
Lumma Malware: What It Is, Why It Matters, and How It’s Testing Microsoft’s Security Edge

  • Between March and May 2025, Lumma Stealer infected more than 394,000 Windows systems globally, with Microsoft identifying this surge as part of a significant security concern across its platforms.
  • The FBI estimates that LummaC2 has been used in over 1.7 million cases to steal credentials and financial data, contributing to £28 million in credit card fraud. UK businesses remain a key target, especially within small-to-mid-sized enterprises and digital-first brands.

What Is Lumma Malware?

Lumma is classified as an info-stealer. That means it isn’t designed to take over systems or lock files. Its job is to collect data and send it elsewhere.

Originally appearing in dark web markets around late 2022, Lumma has grown rapidly thanks to its malware-as-a-service model. For as little as £192 ($250) a month, cybercriminals can subscribe to its features, receive updates, and distribute payloads through their phishing campaigns.

That model makes it incredibly accessible. And that accessibility has turned Lumma into one of the most reported info-stealers in 2024.

The malware targets browsers first. That includes Chrome, Edge, Firefox, and others. It looks for:

  • Stored passwords
  • Autofill form data
  • Saved credit card numbers
  • Active session cookies
  • Login tokens
  • Local files containing API keys, credentials, or wallet addresses

Why It Matters to Microsoft Users

If you’re using Microsoft Edge, logging into Microsoft 365, or accessing Teams, Outlook, or SharePoint through a browser, you might be leaving behind session data that Lumma can collect.

Lumma doesn’t hack into Microsoft itself. But it makes Microsoft accounts vulnerable by targeting what happens around them—browser sessions, cookie tokens, and saved passwords.

A compromised Microsoft login can be used to access:

  • Business email accounts
  • Admin dashboards
  • Cloud files via OneDrive
  • Internal calendars and contacts
  • Shared documents with edit rights

Microsoft has acknowledged the broader rise in session hijacking and credential theft attacks, issuing updated guidance for token refresh protocols and browser session handling.

Real-World Impact

In March 2024, security analysts at Resecurity and CloudSEK flagged multiple Lumma infections involving Microsoft 365 credentials.

In one case, a midsized marketing agency in London saw several employee accounts compromised within minutes of a phishing email being opened. Attackers gained access to Outlook and Teams, used internal communications to trick other staff, and pivoted toward SharePoint to exfiltrate client data.

None of the devices were technically infected with a virus in the traditional sense. The attack was silent, conducted entirely through stolen tokens.

How Does Lumma Spread?

Lumma usually arrives through fake attachments or links that lead to installer files. These may look like:

  • Invoices in PDF format
  • CVs or RFPs in DOC format
  • Browser update prompts
  • Software cracks or utilities shared via cloud links

The user clicks. The file opens. Nothing happens visibly. But in the background, a script runs. It starts collecting data. And it sends that data to a remote command-and-control panel.

That panel lets the attacker filter information—by location, by browser, and by credentials—and download what they want.

Why Is It Spreading So Fast?

Three reasons:

  1. Low cost: Criminals can access Lumma’s infrastructure for a fraction of what more advanced malware costs.
  2. High return: Even one set of Microsoft admin credentials can unlock thousands of pounds’ worth of data.
  3. Hard to detect: Many antivirus tools only catch Lumma after it has already delivered its payload.

It’s not a question of technical sophistication. It’s a numbers game.

What Makes It Unique?

Lumma isn’t alone. Info-stealers like RedLine and Raccoon operate in similar ways.

But Lumma evolves faster. Its updates roll out weekly. Its file packing methods change frequently. And its community of users trades tactics actively.

Security researchers have reported that Lumma can:

  • Circumvent some endpoint detection systems
  • Extract Microsoft session tokens without needing a password
  • Package stolen data in encrypted ZIP files

How to Know If You’ve Been Affected

You won’t get a pop-up or warning from Microsoft.

But you might notice:

  • A password reset notification you didn’t request
  • Your 2FA app lighting up without a prompt
  • New login notifications from locations you haven’t visited
  • Locked accounts or unusual file sharing activity

These can signal that your Microsoft credentials—or your session—have been compromised.

What Should You Do?

If you manage a team, oversee brand accounts, or use Microsoft tools daily, take these steps:

  • Clear browser data regularly
  • Avoid saving credentials in browsers
  • Use a password manager with breach monitoring
  • Enable two-factor authentication on all logins
  • Monitor sign-in activity in your Microsoft account dashboard

For IT teams:

  • Disable browser-based login persistence for admin accounts
  • Set short session lifetimes for shared services
  • Use cloud app security policies to flag suspicious logins
  • Roll out email gateway filters that can spot obfuscated attachments
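The warning signs listed under “How to Know If You’ve Been Affected” (sign-ins from places you haven’t visited, a 2FA app lighting up on its own) and the IT-team advice above (monitor sign-in activity, flag suspicious logins) can be turned into simple detection rules. The script below is an added example written for this article; it is not code from the article, from Microsoft, or from any product. The log format, field names and baseline of “known countries” are constructed assumptions for illustration, not the schema of a real Microsoft sign-in log. It reads newline-delimited JSON sign-in events and raises an alert when a user appears from a country outside their baseline, when two sign-ins from different countries land inside a short travel window, or when an existing session identifier reappears from a new IP address without an MFA prompt, which is what a replayed, stolen session cookie or token looks like in sign-in data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events for this example. The field names are an
# assumption for illustration, not the schema of any real Microsoft sign-in log.
SAMPLE_LOG = """
{"ts": "2025-04-01T08:02:11Z", "user": "alice@example.co.uk", "ip": "198.51.100.10", "country": "GB", "session": "sess-a1", "mfa": true}
{"ts": "2025-04-01T08:20:45Z", "user": "alice@example.co.uk", "ip": "203.0.113.77", "country": "NL", "session": "sess-a1", "mfa": false}
{"ts": "2025-04-01T09:15:00Z", "user": "bob@example.co.uk", "ip": "198.51.100.22", "country": "GB", "session": "sess-b1", "mfa": true}
{"ts": "2025-04-01T09:40:30Z", "user": "bob@example.co.uk", "ip": "198.51.100.22", "country": "GB", "session": "sess-b1", "mfa": true}
{"ts": "2025-04-01T10:05:00Z", "user": "carol@example.co.uk", "ip": "192.0.2.9", "country": "US", "session": "sess-c1", "mfa": true}
"""

# Assumed baseline of where each user normally signs in from (in practice this
# would be built from weeks of past sign-in activity).
KNOWN_COUNTRIES = {
    "alice@example.co.uk": {"GB"},
    "bob@example.co.uk": {"GB"},
    "carol@example.co.uk": {"GB"},
}

# Two sign-ins from different countries closer together than this are suspicious.
TRAVEL_WINDOW = timedelta(hours=2)


def parse_log(text):
    """Parse newline-delimited JSON sign-in events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_countries=KNOWN_COUNTRIES, travel_window=TRAVEL_WINDOW):
    """Run three rules over the sign-in events and return a list of alerts.

    new_country       - sign-in from a country outside the user's baseline
    session_reuse     - a session id already seen from one IP reappears from a
                        different IP with no MFA prompt (token/cookie replay)
    impossible_travel - consecutive sign-ins from different countries inside
                        travel_window
    """
    alerts = []
    session_origin = {}   # session id -> (ip, country) where it was first seen
    last_seen = {}        # user -> (ts, country) of that user's previous sign-in

    for ev in events:
        user, country, ip, ts = ev["user"], ev["country"], ev["ip"], ev["ts"]

        if country not in known_countries.get(user, set()):
            alerts.append({"rule": "new_country", "user": user, "ts": ts.isoformat(),
                           "detail": f"sign-in from {country} ({ip}) outside baseline"})

        origin_ip, origin_country = session_origin.setdefault(ev["session"], (ip, country))
        if origin_ip != ip and not ev["mfa"]:
            alerts.append({"rule": "session_reuse", "user": user, "ts": ts.isoformat(),
                           "detail": (f"session {ev['session']} first seen from {origin_ip} "
                                      f"({origin_country}), now {ip} ({country}) with no MFA")})

        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] <= travel_window:
            alerts.append({"rule": "impossible_travel", "user": user, "ts": ts.isoformat(),
                           "detail": f"{prev[1]} -> {country} in {ts - prev[0]}"})
        last_seen[user] = (ts, country)

    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"[{alert['rule']}] {alert['user']} at {alert['ts']}: {alert['detail']}")
```

On the constructed sample, Bob’s two sign-ins are clean, Carol trips only the baseline rule, and Alice’s second sign-in trips all three: her existing session reappears from a Dutch IP eighteen minutes after a London sign-in, with no MFA challenge. That last combination is the one worth paging on, because a stolen session does not need the password or the second factor, so a password reset alone will not close it; revoking the session (token revocation, as the article recommends) is what actually ends the attacker’s access.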

The Microsoft Angle

Microsoft has not been breached directly by Lumma. But its services are frequently abused in the attack chain.

That includes:

  • Fake Microsoft login pages used for phishing
  • Credential stuffing using previously stolen Microsoft logins
  • Use of real Microsoft products to host malicious documents (e.g., OneDrive, SharePoint)

The company has urged enterprise users to adopt conditional access rules and token revocation best practices.

Microsoft Defender has also updated definitions to detect Lumma’s most recent variants.

UK-Specific Risk Factors

In the UK, brands operating on hybrid teams are at particular risk.

Employees may be logging in from personal devices, shared networks, or outdated browsers.

According to the National Cyber Security Centre (NCSC), 67% of UK-based SMEs do not use centralised password managers. Many rely on browser-saved logins for convenience.

That’s exactly the type of environment where Lumma thrives.

What You Need to Watch Next

  • Token theft as a trend: Info-stealers are no longer about passwords. They’re about hijacking sessions.
  • Browser memory scraping: Some Lumma variants now scan browser RAM directly.
  • Credential marketplaces: Stolen Microsoft logins are turning up on underground markets within hours.

If your brand relies on cloud services, these are not distant risks. They are everyday realities.

Final Thought

Lumma doesn’t knock loudly. It slips in.

It rides on your convenience—the saved password, the remembered login, the one-time browser session.

And for brands that rely on Microsoft systems, that subtlety is precisely what makes it dangerous.

Your security is only as strong as your least protected credential. Now might be a good time to check where yours are saved.

Global Brands Magazine is a leading brands magazine providing opinions and news related to various brands across the world. The company is headquartered in the United Kingdom. A fully autonomous branding magazine, Global Brands Magazine represents an astute source of information from across industries. The magazine provides the reader with up-to-date news, reviews, opinions and polls on leading brands across the globe.


Copyright - Global Brands Publications Limited © 2025. Global Brands Publications is not responsible for the content of external sites.