Volexity has reported multiple Russian threat actors conducting social-engineering and spear-phishing campaigns aimed at compromising Microsoft 365 accounts through Device Code Authentication phishing. These campaigns have political themes, targeting various governmental and institutional entities. Users may not recognize the atypical workflow as phishing, leading to successful compromises.
Affected: Microsoft 365, United States Department of State, Ukrainian Ministry of Defence, European Union Parliament
Key points:
- Russian threat actors are using social-engineering and spear-phishing tactics to target Microsoft 365 accounts.
- Attacks primarily utilize Device Code Authentication phishing, which has proven effective due to its atypical user workflow.
- Campaigns have been themed around political contexts, particularly in relation to the new US administration.
- Volexity observes multiple threat actors but links at least one to CozyLarch, associated with APT29.
- Various impersonated entities include the US Department of State and the Ukrainian Ministry of Defence.
MITRE Techniques:
- Social Engineering (T1598) - Threat actors impersonate trusted entities to manipulate individuals into divulging confidential information.
- Phishing (T1566) - Spear-phishing emails are crafted to look legitimate, prompting users to take actions that circumvent security controls.
- Device Code Authentication Phishing (T1548.008) - Attackers guide victims to enter an attacker-generated device code on a legitimate Microsoft login page, granting the attacker unauthorized access to the account.
- Account Compromise (T1078) - Successful phishing leads to unauthorized access to users' Microsoft 365 accounts.
- Exfiltration Over Command and Control Channel (T1041) - Data exfiltration occurs post-compromise via the attacker-controlled sessions.
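A defender-side check for the technique described above, added here as an example and not part of Volexity's report: it reads constructed Microsoft Entra ID sign-in records (field names follow the Entra ID sign-in log schema, in which the authenticationProtocol value "deviceCode" marks the device authorization grant; the records themselves are made up) and flags every device-code sign-in, rating those from a country outside the user's interactive sign-in history as high.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records, one JSON object per line,
# reduced to the fields this check reads (not real log data).
SAMPLE_SIGNIN_LOGS = """
{"userPrincipalName": "a.analyst@example.gov", "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office", "createdDateTime": "2025-02-10T08:01:00Z"}
{"userPrincipalName": "b.officer@example.gov", "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office", "createdDateTime": "2025-02-11T09:00:00Z"}
{"userPrincipalName": "a.analyst@example.gov", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Authentication Broker", "createdDateTime": "2025-02-13T14:22:00Z"}
{"userPrincipalName": "b.officer@example.gov", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Azure CLI", "createdDateTime": "2025-02-13T09:05:00Z"}
{"userPrincipalName": "c.staff@example.gov", "authenticationProtocol": "ropc", "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook", "createdDateTime": "2025-02-13T10:00:00Z"}
"""

def parse_signin_logs(raw):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]

def baseline_countries(records):
    """Countries each user has signed in from via flows other than device code."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            seen[rec["userPrincipalName"]].add(rec["location"]["countryOrRegion"])
    return seen

def find_device_code_signins(records):
    """One alert per device-code sign-in, rated high when the source country is
    outside the user's non-device-code sign-in history (or there is none)."""
    baseline = baseline_countries(records)
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        # A device-code sign-in is unusual for most users, so even a match
        # against the baseline is kept for review, just at lower severity.
        severity = "medium" if country in baseline.get(user, set()) else "high"
        alerts.append({"user": user, "time": rec["createdDateTime"], "ip": rec["ipAddress"],
                       "country": country, "app": rec.get("appDisplayName", ""), "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in find_device_code_signins(parse_signin_logs(SAMPLE_SIGNIN_LOGS)):
        print(f"[{a['severity'].upper()}] {a['user']} device-code sign-in from "
              f"{a['ip']} ({a['country']}) via {a['app']} at {a['time']}")
```

In production the same logic runs over the SigninLogs table exported from Entra ID; the country baseline should be built from a longer window than the one being reviewed.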
Indicators of Compromise: