RedVDS Cybercrime Infrastructure Fueling Cyber Fraud


Most organizations still focus solely on “tactics, techniques, & procedures (TTPs)” used by threat actors. That’s a mistake.

Today’s biggest financial losses don’t start with custom malware or zero-days. They start with industrialized cybercrime infrastructure, which is scalable and purpose-built to make cyber fraud fast, cheap, and hard to trace.

Microsoft tracks one of the most active examples as Storm-2470, the operator behind RedVDS, a virtual dedicated server (VDS) platform purpose-built for cybercriminals. Storm-2470 doesn’t run phishing campaigns or steal money directly. It does something more dangerous: it supplies the infrastructure that enables dozens of criminal groups to do it at scale.

What Is RedVDS and Why It Matters

RedVDS is a Windows-based RDP hosting platform marketed as “high-performance” infrastructure with:

  • Dedicated hardware and full admin control
  • Rapid host creation and mass mailer support
  • High uptime, unlimited traffic, and anti-DDoS
  • Cryptocurrency payments and privacy-first operations

In plain terms: it’s turnkey cybercrime hosting. Threat actors use RedVDS to:

  • Launch mass phishing and QR-code phishing campaigns
  • Execute business email compromise (BEC)
  • Host phishing kits (PhaaS)
  • Perform lateral movement via RDP once credentials are stolen
  • Conduct payment cyber fraud using hijacked or look-alike domains

This infrastructure has already been used against nearly 900 organizations, primarily across the U.S., UK, Canada, and Western Europe.

Who’s Being Targeted

RedVDS-enabled campaigns focus on organizations where email trust equals money.

Most targeted regions

  • United States
  • United Kingdom
  • Canada
  • Western & Central Europe

Most impacted sectors

  1. Construction & Real Estate
  2. Wholesale Distribution
  3. Healthcare
  4. Architecture & Engineering
  5. Primary & Secondary Education

These industries have one thing in common: frequent invoicing, payment workflows, and vendor trust chains, prime conditions for BEC and payment-redirection cyber fraud.

Real-World Impact: Tens of Millions Lost

One of the most damaging RedVDS-backed operations involved Tycoon Group (Storm-1747):

  • QR-code phishing PDFs impersonating HR payroll notifications
  • Abuse of Microsoft 365 Direct Send (the unauthenticated path meant for printers and on-premises apps to deliver mail to the tenant’s MX endpoint, which attackers use to send messages that appear to come from internal addresses)
  • Credential harvesting via fake Microsoft login pages
  • Account takeover followed by trusted-sender invoice cyber fraud

Once a mailbox was compromised, attackers pivoted laterally to target partners, suppliers, and finance teams. Result: tens of millions of dollars wired directly to attacker-controlled accounts.

No ransomware. No malware alerts. Just email trust abused at machine scale.
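Two of the signals in the chain above are cheap to detect from telemetry most tenants already have: a Direct Send spoof (a message that claims an internal sender but reached the tenant from an outside IP with no SPF, DKIM or DMARC pass) and the post-takeover inbox rule that hides or diverts invoice mail before the fraudulent wire request goes out. The following Python is an added example written for this post, not code from Microsoft or from CyberMSI; the tenant domain, egress range, IPs, message IDs and rule events are all constructed, and the `MailTrace`/`InboxRuleEvent` records are a simplified stand-in for what message trace and unified audit log entries actually carry.

```python
"""Added example: two detections for the Direct Send -> mailbox takeover chain.
All domains, IPs and events are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Assumptions: the defender's accepted domains and its known outbound egress range.
TENANT_DOMAINS = {"contoso.example"}
TENANT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

PAYMENT_WORDS = {"invoice", "payment", "wire", "remittance", "ach", "bank"}
# Folders attackers commonly use to park mail the owner is unlikely to open.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}


@dataclass
class MailTrace:
    message_id: str
    sender: str      # P2 From address the recipient sees
    source_ip: str   # connecting IP recorded at the tenant's MX
    spf: str         # Authentication-Results values: pass / fail / none
    dkim: str
    dmarc: str


@dataclass
class InboxRuleEvent:
    user: str
    rule_name: str
    subject_contains: list = field(default_factory=list)
    move_to: str = ""
    forward_to: str = ""
    delete: bool = False


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def from_tenant_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TENANT_NETWORKS)


def is_direct_send_spoof(trace):
    """Internal-looking sender, external source, nothing authenticated."""
    if domain_of(trace.sender) not in TENANT_DOMAINS:
        return False                 # ordinary external mail, a different problem
    if from_tenant_network(trace.source_ip):
        return False                 # genuinely left from our own egress
    return "pass" not in (trace.spf, trace.dkim, trace.dmarc)


def inbox_rule_findings(evt):
    """Reasons a newly created inbox rule looks like takeover tradecraft."""
    reasons = []
    words = {w.lower() for w in evt.subject_contains}
    touches_money = bool(words & PAYMENT_WORDS)
    hides = evt.delete or evt.move_to.lower() in HIDING_FOLDERS
    if touches_money and hides:
        reasons.append("hides payment-related mail from the mailbox owner")
    if evt.forward_to and domain_of(evt.forward_to) not in TENANT_DOMAINS:
        reasons.append(f"auto-forwards to external address {evt.forward_to}")
    return reasons


# Constructed sample telemetry: one real internal message, one spoofed payroll
# lure delivered via the unauthenticated path, one normal vendor message.
SAMPLE_TRACES = [
    MailTrace("<m1@contoso.example>", "hr@contoso.example", "203.0.113.10",
              "pass", "pass", "pass"),
    MailTrace("<m2@bulk.example>", "payroll@contoso.example", "198.51.100.77",
              "fail", "none", "fail"),
    MailTrace("<m3@vendor.example>", "ap@vendor.example", "192.0.2.40",
              "pass", "pass", "pass"),
]

# Constructed rule-creation events: a benign rule, a classic hide-the-invoices
# rule with a throwaway name, and an external auto-forward.
SAMPLE_RULES = [
    InboxRuleEvent("cfo@contoso.example", "Newsletters",
                   subject_contains=["newsletter"], move_to="Newsletters"),
    InboxRuleEvent("cfo@contoso.example", ".",
                   subject_contains=["invoice", "payment"], move_to="RSS Feeds"),
    InboxRuleEvent("ap@contoso.example", "Sync",
                   forward_to="finance.updates@mail.example"),
]


def run_detections(traces=SAMPLE_TRACES, rules=SAMPLE_RULES):
    return {
        "direct_send": [t.message_id for t in traces if is_direct_send_spoof(t)],
        "inbox_rules": [(r.user, r.rule_name, inbox_rule_findings(r))
                        for r in rules if inbox_rule_findings(r)],
    }


if __name__ == "__main__":
    for kind, hits in run_detections().items():
        print(kind, hits)
```

Against the sample data only the spoofed payroll message and the two malicious rules fire. In production the same logic runs over message trace and the unified audit log's New-InboxRule/Set-InboxRule events, and the first signal disappears entirely if the tenant turns off the unauthenticated path with Exchange Online's RejectDirectSend organization setting, which is the preventive control to check before tuning the detection.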

Why Traditional Security Keeps Missing This

Here’s the uncomfortable truth:

  • Secure email gateways alone won’t stop this
  • Signature-based detections lag infrastructure rotation
  • SOCs drown in alerts while attackers move fast
  • Automated tools either act without business context or don’t act at all

Storm-2470 thrives because most defenses are reactive, while this infrastructure is designed for speed, anonymity, and scale.

How CyberMSI Breaks the RedVDS Attack Chain

Stopping infrastructure-enabled cyber fraud requires more than tools. It requires accountable response at AI-driven speed combined with expert analyst judgement.

CyberMSI is purpose-built for exactly this threat model:

  • 24/7 MDR service with Microsoft Defender XDR + Sentinel SIEM to detect anomalous email behavior, identity abuse, OAuth misuse, and RDP-based activity
  • Identity-centric detections to catch credential harvesting and thwart mailbox takeover early
  • AI-driven analysis across email, identity, endpoint, and cloud signals to surface BEC patterns fast
  • Analyst-on-the-loop response to disable accounts, block domains, revoke tokens, and stop payment cyber fraud before money moves
  • Context-aware decisioning so legitimate finance workflows aren’t blindly disrupted

This is exactly the type of threat where automation alone fails and human-only SOCs fall behind.

Bottom Line

Storm-2470 proves cybercrime has become an infrastructure business. If your security strategy isn’t designed to detect who’s abusing your identities, email trust, and payment workflows in real time, you’re already exposed.

Prevention isn’t enough. Visibility isn’t enough. Only trusted execution, accountability, and context win.

At CyberMSI we have an “AI + analyst-on-the-loop” SOC model to help customers mitigate risk, cut costs and prevent disruptions with AI, while our analysts execute response actions or approval workflows based on business context, not generic playbooks.

Powered by Microsoft Unified Security Operations using Microsoft Defender XDR and Microsoft Sentinel SIEM, we deliver MDR for AI agents, identities, endpoints, data, multi-cloud, and third-party access.

Our difference is not AI-based automation alone; it is Accountable & Intelligent automation.

Get Your Free AI Security Risk Assessment to Detect Hidden Threats in Your Microsoft Environment.
