Researchers have disrupted an operation attributed to the Russian state-sponsored threat group Midnight Blizzard, which sought access to Microsoft 365 accounts and data.
Also known as APT29, the hacker group compromised websites in a watering hole campaign to redirect selected targets "to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow."
The Midnight Blizzard threat actor has been linked to Russia’s Foreign Intelligence Service (SVR) and is well-known for its clever phishing methods that recently impacted European embassies, Hewlett Packard Enterprise, and TeamViewer.
Random target selection
Amazon’s threat intelligence team discovered the domain names used in the watering hole campaign after creating an analytic for APT29's infrastructure.
An investigation revealed that the hackers had compromised multiple legitimate websites and obfuscated malicious code using base64 encoding.
By using randomization, APT29 redirected roughly 10% of the compromised websites' visitors to domains that mimic Cloudflare verification pages, like findcloudflare[.]com or cloudflare[.]redirectpartners[.]com.
As Amazon explains in a report on the recent action, the threat actors used a cookies-based system to prevent the same user from being redirected multiple times, reducing suspicion.
Victims that landed on the fake Cloudflare pages were guided to a malicious Microsoft device code authentication flow, in an attempt to trick them into authorizing attacker-controlled devices.
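Because the injected code is base64-encoded and only fires for about one visitor in ten, and only once per browser thanks to the cookie check, simply loading a site in a browser is an unreliable way to tell whether it has been compromised. The following Python script is an added example (not Amazon's tooling and not code from the article) that inspects served HTML statically: it decodes base64 blobs found inside inline script tags and flags any that contain a browser redirect to a host outside the site's own. The sample HTML, the site hostname and the benign config blob are constructed for the example; the lure domain is the one the article cites, kept in defanged form, which the host matcher tolerates.

```python
import base64
import re

# Constructed injected payload: a base64-wrapped redirect to the lure domain
# reported in the article (defanged). The real campaign gated the redirect
# behind a random check and a cookie, which is why static inspection of the
# served HTML is more reliable than visiting the site.
INJECTED_JS = "location.href='https://findcloudflare[.]com/';"
INJECTED_B64 = base64.b64encode(INJECTED_JS.encode()).decode()

# Constructed benign blob: a base64-encoded JSON config, which must not be flagged.
BENIGN_B64 = base64.b64encode(
    b'{"theme":"dark","lang":"en","features":["search","comments"]}'
).decode()

# Constructed page of a (hypothetical) compromised site. The injected script is
# the last one in the head; the others are ordinary.
SAMPLE_HTML = f"""<html><head><title>Example site</title>
<script src="/static/app.js"></script>
<script>var cfg=JSON.parse(atob("{BENIGN_B64}"));</script>
<script>var p=atob("{INJECTED_B64}");eval(p);</script>
</head><body><p>hello</p></body></html>"""

# Constructed clean page for comparison.
CLEAN_HTML = f"""<html><head><script>var cfg=JSON.parse(atob("{BENIGN_B64}"));</script>
</head><body><p>hello</p></body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Base64 runs of 40+ characters; shorter runs are too often ordinary identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Hostnames in URLs, accepting the defanged "[.]" separator as well as ".".
HOST_RE = re.compile(r"https?://([a-z0-9\-]+(?:(?:\.|\[\.\])[a-z0-9\-]+)+)", re.I)
# Assignments to location / location.href, or location.replace()/assign().
REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(", re.I
)


def decode_blobs(script):
    """Return every base64 run in `script` that decodes to valid UTF-8 text."""
    decoded = []
    for m in B64_RE.finditer(script):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or binary data such as an image
        decoded.append(text)
    return decoded


def find_injected_redirects(html, own_hosts):
    """Flag inline scripts whose decoded base64 payload redirects off-site.

    `own_hosts` is the set of hostnames the site legitimately sends users to.
    Returns a list of findings with the script index, the foreign hosts and
    the decoded payload so an analyst can review it.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    for idx, script in enumerate(SCRIPT_RE.findall(html)):
        for payload in decode_blobs(script):
            hosts = {h.replace("[.]", ".").lower() for h in HOST_RE.findall(payload)}
            foreign = sorted(h for h in hosts if h not in own)
            if foreign and REDIRECT_RE.search(payload):
                findings.append({"script_index": idx, "hosts": foreign, "decoded": payload})
    return findings


if __name__ == "__main__":
    for f in find_injected_redirects(SAMPLE_HTML, {"www.example-site.test"}):
        print(f"script #{f['script_index']} redirects to {f['hosts']}: {f['decoded']}")
```

Run it against the HTML your server actually returns (for example, a fetch from a host that is not in the attacker's cookie cache) rather than against the files in the deployment repository; an injection into the web server or a CDN layer will only show up in the served response. The 40-character threshold and the redirect regex are deliberately simple; in practice you would also unwrap nested `atob`/`eval` layers and compare each page against a known-good copy.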
Amazon notes that once the campaign was discovered, its researchers isolated the EC2 instances the threat actor used and partnered with Cloudflare and Microsoft to disrupt the identified domains.
The researchers observed that APT29 tried to move its infrastructure to another cloud provider and registered new domain names (e.g. cloudflare[.]redirectpartners[.]com).
CJ Moses, Amazon's Chief Information Security Officer, says that the researchers continued to track the threat actor's movement and disrupted the effort.
Amazon underlines that this latest campaign reflects an evolution for APT29 for the same purpose of collecting credentials and intelligence.
However, there are "refinements to their technical approach," which no longer rely on domains that impersonate AWS or social engineering attempts to bypass multi-factor authentication (MFA) by tricking targets into creating app-specific passwords.
Users are advised to verify device authorization requests, enable multi-factor authentication (MFA), and avoid executing commands on their system that are copied from webpages.
Administrators should consider disabling unnecessary device authorization flows where possible, enforcing conditional access policies, and closely monitoring for suspicious authentication events.
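The device code flow leaves a distinct trace in Microsoft Entra sign-in logs: the sign-in record's `authenticationProtocol` field is `deviceCode`. The following Python script is an added example (not from the article and not Amazon's or Microsoft's code) of the monitoring the article recommends: it builds a per-user baseline of IP addresses and client applications from ordinary successful sign-ins, then scores every successful device-code sign-in by how far it departs from that baseline. The sign-in records, user names, IP addresses and app names are constructed; the field names follow the Entra sign-in log schema, but the log is invented for the example.

```python
from collections import defaultdict

# Constructed sign-in records in the shape of Entra ID sign-in log entries.
# `status.errorCode` 0 is a successful sign-in; 50126 is an invalid-credential
# failure. All users, addresses and timestamps are made up for the example.
SIGN_INS = [
    {"createdDateTime": "2025-08-01T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-08-05T09:15:40Z", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-08-06T10:00:00Z", "userPrincipalName": "bob@contoso.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    # Bob routinely uses the Azure CLI from his usual address: expected device-code use.
    {"createdDateTime": "2025-08-21T09:10:00Z", "userPrincipalName": "bob@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    # Alice has never used this client or this address: the pattern a lure produces.
    {"createdDateTime": "2025-08-20T14:31:05Z", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    # A failed device-code attempt never granted anything and is not scored here.
    {"createdDateTime": "2025-08-22T11:00:00Z", "userPrincipalName": "carol@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.78",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 50126}},
]


def succeeded(record):
    return record["status"]["errorCode"] == 0


def build_baseline(records):
    """Per-user sets of IPs and apps seen in successful non-device-code sign-ins.

    In production restrict this to a window (for example the 30 days before the
    event being scored) so a stale baseline does not mask a new pattern.
    """
    baseline = defaultdict(lambda: {"ips": set(), "apps": set()})
    for r in records:
        if not succeeded(r) or r["authenticationProtocol"] == "deviceCode":
            continue
        entry = baseline[r["userPrincipalName"]]
        entry["ips"].add(r["ipAddress"])
        entry["apps"].add(r["appDisplayName"])
    return baseline


def flag_device_code_signins(records, baseline):
    """Return one alert per successful device-code sign-in, with a severity.

    high   : both the source IP and the client app are new for this user
    medium : one of the two is new
    low    : the user has used this app from this address before
    """
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or not succeeded(r):
            continue
        known = baseline.get(r["userPrincipalName"], {"ips": set(), "apps": set()})
        new_ip = r["ipAddress"] not in known["ips"]
        new_app = r["appDisplayName"] not in known["apps"]
        severity = "high" if (new_ip and new_app) else "medium" if (new_ip or new_app) else "low"
        alerts.append({
            "user": r["userPrincipalName"], "time": r["createdDateTime"],
            "ip": r["ipAddress"], "app": r["appDisplayName"],
            "new_ip": new_ip, "new_app": new_app, "severity": severity,
        })
    return sorted(alerts, key=lambda a: ("high", "medium", "low").index(a["severity"]))


if __name__ == "__main__":
    for a in flag_device_code_signins(SIGN_INS, build_baseline(SIGN_INS)):
        print(f"[{a['severity']:6}] {a['time']} {a['user']} {a['app']} from {a['ip']}")
```

A high-severity alert is a good trigger for revoking the user's refresh tokens and reviewing the device registered in that session. Where device code flow is not needed at all, blocking it outright with Conditional Access removes the class of alert entirely; where it is needed for a few administrators or CLI users, scope the block to everyone else and keep this kind of baseline check for the exceptions.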
Amazon emphasized that this APT29 campaign did not compromise its infrastructure or impact its services.
Original Article Published at Bleeping Computer