PC and Xbox. Colton focuses on buying guides, PCs, and devices and is always happy to have a conversation about emerging tech and gaming news.