Microsoft Warns of New Wave of Social Engineering Campaigns by Storm Actors Targeting Europe & the Middle East
Microsoft Threat Intelligence has issued a new warning about an active wave of social engineering campaigns conducted by multiple state-aligned groups known collectively as Storm actors.
These campaigns use impersonation, credential harvesting and trust-based manipulation to gain access to high-value corporate and institutional environments.
According to Microsoft, the campaigns currently target:
- organizations across Europe and the Middle East, including EU member states
- sectors such as telecommunications, energy, logistics, public services and finance
- third-party providers and MSP/MSSP partners with privileged access to client systems
How Storm Actors Operate
Microsoft highlights several tactics observed across recent attacks:
✔ Impersonation of trusted partners
Emails mimicking government agencies, ministries, service providers or international organizations.
✔ Highly personalized spear-phishing
Messages referencing real names, roles, projects or internal processes to increase credibility.
✔ Malicious or replaced documents delivered via cloud services
Including OneDrive, SharePoint and other legitimate channels.
✔ Use of compromised business accounts
Storm actors leverage credentials from previous breaches to appear legitimate.
✔ Post-compromise objectives
Credential theft, lateral movement, persistence and exfiltration of sensitive information.
According to Microsoft, this activity fits a long-term strategy by state-aligned groups to infiltrate corporate environments, extract intelligence and influence operational decisions.
DIAMATIX Perspective
State-aligned social engineering attacks cannot be stopped by perimeter controls alone. They require continuous visibility, contextual telemetry and behavior-based detection across identities, devices and cloud applications.
DIAMATIX supports clients with:
🔹 MDR 360° + 24/7 SOC
Detection of suspicious logins, anomalous cloud interactions, privilege escalation and lateral movement.
🔹 Shield SIEM/XDR
Correlation of email events, identity logs, endpoint telemetry and network indicators to surface early warning signs.
🔹 Threat Hunting
Targeted hunts for TTPs associated with Storm actors:
- impersonation
- cloud-based exfiltration
- stealthy command channels
- credential theft and manipulation
🔹 Zero-Trust Identity Policies
Limiting blast radius when accounts are compromised.
🔹 Third-Party Risk Evaluation
Storm actors frequently compromise suppliers to reach the primary target.
“When attackers rely on trust — not malware — the decisive advantage comes from visibility, context and real-time response.”
Sources
- Microsoft Threat Intelligence – Social Engineering Campaign Reports
- Microsoft Security Intelligence – Storm Actor Behavioral Analysis
- Recorded Future – State-Aligned Campaigns Targeting Europe and MENA