Amazon Thwarts Russian APT29 Attack on Microsoft 365

02.09.2025 2 minutes Author: Newsman

Amazon researchers have blocked a campaign by Midnight Blizzard (APT29), a group affiliated with the Russian Foreign Intelligence Service, that targeted Microsoft 365 accounts. The attackers used compromised websites and fake Cloudflare pages to trick victims into authorizing devices controlled by the attackers.

Amazon Threat Intelligence experts found that APT29 had compromised a number of legitimate websites and injected malicious JavaScript encoded in base64. Approximately 10% of visitors to these pages were redirected to fake domains such as *findcloudflare[.]com*.

JavaScript that redirects to domains controlled by the attacker

These phishing pages walked users through the Microsoft Device Code Authentication procedure, but for the attackers’ benefit: the victim entered a code generated by the attackers, so the resulting access was granted to a device the attackers controlled. A cookie set on the first visit ensured that the same victim was not redirected again, reducing the chance of raising suspicion.

  • Amazon, Microsoft, and Cloudflare were able to isolate the EC2 servers used by the group and take down the identified domains. Despite this, APT29 attempted to migrate its infrastructure to other cloud services and register new domains.

  • APT29 (also known as Midnight Blizzard) is one of the most dangerous cyber groups operating on behalf of Russian intelligence. It is known for its sophisticated phishing techniques and attacks on government agencies and companies, including Hewlett Packard Enterprise, TeamViewer, and European embassies.

The current campaign demonstrates an evolution in tactics: the attackers are no longer masquerading as AWS or attempting to bypass MFA through app-specific passwords, but are instead looking for new methods of harvesting data and credentials.

Fake Cloudflare verification page

Despite the rapid response from Amazon and its partners, APT29’s activities indicate a continued improvement in Russian cyber operations. Experts advise users to scrutinize every device authorization request, use multi-factor authentication, and avoid copying commands from untrusted websites. Administrators are advised to implement conditional access policies and disable authorization mechanisms they do not need.
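One way an administrator can act on the advice above is to review sign-ins that used the device code flow described earlier and flag the ones that look out of place. The following added example (not from the article, Amazon or Microsoft) does that over constructed sign-in records whose field names are modelled loosely on Microsoft Entra sign-in logs; the records, the per-user IP baseline and the allowlist of apps expected to use device code are all assumptions for the demo.

```python
"""Flag device-code sign-ins that do not match a user's normal activity.

Constructed records; field names (userPrincipalName, ipAddress,
authenticationProtocol, appDisplayName) loosely follow Entra sign-in logs.
"""
import json
from collections import defaultdict

# Constructed sample: a short window of sign-in events for two users.
SAMPLE_LOGS = """
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"}
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "appDisplayName": "Teams"}
{"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"}
{"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"}
{"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22", "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"}
"""

# Assumed allowlist: apps for which device code sign-in is expected
# (headless or CLI tooling). Anything else using the flow is worth a look.
DEVICE_CODE_ALLOWED_APPS = {"Microsoft Azure CLI"}


def parse_logs(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def suspicious_device_code_signins(records, allowed_apps=DEVICE_CODE_ALLOWED_APPS):
    """Return (record, reasons) pairs for device-code sign-ins that either come
    from an IP never seen in the user's other sign-ins or target an app that
    is not expected to use the device code flow."""
    known_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])
    hits = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        reasons = []
        if r["ipAddress"] not in known_ips[r["userPrincipalName"]]:
            reasons.append("ip not seen in user's other sign-ins")
        if r["appDisplayName"] not in allowed_apps:
            reasons.append("app not on device-code allowlist")
        if reasons:
            hits.append((r, reasons))
    return hits


if __name__ == "__main__":
    for rec, why in suspicious_device_code_signins(parse_logs(SAMPLE_LOGS)):
        print(rec["userPrincipalName"], rec["ipAddress"], rec["appDisplayName"], why)
```

Sign-ins flagged on both counts, like the one for alice above, are the ones most worth checking against the user before any token is revoked or a conditional access policy is tightened.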
