Researchers disrupted an operation by the Russian threat group Midnight Blizzard, also known as APT29, targeting Microsoft 365 accounts through sophisticated watering hole campaigns. The attack involved malicious redirects mimicking Cloudflare sites to trick users into authenticating attacker-controlled devices. #MidnightBlizzard #APT29 #Microsoft365 #WateringHole
Keypoints
- The threat group APT29, linked to Russiaβs SVR, conducted a campaign targeting Microsoft 365 data.
- They compromised legitimate websites and used obfuscated code for malicious redirects.
- The attack involved fake Cloudflare pages directing victims to malicious device authentication flows.
- Amazon, Cloudflare, and Microsoft collaborated to disrupt the malicious infrastructure.
- Refinements in APT29βs tactics include moving away from impersonating AWS and bypassing MFA.