The operation, launched on Thanksgiving Eve, attempted to deceive thousands of users in the United States through a wave of malicious emails themed around parking tickets and medical test results.
By incorporating holiday-related language and urgency cues, the attackers aimed to exploit users’ lowered vigilance ahead of the holiday weekend.
According to Microsoft’s threat intelligence team, the campaign involved tens of thousands of phishing emails.
The messages contained links or attachments impersonating legitimate organizations and law enforcement agencies.
The “parking ticket” lures typically claimed that a user had an outstanding fine and included links to view or pay the ticket.
The “medical test” variants urged recipients to check supposed lab results or schedule follow-up appointments.
Both tactics relied on social engineering to trigger curiosity or concern, leading victims to malicious websites designed to harvest credentials or distribute malware.
Microsoft attributed the attack to Storm-0900, a financially motivated threat group with a history of credential-theft campaigns and infrastructure overlap with previous phishing operations.
The attackers registered multiple domains mimicking common government and healthcare URLs, using SSL certificates and clean hosting providers to evade automated detection.
Many of these domains were active only for a short window, suggesting a strategy of rapid deployment and rotation to avoid blocklisting.
Microsoft blocked the campaign using layered defenses that combined email filtering, endpoint protection, and intelligence-based infrastructure blocking.
Signals from Microsoft’s Defender suite helped identify the malicious domains early, while coordinated telemetry from Microsoft 365 and Azure Active Directory systems allowed preemptive takedown of attacker-controlled assets.
Indicators of compromise (IOCs) have been shared with security partners to prevent further exploitation.
The company urged organizations to remain cautious during holiday periods, noting that cybercriminals often increase phishing activity when security teams operate with limited staffing.
Microsoft also recommended enforcing multifactor authentication (MFA), educating users about suspicious attachments or urgent messages, and monitoring sign-in logs for unusual behavior across enterprise accounts.
This campaign demonstrates how social engineering themes aligned with current events, such as public health or administrative fines, continue to serve as practical phishing tools.
While Microsoft’s mitigation efforts successfully curtailed the Storm-0900 attack before widespread impact, the incident highlights the ongoing need for proactive threat intelligence and user awareness as primary defenses against evolving phishing tactics.
The post Massive Phishing Attack by Storm-0900 Hackers Using Parking Ticket and Medical Test Themes appeared first on Cyber Security News.