FlowerStorm (KrakVM) evades email filters and the NIS 2 stakes

The FlowerStorm phishing kit runs obfuscated JavaScript in KrakVM to intercept MFA. Here is how an email gateway, DMARC/SPF/DKIM, and a 24/7 SOC help meet NIS 2 in Luxembourg.

Executive takeaway: here is what just happened (FlowerStorm/KrakVM), how to prevent it (hardened email gateway + DMARC/SPF/DKIM, IOC/TTP‑enabled SOC, phishing‑resistant MFA), and how to notify the ILR within 24h/72h if required.

What happened

On 14 May 2026, Sublime Security published an in‑depth analysis of an active campaign run by the phishing‑as‑a‑service kit “FlowerStorm.” Key point: HTML attachments carry obfuscated malicious code executed inside a JavaScript virtual machine (KrakVM), recently open‑sourced. When opened in the browser, the attachment renders a fake interface (often “voicemail” or invoice) to collect credentials and MFA codes, with an adversary‑in‑the‑middle (AiTM) relay to hijack sessions.

The report lists 153 IOCs, e.g., 2067612207-1317754460.cos.eu-frankfurt.myqcloud[.]com, iphgo.office0utloot356comonauth[.]line, ableg.docufiled[.]com. Primary source: Sublime Security (14 May 2026). Media coverage: CSO Online (14 May 2026).

Why this matters for the EU and Luxembourg in May 2026:

  • The payload arrives via HTML attachment (no explicit URL) and is encoded as bytecode, evading many static detections at the gateway.
  • The kit tailors the interface to the targeted service (Microsoft 365, GoDaddy…), enumerates the victim’s MFA methods (push, TOTP, SMS, voice call) and intercepts MFA challenges in real time.
  • Observed hosting relies on multi‑region object‑storage domains (Singapore, Frankfurt, Tokyo, Ashburn…), complicating simple blocklists. Public IOCs: see Sublime’s post above.

The legal framework

NIS 2 in Luxembourg (Law of 5 May 2026): essential and important entities must implement “cybersecurity risk‑management measures” (Art. 21), including anti‑phishing controls and the integrity of information systems. They must notify a significant incident “without undue delay and no later than within 24 hours” (early warning), then within 72 hours (incident notification), then a final report within one month (Art. 23). The ILR documents the process; national notifications are filed through SERIMA. References: ILR — NIS 2 and ILR — 24h/72h/1‑month notification, SERIMA. For a practical entry point, see NIS 2 in Luxembourg.

GDPR, Article 32 (security of processing): general duty to implement appropriate technical and organisational measures (strong authentication, logging, access control) to prevent unauthorised access to personal data compromised via phishing. Reference: EUR‑Lex — GDPR (Art. 32).

In practice, regulators expect:

  • Preventive controls (advanced email filtering, phishing‑resistant authentication, DMARC/SPF/DKIM).
  • Timely detection and alerting to meet the 24h/72h windows (NIS 2).
  • Logs and evidence to support investigation and notification (NIS 2 Art. 23; GDPR Art. 32).

The technical solution to deploy

Goal: block entry (obfuscated HTML, QR/“quishing”, AiTM links), detect early, and preserve artefacts usable for SERIMA and, if needed, for GDPR notification.

1) Email gateway + domain authentication (DMARC/SPF/DKIM)

  • Role: filter HTML attachments, detect obfuscated JavaScript (high entropy, non‑standard Base64 alphabets), URL disarm, controlled sandboxing with dynamic rendering.
  • DMARC/SPF/DKIM: reduce domain spoofing, useful against FlowerStorm’s “voicemail/invoice” lures imitating brands. Requires monitoring aggregated DMARC reports to spot spoofing campaigns.
  • Standards: ISO 27001:2022 A.8.23, A.5.17; CIS Control 9; NIST CSF 2.0 DE.CM, PR.PS.
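The two DMARC checks above, grading the published record and reading the aggregate (rua) reports for spoofing sources, as an added example that is neither Luxgap's tooling nor a vendor product. The TXT record, the XML report, example.com and the IP addresses are constructed; the row classification follows the RFC 7489 Appendix C report schema, and the same parser serves the later move from “quarantine” to “reject”.

```python
"""DMARC: grade the published record and mine an aggregate (rua) report.
Added example; record, report and addresses are constructed assumptions."""
import xml.etree.ElementTree as ET

# Constructed: the TXT record a resolver would return for _dmarc.example.com
DMARC_TXT = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r"


def parse_dmarc(txt: str) -> dict:
    """'tag=value; tag=value' into a dict (tag names are case-insensitive, RFC 7489)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_findings(txt: str) -> list:
    """Weaknesses that leave the domain spoofable or keep the spoofing invisible."""
    t = parse_dmarc(txt)
    findings = []
    if t.get("v") != "DMARC1":
        findings.append("not a DMARC1 record")
    p = t.get("p", "")
    if p == "none":
        findings.append("p=none: failing mail is delivered, only reported")
    elif p not in ("quarantine", "reject"):
        findings.append(f"unknown policy p={p!r}")
    if "rua" not in t:
        findings.append("no rua=: aggregate reports not collected, spoofing stays invisible")
    if t.get("sp") == "none" and p != "none":
        findings.append("sp=none: subdomains remain spoofable")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    return findings


# Constructed aggregate report (RFC 7489 Appendix C shape): one domain, three senders.
RUA_XML = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>310</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def triage_rua(xml_text: str) -> dict:
    """Split report rows into likely spoofing (DKIM and SPF both fail) and
    half-configured legitimate senders (exactly one mechanism fails: these still
    pass DMARC today but break as soon as a forwarder rewrites the envelope,
    which is the DKIM tuning work on third-party senders)."""
    root = ET.fromstring(xml_text)
    out = {"domain": root.findtext("policy_published/domain"), "spoofing": [], "partial": []}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        disp = rec.findtext("row/policy_evaluated/disposition")
        if dkim == "fail" and spf == "fail":
            out["spoofing"].append((ip, count, disp))
        elif "fail" in (dkim, spf):
            out["partial"].append((ip, count, disp))
    return out


if __name__ == "__main__":
    print(dmarc_findings(DMARC_TXT) or "record OK")
    print(triage_rua(RUA_XML))
```

Run the record grader against every domain you own (including parked ones, which need p=reject outright) and feed each rua report through triage_rua: the “spoofing” rows are what to block or report, the “partial” rows are the senders to fix before switching to “reject”.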

2) Behavioural detection and Threat Intel (IOCs + TTPs)

  • Role: ingest confirmed IOCs (e.g., numbered myqcloud[.]com subdomains listed by Sublime) and detect TTPs: .html attachments with VM/bytecode encoding, variables “__krak_throw,” custom Base64 alphabets, KrakVM artefacts, AiTM MFA paths.
  • Legal benefit: speeds up “significant incident” assessment and 24h/72h SERIMA qualification (NIS 2 Art. 23). Refs: Sublime, IOCs; CSO Online.
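A concrete form of the gateway and TTP checks in sections 1 and 2, added here as an example rather than code from Sublime or Luxgap: static triage of an .html attachment for the obfuscation indicators named above. Only the “__krak_throw” identifier comes from the report; the entropy threshold, the minimum literal length, the execution-sink list and the two sample attachments are constructed assumptions to be tuned against your own mail flow.

```python
"""Static triage of an .html attachment for KrakVM-style obfuscation.
Added example (not Sublime's or Luxgap's code). The only kit-specific artefact
taken from the report is "__krak_throw"; thresholds and the other indicators
are assumptions a gateway rule author would tune."""
import math
import re
import string
from collections import Counter

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
KNOWN_ARTEFACTS = ("__krak_throw",)   # named in the Sublime report
ENTROPY_THRESHOLD = 5.0               # bits/char: readable JS is ~4.5, Base64-like blobs ~5.9
MIN_BLOB_LEN = 200                    # assumption: shorter literals are too noisy to score


def shannon_entropy(data: str) -> float:
    """Bits per character of the string's symbol distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def script_blocks(html: str) -> list:
    """Inline <script> bodies; src= scripts are not fetched (offline triage)."""
    return [m.group(1) for m in re.finditer(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)]


def custom_b64_alphabets(js: str) -> list:
    """String literals of exactly 64 distinct characters that are not the standard
    Base64 table: a permuted alphabet feeding a custom decoder."""
    hits = []
    for m in re.finditer(r"""["']([^"'\\\n]{64})["']""", js):
        lit = m.group(1)
        if len(set(lit)) == 64 and lit != STD_ALPHABET:
            hits.append(lit)
    return hits


def high_entropy_literals(js: str) -> list:
    """Entropy of every long string literal; encoded VM bytecode lands here."""
    out = []
    for lit in re.findall(r"""["']([^"'\\\n]{%d,})["']""" % MIN_BLOB_LEN, js):
        e = shannon_entropy(lit)
        if e >= ENTROPY_THRESHOLD:
            out.append(round(e, 2))
    return out


def exec_sinks(js: str) -> list:
    """Dynamic-execution sinks that turn a decoded blob into running code."""
    return sorted(set(re.findall(r"\b(eval|Function|atob|document\.write)\s*\(", js)))


def triage(html: str) -> dict:
    js = "\n".join(script_blocks(html))
    result = {
        "artefacts": [a for a in KNOWN_ARTEFACTS if a in js],
        "custom_alphabets": custom_b64_alphabets(js),
        "high_entropy_literals": high_entropy_literals(js),
        "exec_sinks": exec_sinks(js),
    }
    # Entropy alone false-positives on inline fonts/images; require a sink with it.
    blob_and_sink = bool(result["high_entropy_literals"]) and bool(result["exec_sinks"])
    result["verdict"] = "block" if (result["artefacts"] or result["custom_alphabets"]
                                    or blob_and_sink) else "allow"
    return result


# Constructed samples (not real attachments).
BENIGN = """<html><body><h1>Invoice 1234</h1>
<script>document.getElementById('total').textContent = 'EUR 120.00';</script></body></html>"""

_ALPHA = STD_ALPHABET[::-1]           # a permuted table
_BLOB = (_ALPHA * 7)[:400]            # stand-in for encoded bytecode (entropy close to 6 bits)
SUSPICIOUS = f"""<html><body><p>New Voice Msg</p><script>
var T="{_ALPHA}";var d="{_BLOB}";
function __krak_throw(e){{throw e}}
new Function(dec(T,d))();</script></body></html>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage(doc))
```

Treat the “block” verdict as the static first pass only: the page's point is that the bytecode is opaque to static rules, so anything that passes this filter but still carries a long literal and a sink belongs in the dynamic-rendering sandbox, and the named artefact strings will change between kit versions.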

3) Phishing‑resistant authentication (FIDO2/WebAuthn) for sensitive accounts

  • Even if the vector is email, FlowerStorm captures OTP/TOTP codes because the victim types them into the relay, which forwards them to the real service in real time. Origin‑bound factors (FIDO2 security keys, passkeys) break that relay: the authenticator signs a challenge bound to the legitimate origin, so a proxy on a look‑alike domain never obtains a usable assertion. Aligns with GDPR Art. 32 and NIS 2 Art. 21.

4) Logging and forensic SIEM

  • Log HTML attachment opens, clicks to suspicious domains, anomalous SSO attempts, suspicious/failed MFA; retain artefacts for evidence and post‑mortem.
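Added example of the correlation a SIEM can run over those logs (not Luxgap's playbook): IOC and TTP matching on proxied hostnames, then a rule that ties an .html lure, a visit to a matched host and a successful MFA sign‑in from outside the corporate egress into one alert carrying the artefacts to preserve for SERIMA. The three IOC domains are the ones quoted from the Sublime report; the log records, users, IP addresses, egress set and 60‑minute window are constructed assumptions.

```python
"""SOC correlation over gateway, proxy and IdP logs for an AiTM phishing chain.
Added example; records, addresses and thresholds are constructed assumptions."""
import re
from datetime import datetime, timedelta
from typing import Optional

# IOC domains as quoted from the Sublime report (defanged).
IOC_DOMAINS = [
    "2067612207-1317754460.cos.eu-frankfurt.myqcloud[.]com",
    "iphgo.office0utloot356comonauth[.]line",
    "ableg.docufiled[.]com",
]
# TTP heuristic for the "abnormal numbering": COS hostnames have the form
# <bucket>-<appid>.cos.<region>.myqcloud.com and the kit's buckets were all digits.
# A pattern hit is an alert for review, not an auto-block: myqcloud.com also
# serves legitimate buckets.
NUMERIC_COS = re.compile(r"^\d+-\d+\.cos\.[a-z0-9-]+\.myqcloud\.com$")
KNOWN_EGRESS = {"203.0.113.4"}   # assumption: the organisation's own public IPs
WINDOW = timedelta(minutes=60)   # assumption: max lure-to-hijack latency


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").lower()


IOC_HOSTS = {refang(d) for d in IOC_DOMAINS}


def classify_host(host: str) -> Optional[str]:
    """'ioc' for a listed domain, 'ttp' for the numeric-bucket pattern, else None."""
    h = host.lower().rstrip(".")
    if h in IOC_HOSTS:
        return "ioc"
    if NUMERIC_COS.match(h):
        return "ttp"
    return None


def correlate(events: list) -> list:
    """Per user: visit to an IOC/TTP host followed, within WINDOW, by a successful
    MFA sign-in from an IP outside the corporate egress (the relay replaying the
    stolen session). Any .html attachment delivered in the hour before the visit
    is attached as the probable lure."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, hit in enumerate(evs):
            if hit["src"] != "proxy":
                continue
            match = classify_host(hit["host"])
            if match is None:
                continue
            lures = [e["msgid"] for e in evs[:i]
                     if e["src"] == "gateway" and e["attachment"].lower().endswith(".html")
                     and hit["ts"] - e["ts"] <= WINDOW]
            for later in evs[i + 1:]:
                if later["ts"] - hit["ts"] > WINDOW:
                    break
                if (later["src"] == "idp" and later["result"] == "success"
                        and later["mfa"] == "success" and later["ip"] not in KNOWN_EGRESS):
                    alerts.append({
                        "user": user, "match": match, "host": hit["host"],
                        "signin_ip": later["ip"], "lure_msgids": lures,
                        # what to preserve for the 24h/72h notification
                        "artefacts": {"proxy_ts": hit["ts"].isoformat(),
                                      "signin_ts": later["ts"].isoformat(),
                                      "client": hit["client"]},
                    })
    return alerts


def T(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed log records (not real telemetry), already normalised by the SIEM.
EVENTS = [
    {"src": "gateway", "ts": T("2026-05-14T08:02:11Z"), "user": "alice@example.com",
     "msgid": "<a1@mail.example>", "attachment": "New_Voice_Msg.html"},
    {"src": "proxy", "ts": T("2026-05-14T08:05:40Z"), "user": "alice@example.com",
     "client": "10.0.0.21", "host": "2067612207-1317754460.cos.eu-frankfurt.myqcloud.com"},
    {"src": "idp", "ts": T("2026-05-14T08:07:03Z"), "user": "alice@example.com",
     "ip": "198.51.100.23", "mfa": "success", "result": "success"},
    {"src": "idp", "ts": T("2026-05-14T09:30:00Z"), "user": "bob@example.com",
     "ip": "203.0.113.4", "mfa": "success", "result": "success"},
    {"src": "proxy", "ts": T("2026-05-14T09:31:00Z"), "user": "bob@example.com",
     "client": "10.0.0.33", "host": "static-site-1250000000.cos.ap-singapore.myqcloud.com"},
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The sign‑in‑from‑outside‑egress condition is what separates a user who merely opened the page from one whose session was replayed; on a real estate the egress set comes from the network inventory and the IdP event should also carry the session or token identifier so that the revocation step can target it directly.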

How Luxgap delivers

Our 24/7 managed SOC for incident detection integrates your email gateway, EDR/XDR, and reverse proxy. We correlate “obfuscated HTML/JS + non‑standard Base64 alphabets + ‘voicemail’ emails” with public IOCs (e.g., the numbered myqcloud[.]com subdomains listed by Sublime). On alert, we open a ticket, isolate the compromised mailbox, revoke sessions/tokens, and prepare the SERIMA template (24h/72h steps).

Our dark web monitoring covers 12+ sources (forums, pastes, Telegram channels) to detect reuse of FlowerStorm domains/infrastructure and map artefacts to your look‑alike domains for preventive blocking.

Our ISO 27001 governance frames the email policy (block .html attachments, disable “data:” anchors, QR/“quishing”), DMARC to “quarantine/reject” with monitoring, NIS 2 notification procedure (who does what at H+4/H+24/H+72), and audit evidence.

Three‑week rollout

  • T0–T7: harden the gateway (HTML/JS policies, sandbox, URL rewriting), deploy DMARC “quarantine,” SOC playbooks “FlowerStorm/KrakVM” + IOCs.
  • T8–T14: detection tests (benign campaigns), switch DMARC to “reject,” integrate SERIMA (notification template).
  • T15–T21: review MFA for sensitive accounts (FIDO2 for admins/privileged), 90‑min response drills with CISO/DPO (ILR notification, GDPR breach alignment). To strengthen the human layer, schedule awareness and simulated phishing.

Real‑world case in Luxembourg/EU

An “important” NIS 2 IT services firm (125 staff, EU B2B) faced multiple “New Voice Msg” emails with .html attachments. In six weeks we:

  • Systematically blocked .html attachments containing non‑standard Base64 alphabets and suspicious document.write() calls;
  • Migrated DMARC from “none” to “reject” with DKIM tuning across four third‑party sending domains;
  • Deployed IOC blocking on gateway/proxy (e.g., patterns *.cos.*.myqcloud.com with abnormal numbering) and a SOC playbook for mailbox purge and MFA reset;
  • Documented a SERIMA procedure: early warning at H+12, notification at H+60 (≤72h), artefact collection (email headers, attachment hashes, access logs). Outcome: one successful attempt spotted on D+0, contained by H+3, no proven exfiltration, no GDPR notification required; demonstrable NIS 2 compliance.

Immediate next steps

  • Block .html attachments at the gateway except a controlled allow‑list; enable dynamic rendering analysis for obfuscated JavaScript (entropy, VM bytecode, custom functions like “__krak_throw”).
  • Set DMARC to “quarantine” within 7 days and “reject” within 30; monitor aggregate reports to spot domain spoofing.
  • Feed FlowerStorm IOCs (sample above) into your controls and automate refresh; add TTP rules (HTML attachment + non‑standard Base64 alphabet + “voicemail/invoice” theme).
  • Harden privileged accounts with FIDO2/WebAuthn; disallow phishable factors (SMS, voice, TOTP, push approval) on these accounts.
  • Draft the “NIS 2 Art. 23” playbook: who triggers ILR early warning within 24h, who completes the 72h notification, which logs/artefacts to attach, and how to coordinate with potential GDPR notification.

Need hands‑on support? Reach out via the Luxgap contact page.
