New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Void Blizzard is a Russia-affiliated threat actor conducting targeted espionage primarily against NATO member states, Ukraine, and critical sectors in Europe and North America using stolen credentials and spear phishing. The group exploits cloud services like Exchange Online and Microsoft Graph to exfiltrate large volumes of emails and files, with recent tactics including man-in-the-middle phishing campaigns using fake Microsoft Entra portals. #VoidBlizzard #LAUNDRYBEAR #Evilginx #MicrosoftEntra

Keypoints

  • Void Blizzard has been active since at least April 2024, targeting organizations aligned with Russian government interests, especially in NATO states and Ukraine.
  • The threat actor primarily uses stolen credentials, likely purchased from criminal markets, and employs password spraying and spear phishing for initial access.
  • In April 2025, Void Blizzard began conducting man-in-the-middle spear phishing campaigns leveraging the Evilginx framework and typosquatted Microsoft Entra authentication portals.
  • Post-compromise activities include abuse of Exchange Online, Microsoft Graph API, and sometimes Microsoft Teams to bulk collect emails, files, and internal communication data.
  • Microsoft recommends hardening identity and authentication, enabling conditional access policies with sign-in risk evaluation, and enforcing multifactor authentication (MFA) to mitigate Void Blizzard activity.
  • Collaboration with partners like AIVD, MIVD, and FBI has enhanced investigation and detection of Void Blizzard operations.
  • Microsoft Defender XDR and Microsoft Sentinel provide detection capabilities and hunting queries for identifying Void Blizzard-related phishing and credential theft incidents.

MITRE Techniques

  • [T1110] Brute Force – Void Blizzard uses password spray and stolen credentials to gain initial access. (“Their operations predominately leverage unsophisticated techniques for initial access such as password spray and using stolen authentication credentials.”)
  • [T1566.001] Phishing: Spearphishing Attachment – The threat actor sent emails with a malicious PDF containing a QR code leading to credential phishing infrastructure. (“The attachment contained a malicious QR code that redirected to Void Blizzard infrastructure…”)
  • [T1556.001] Man-in-the-Middle – Using the Evilginx framework, Void Blizzard performs adversary-in-the-middle attacks to steal login credentials and session cookies. (“We assess that Void Blizzard is using the open-source attack framework Evilginx to conduct the AitM phishing campaign…”)
  • [T1560] Archive Collected Data – Bulk collection of emails and files via cloud APIs like Exchange Online and Microsoft Graph. (“Likely automates the bulk collection of cloud-hosted data…”)
  • [T1078] Valid Accounts – Use of legitimately stolen or purchased credentials to access cloud services. (“They often use stolen sign-in details that they likely buy from online marketplaces to gain access…”)
  • [T1086] PowerShell – Use of AzureHound tool to enumerate Azure AD configurations. (“Enumerated the compromised organization’s Microsoft Entra ID configuration using the publicly available AzureHound tool…”)

Indicators of Compromise

  • [Domain] Phishing infrastructure and typosquatted domains – micsrosoftonline[.]com, ebsumrnit[.]eu
  • [File Hash] None explicitly listed; the credential theft is attributed to commodity infostealers rather than to specific named samples
  • [Email Subject Keywords] Common phishing email keywords – account, alert, bank, billing, card, change, confirmation, login, password, mfa, authorize, authenticate, payment, urgent, verify, blocked
  • [Tool] AzureHound – Used for tenant enumeration and reconnaissance on compromised Microsoft Entra ID environments
  • [Platform] Microsoft Entra authentication portal spoofed – phishing target for credential theft
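As an added example (not Microsoft's code or a hunting query from the post), the following Python flags the two signals the summary calls out: hostnames that imitate a Microsoft Entra sign-in portal by a small edit distance, and phishing subjects that hit the keyword list above. The legitimate-host allowlist and the sample events are assumptions constructed for this example; the first host is the defanged domain quoted on the page.

```python
import re

# Assumed allowlist of legitimate Microsoft Entra sign-in hosts (example only).
LEGIT_HOSTS = ("login.microsoftonline.com", "login.microsoft.com", "microsoftonline.com")

# Subject keywords from the hunting guidance summarised on the page.
SUBJECT_KEYWORDS = ("account", "alert", "bank", "billing", "card", "change", "confirmation",
                    "login", "password", "mfa", "authorize", "authenticate", "payment",
                    "urgent", "verify", "blocked")

def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def refang(host: str) -> str:
    """Turn a defanged indicator like micsrosoftonline[.]com back into a hostname."""
    return host.lower().strip().replace("[.]", ".").replace("(.)", ".")

def lookalike_of(host: str, legit=LEGIT_HOSTS, max_distance: int = 2):
    """Return the legitimate host this one imitates, or None.
    Exact matches and genuine subdomains of an allowlisted host are not lookalikes."""
    host = refang(host)
    if any(host == good or host.endswith("." + good) for good in legit):
        return None
    best = min(legit, key=lambda good: levenshtein(host, good))
    return best if levenshtein(host, best) <= max_distance else None

def subject_hits(subject: str):
    """Keywords from the list that appear as whole words in the subject."""
    words = set(re.findall(r"[a-z]+", subject.lower()))
    return sorted(w for w in SUBJECT_KEYWORDS if w in words)

def triage(events):
    """Flag events whose host imitates an Entra portal or whose subject hits the keyword list."""
    flagged = []
    for ev in events:
        target, hits = lookalike_of(ev["host"]), subject_hits(ev.get("subject", ""))
        if target or hits:
            flagged.append({"id": ev["id"], "imitates": target, "keywords": hits})
    return flagged

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "host": "micsrosoftonline[.]com", "subject": "Urgent: verify your account password"},
    {"id": 2, "host": "login.microsoftonline.com", "subject": "Weekly engineering sync"},
    {"id": 3, "host": "ebsumrnit[.]eu", "subject": "Summit registration confirmation"},
]
```

Edit distance alone does not catch a legitimate hostname used as a subdomain of an attacker domain, so pair this with a check that the registrable domain itself is allowlisted.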


Read more: https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/