Microsoft blocks high-volume Storm-0900 phishing campaign delivering XWorm via holiday lures
Microsoft said it detected and blocked a prolific phishing campaign dubbed Storm-0900 that used holiday-themed lures to trick victims into running malicious scripts leading to XWorm remote-access malware. Security reporting highlighted the campaign's scale and multi-step social-engineering techniques.
Microsoft's security teams reported detection and widespread blocking of a large-scale phishing operation labeled Storm-0900, which used timely holiday-themed lures such as fake parking tickets and fabricated medical test results to coerce targets into executing malicious scripts. Attackers relied on multi-step social engineering, including false verification pages, slider CAPTCHAs and staged prompts that convinced users to enable macros or execute payloads.
The campaign aimed to deploy modular XWorm malware capable of remote access, credential harvesting and lateral movement, enabling persistent access and data exfiltration. Microsoft and independent security outlets noted the use of automated distribution techniques combined with human-run follow-up to increase success rates, and stressed the campaign's high volume during peak season.
Recommended mitigations include enforcing endpoint protections, disabling macro execution by default, applying available patches, using multi-factor authentication, and training users to verify unexpected prompts and attachments. The incident underscores the continued evolution of phishing where social-engineering finesse and automation converge to produce high-impact holiday scams.