Storm-1167
0 incidents
0 countries
0 sectors
apt ID Latest: -
Aliases: DEV-1167
Storm-1167 is a threat actor first publicly documented by Microsoft in June 2023, known for orchestrating multi-stage Adversary-in-the-Middle (AiTM) phishing and Business Email Compromise (BEC) campaigns aimed primarily at financial gain. Microsoft's initial tracking treats it as an emerging cluster until higher confidence about its full scope or state sponsorship is reached. The group distinguishes itself through its use of an indirect proxy AiTM phishing kit, which lets it tailor spoofed login pages flexibly and bypass multi-factor authentication (MFA) by capturing session cookies. The group has been observed adding new MFA methods to compromised accounts for persistence and launching large-scale secondary phishing campaigns from victim mailboxes. Storm-1167 is also tracked under the alias DEV-1167.
RansomLook pivots
Data, intelligence and external references for cross-checking the actor's ransomware activity.
Target sectors (SOCRadar)
Finance
Banking
Management, Scientific, and Technical Consulting Services
Computer Systems Design and Related Services