
Unpacking the Latest Threats Targeting the Financial Services Industry
Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage? Cybercrime? Social engineering? Fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. When people think about financially motivated cybercrime, they usually picture independent criminal groups chasing after a quick payout. And that is usually what we see. But today we're talking about something a little more complex, and more consequential. This is threat activity that uses the same techniques as everyday cybercrime, but with different intent and bigger scale. I'm Sherrod DeGrippo with Microsoft, and I come from a threat intelligence background. One of the things that we focus on is understanding how threat actors fund themselves, and how they operationalize accessing money. So today, we're unpacking a threat actor Microsoft tracks as Storm-0727. This group has been active since at least 2022. They're financially motivated, and they are heavily focused on cryptocurrency, financial services, and government targets. Then we'll connect that activity to broader trends that we're seeing across the financial services sector. So let's start from the top. When we say Storm-0727, what do we mean? I have Megan Stalling, Microsoft Security Researcher, here to help us understand that. So Megan, how does Microsoft characterize Storm-0727, and what separates this actor from traditional financially motivated cybercrime?
Megan Stalling: Hi! Happy to be here. Okay, so as you said, Storm-0727 is a financially motivated threat actor, and has been around since 2022, primarily targeting cryptocurrency exchanges, blockchain startups, online gaming companies, financial institutions, and even government and diplomatic entities tied to economic activity. So think, like, taxes. And what Storm-0727 does is something that is pretty typical of financially motivated threat actors: they use financial industry-themed lures to deliver malicious documents, which are often macro-enabled files, to compromise their targets. And what makes these attacks especially effective is just how ordinary they look at first. So an intrusion usually starts with something completely routine landing in an inbox, like an invoice, a report, or a work-related document. Nothing that's raising immediate red flags. But once that document is opened and macros are enabled, the attack quietly kicks off. So no flashy malware alerts or obvious exploits. Just a clean foothold for the actor. So macro-enabled documents, or maldocs -- malicious documents -- are sort of a throwback. That's something that we haven't seen in quite a while, particularly since a few years ago, Microsoft disabled macros by default in a lot of the Office Suite products. So your classic Excel macros didn't work anymore for malicious purposes, unless you turned that capability back on.
Sherrod DeGrippo: So Megan, help me understand: once that document is opened, what happens next? What does Storm-0727 do after that?
Megan Stalling: So once that document is opened, Storm-0727 is going to stay kind of quiet, really operating behind the scenes. So they're going to rely on custom scripts, including Virtual Basic scripts built directly into Windows, which is going to then steal browser credentials in order to maintain persistence. And by blending into normal administrative activity, they can maintain access without dropping tools that are going to be easy for defenders to spot.
Sherrod DeGrippo: This is very retro. This definitely reminds me of the attack chains from five years ago, especially stealing credentials from the browser. That's a tried-and-true classic TTP that we've seen for many, many years. And it's interesting that this particular threat actor is doing it specifically with financial services-type firm lures. And Megan, help me understand: with those lures, they're branded with different financial services companies. Is there any idea about targeting? Are they going after other financial services companies? Are they going after the users of those financial services companies? How do the branding and the lure and the social engineering fit in?
Megan Stalling: This is where social engineering becomes very critical, because Storm-0727 is going to rely on these convincing lures and carefully crafted infrastructure to add just enough legitimacy to then persuade the user that the document won't work unless the macros are turned on. So like with most phishing operations, there's going to be a very heavy investment in the infrastructure behind these attacks. Storm-0727 is going to consistently register domains that will support these operations, and those will likely masquerade as legitimate financial or technology companies. So that's really where they get their foot in the door, creating a sense of trust with their targeted users.
Sherrod DeGrippo: I think that that's interesting, that it's so specialized in this sort of, like, financial style, and the financial industry, and that they are targeting cryptocurrency, blockchain, gaming, financial services, et cetera. We know that the threat actors that go after cryptocurrency, they tend to go after anything in that world, including influencers on forums, including the actual bitcoin exchanges themselves, including the wallets, including financial services firms that are not DeFi at their core, but are traditional financial services firms that happen to have some kind of cryptocurrency trading desk as well. Really it is going after cryptocurrency all up, because that is an easy foothold to gain to then siphon off a financial reward. So let's talk a little bit about what I found really interesting about this threat actor. They're using one registrar, and that registrar is Namecheap. They are using the same TLDs, such as dot site, dot website, and dot store. Also, as I always do, I love to look at the indicators that we have listed in our Defender portal that customers can take a look at if they want to see more about this threat actor. And I notice that they do use dot site. They use dot store as their TLD, but they also use dot lol. Megan, is there any threat actor advantage to using dot lol as a TLD?
Megan Stalling: Not that I can think of.
Sherrod DeGrippo: Probably not. But it's interesting to see when threat actors are registering their own domains, what they're choosing and what they think makes sense. I've always been interested to find out where they're getting those ideas from. Sure, domain takeovers when a threat actor commandeers a legit domain and starts serving malware off of it, that's one thing. But when they're registering their own, it's interesting to see some of these indicators -- navarscope.lol, oceanfitstudio.store, and some of these others just really don't have a lot of connection to anything that I think would be very useful for them.
Megan Stalling: Right. I would love to know where the inspiration comes from for some of these.
Sherrod DeGrippo: Yes, I wonder if they have an app, or they're using some sort of logic to choose what they register for these. Megan, what else do we need to know about Storm-0727?
Megan Stalling: I think the important takeaway here is that they're capitalizing on an industry that's inherently fast-paced, high-volume. So this speed is going to create constant opportunities for both technical and human error, whether that's running outdated software, skipping an update because you don't want to close your 300 tabs, or just opening an email from what might look like a trusted partner. Something I find really interesting too is that this attack chain is very simple and small. It's a custom VB script. It has persistence. It does data exfiltration, pulls credentials out of the browser. This is not an excessive, big ol' honking attack chain like we have seen trend over the past couple of years. It is very purpose-built tooling. It is designed to stay relatively quiet. VB Script blends in very well to legitimate Windows activity, which is what makes VB Script such a classic for threat actors. They have used it for years and years and years. They know how to do it. I think it's interesting. Also I think, I could never say for sure, it's not something that you can always know definitively, but I would take a guess that there is not any AI creation of this threat. They're not making things any more complicated or creative for themselves than they need to be.
Sherrod DeGrippo: I agree. If you got a good thing going, don't change it up.
Megan Stalling: And for them, I think that this old-school tactic has been working, and it'll probably continue to work for them into the future.
Sherrod DeGrippo: I agree, and I think that's one of the things that when you talk to people who've been doing intel analysis or malware or tracking infrastructure or detection engineering, when they've been doing it for a long time, it is very evident and natural to them that threat actors will just do the bare minimum thing that works. And you talk to people who are new in the space or not in the space at all, and they are sort of breathless and oh, aren't they doing all these new, incredible cutting-edge -- no. Very rarely. Very rarely do we ever see threat actors doing things that are mind-blowingly cutting edge, complicated, impressive. There are absolutely those apex predator-level threat actors out there that are very, very impressive. Typically nation-sponsored threat actors that are doing things that are shocking and impressive in their efficacy and their ability to maneuver and things like that. But I think Storm-0727 really shows us that when it comes to actions on objectives, you do what it takes to get the job done and you move along. You don't need to overcomplicate it. You don't need to overengineer your threat. Threat actors know that. They don't waste engineering cycles. And if they don't have to have an overly complicated attack chain, they won't. So that just goes back to imposing cost. When you impose cost, they do have to start overengineering their attack chains. They do have to start looking for creative ways. And just like the pyramid of pain teaches us, the more that you take away from threat actors, the harder their lives become, and the easier it becomes for defenders. So let's talk about what we're seeing across the financial services industry more broadly. With me, I have Anna Seitz, Security Researcher at Microsoft. Anna, what are the threat trends that are heading up the financial services threat landscape right now?
Anna Seitz: Definitely. So we are seeing three interrelated trends that took prevalence over 2025, and those three trends are that ransomware campaigns are increasingly combining data theft with coercion to pressure organizations into payment. That's the first one. The second one is that social engineering and phishing-as-a-service platforms continue to enable threat actors to scale their credential theft campaigns and also bypass multifactor authentication. And the third trend is business email compromise, which takes advantage of trusted email workflows, and often leverages impersonation and domain spoofing, along with social engineering, to redirect funds or capture sensitive information. And we've seen quite a lot of BEC in 2025.
Sherrod DeGrippo: Okay, let's start with BEC then. BEC -- I could do so many episodes of this podcast about BEC, because it is absolutely, to me, one of the most interesting and creative threat types on the landscape. When we think about email threat, which for better or worse is where I've spent, you know, almost a decade of my life. A decade of my life and buckets of tears. Email threat, you basically got two choices. You can weaponize an attachment; you can weaponize a link. That's all you got to play with. There's no, you know, vulnerabilities to find exploits for; there's no traffic to compromise. Like, there's no anything to do with email as your vector other than a malicious link or a malicious attachment. But BEC doesn't need either of those. It weaponizes the body of the email, the actual message communication. This is where the attacker just abuses the relationship to trick you with words. Like impersonation, social engineering, timing. BEC is really interesting, because it has no significant technical mechanisms.
Anna Seitz: No, it's fascinating. And just even to take a snapshot in the month of September of 2025, Microsoft detected over 3.3 million BEC attacks. It's a humungous number.
Sherrod DeGrippo: And there's a couple of things I think that that can tell us. Anybody can get in the game in BEC. I'm not encouraging you to do this, but if you wanted to get in the game in BEC and become a criminal, you can just send out some emails, telling lies to people. That really is all it takes, is you just start sending emails saying I'm so-and-so, and you owe me money. Or getting involved in, maybe you can compromise an account and start sending emails from that account that change payment information for a business. There is an incredible amount of flexibility and creativity that comes with BEC because there's no malware needed. There's no phishing landing page needed. There's no infrastructure. There's no command and control. You don't need to do anything on that host. You just need to send a convincing enough message to get your target to do what you want them to do.
Anna Seitz: Totally. And even further, to get more granular with our data here, the majority of BEC attacks started out with a generic task request, rather than a specific request. So it was kind of a scorched earth approach to blanket -- these blanket email campaigns, and like you say, it is based on deception rather than malware. So it makes it very difficult to detect. And it also results, unfortunately and usually, in very substantial financial losses.
Sherrod DeGrippo: And something else that I think is always worthwhile to point out with BEC is that it works just as well in MFA-enabled environments because it is not about authentication. It is not about technical authentication. It relies on the fact that the victim receives the email and believes that the sender is who they say they are and is telling them the truth. It isn't that different from walking up to someone on the street and saying, I'm the company that does your landscaping and you owe me $200. Please give me $200. Like, literally you could BEC that. It's just such a strangely non-technical mechanism, but these threat actor groups that do BEC, they are very organized. And they will go to great lengths to make their story seem believable as far as setting up, getting a legitimate business license, applying for permits at state and local agencies. They'll create all kinds of fake collateral, fake websites for this business that they supposedly have, but it -- all it is is fraud via email with all kinds of kind of elaborate stories behind it.
Anna Seitz: Yes.
Sherrod DeGrippo: If I was going to do any kind of cybercrime, I would do BEC. I think it is the most -- I would never do any cybercrime, because obviously my entire life and career has been dedicated to stopping it. But from the perspective of difficulty as a defender, if I were to say what is the hardest thing to fight against at scale and what is the thing that is coming at us the hardest? I really do think it is BEC. I think every company and every individual is completely prone to having something like this happen to them. So let's talk ransomware, another topic that I am very interested in, that I've been tracking for a really long time. We've had some of the ransomware greats on here, like Allan Liska. Anna, what is ransomware looking like on the financial services landscape?
Anna Seitz: So the most active ransomware offering right now on the financial services landscape, between January and September of 2025, is Qilin, and that accounted for nearly 15% of the total ransomware activity. We also have accounts of Akira following that, around 11%. And this is really illustrating the concentration of activity among kind of a small number of ransomware offerings.
Sherrod DeGrippo: So you mentioned Qilin ransomware, or "quill-en." It's Q-i-l-i-n. I don't think we know how to pronounce it correctly. I'm very open to hearing from anyone who knows how to say it. It's been around since 2022. It includes double extortion as part of the attack chain, usually targets mid-to-large organizations, and they are a ransomware-as-a-service group. So they've got the developers that build and maintain the ransomware, and then they have the affiliates that actually do the intrusions and deploy that payload. And you may have seen some reports that refer to it as "Agenda ransomware," and that was kind of an earlier branding. These things get mixed up and complicated because of the different threat actor groups and the affiliates and things. This is a pretty organized one, Anna. Qilin is a ransomware that has developers and has teams working on it, and things like that.
Anna Seitz: Yes, it definitely does. And you've hit on that point that the ransomware paired with extortion, that's also something that we've seen an increase of in the past quarter. And that's become a more prevalent ransomware trend over the past year as well.
Sherrod DeGrippo: For Qilin, I think it's important to kind of talk a little bit about what that flow looks like. So it starts with phishing, stolen credentials, and then they start looking to exploit known and patched vulnerabilities. They may purchase access from an initial access broker. They look for those reliable access paths. Novel exploits are not the business that they're in. They're looking at getting in quickly, as we know. I mentioned a lot of threat actors do what it takes and then stop there. Once they're inside, they do a lot of living off the land. They use the legitimate admin tools that come on those systems. They disable security controls where they can, and they start moving laterally, again using utilities that are resident on those hosts. That way it's harder to detect them. But talk a little bit about double extortion, Anna. You've looked at ransomware for a long time. Are you starting to see the encryption ransom plus that extortion side become more prevalent? Are we starting to see anything creative there?
Anna Seitz: Yes, I do think it is creative. I mean, these bad guys, to put it in a different term, are really just trying to increase their exposure so that they can have maximum leverage. So you know, they're gaining access through stolen credentials, whether through phishing or unpatched vulnerabilities, and then just trying to move laterally to identify those high-volume systems. Things like payment processors and trading platforms or customer data stores. That's where, you know, obviously the financial threat landscape is a very high-value sector to target for criminals that are participating in these types of things.
Sherrod DeGrippo: I think it's interesting too, that these threat actors will do whatever it takes to get paid. So that really is the DNA of the financially motivated threat actor, or crimeware, as we like to talk about it. They aren't focused -- Qilin specifically is not focused on a particular industry. We see them in the financial services threat landscape; that's our main focus to talk about today. But they also have been observed in manufacturing, healthcare, professional services, technology. And those are organizations, a lot of the time, where downtime is super expensive, and any public exposure is also incredibly impactful to those organizations. That's generally the profile that most ransomware groups are going to look for, is where that organization knows that downtime hurts so bad and costs them so much money that they really can't tolerate it, and so will be more likely to make the choice to pay the ransom. That's the equation that threat actors use. That is the math that they do when choosing targets. And then there's another element of target choice that I think is important, which is what the security posture of that organization is known to be. Even if it's not 100% visible or 100% well-known, if an organization starts developing a reputation for spending money on security, and spending money on being technology-forward, a lot of times they'll say, you know what? They probably have enough controls in place that it doesn't make sense for us to go after them. Threat actors want to find an organization where that downtime is really expensive, and it's probably not as well-secured. So Anna, Qilin is a ransomware-as-a-service. They use stolen credentials, unpatched systems. What else do we need to know about Qilin?
Anna Seitz: I think Qilin is going to remain very prevalent as a ransomware offering on the threat landscape, and we also continue to see it pop up as a ransomware offering in many other industry landscapes as well.
Sherrod DeGrippo: So Anna, something I talk about a lot is social engineering, because when your technical controls are tight, when everything's updated, when you've got a good patch management strategy in place, when you're doing, you know, detection and response, when your security posture is relatively together, social engineering often still works. And so a lot of threat actors know that, and they go ahead and do the social engineering to get what they want. So what are we seeing on the social engineering side of the house when it comes to the threat landscape and financial services?
Anna Seitz: So social engineering and phishing specifically is the dominant initial access vector that's impacting the financial services sector. And it continually keeps representing the largest share of observed incidents across all industries. Threat actors will continue to exploit this human trust through impersonation. And one other thing I think we can hit on is the rise of phishing-as-a-service platforms like EvilProxy has also really lowered the barrier to entry by enabling large-scale AI-enhanced campaigns that bypass MFA, NFA detection.
Sherrod DeGrippo: So something that's interesting about EvilProxy, and there's a couple of these, is they use an attacker-in-the-middle capability to put a malicious web server between the victim and the legitimate sign-in service. Because then the user looks at this and sees a real login page. The URL generally looks convincing, and then the normal MFA prompt behavior is there. But the attacker is able to watch everything in real time, and is able to siphon off the credentials, any MFA approvals, or any cookies that are presented. This is not something where a threat actor steals your password and logs in later. They log in at the same time as you. We're seeing more and more attacker-in-the-middle capabilities. Anna, what do you think it is going to take for there to be any kind of evolution there?
Anna Seitz: I see the evolution being that attackers are starting to combine multiple techniques together, like social engineering with these automated phishing ecosystems, and they're streamlining that credential theft. And then that also lays the foundation for follow-on ransomware and extortion campaigns, and then also the business email compromise operations that we had talked about.
Sherrod DeGrippo: I think that attacker-in-the-middle is really -- it's a good example of when defenders innovate, threat actors will innovate back. It doesn't require malware. It's not like a brute force thing. It's not a failure of MFA. It really is, in many ways, a social engineering function. Like, it has to have some element of tricking that user into doing something that you want them to do in order for it to work. Among the things that attacker-in-the-middle can facilitate is email account takeover. They can do data theft, and then they can replay those tokens and remain persistently logged in to whatever they were able to get in the middle of, and continue having access to that particular account if they have been able to successfully log in. And unfortunately, one of the hardest parts for defenders is that when you're looking in your logs when someone has experienced an attacker-in-the-middle and been a victim of that, what you see in your logs is "user successfully authenticated." You see standard successful technology functionality. And it is a giant red flag that's not a red flag. So it's very hard to defend against. So Anna, I know that there are some "vulns" that we wanted to talk about. What is it looking like on the vulnerability landscape these days?
Anna Seitz: We took a deep dive look at some of the vulnerabilities specifically impacting the financial services sector, and what we see is that attackers continue to rely on well-known, long-disclosed vulnerabilities that are widely exploitable due to incomplete patching or legacy infrastructure. And that's a common trend across all industries.
Sherrod DeGrippo: What's the answer here?
Anna Seitz: The answer is to patch! If you can, please patch. When you get an update, please patch.
Sherrod DeGrippo: I think that we have been telling people to apply their patches. It's like eat your vegetables, take your vitamins, you know, get your teeth cleaned. We're asking people to do real security hygiene here. And when you don't, that's when threat actors can see an opportunity. And we know, as an example, threat actors have automated reviews set up looking for new CVEs to come out. The minute those new CVEs come out, threat actors begin looking for a way to exploit them and try to create an exploit that they can then use against organizations in the wild. That process happens so fast, and in many cases is automated, and with AI will get even faster, because AI is an acceleration mechanism. The faster you can patch, the better your security posture will be, and the more you'll be able to devote resources to things that could have even bigger impact in your environment. Anna Seitz, Megan Stalling, Security Researchers at Microsoft, thank you so much for joining me on the "Microsoft Threat Intelligence Podcast." We will see you again soon.
Anna Seitz: Thank you for having us.
Megan Stalling: Thank you. [ Music ]
Sherrod DeGrippo: Thanks for listening to the "Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out at msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]
