From de04fe33e16673b5520b697baec0b3ba30993482 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:02:04 -0800
Subject: [PATCH] [threat-actors] Add Storm-1286

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5224629..4980aed 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14574,6 +14574,16 @@
       },
       "uuid": "b05a2a56-08dc-4827-9aef-aaade91016a4",
       "value": "Storm-1099"
+    },
+    {
+      "description": "Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/"
+        ]
+      },
+      "uuid": "375988ab-91b9-419e-8646-a4783b931288",
+      "value": "Storm-1286"
     }
   ],
   "version": 298