NCSC exposes new Russian cyberattack masquerading as Microsoft Outlook

23.07.2025 | Author: Newsman

The UK’s National Cyber Security Centre (NCSC) has announced the deployment of a new malware called AUTHENTIC ANTICS. The malware, developed by the Russian military’s GRU, disguises cyberattacks as legitimate Microsoft Outlook actions and hijacks users’ cloud accounts.

The new malware, associated with APT 28 (aka Fancy Bear, Forest Blizzard or Blue Delta), targets Microsoft services through phishing login windows. These appear periodically in Outlook and look very similar to the usual Microsoft login prompts. This tricks users into entering their real logins and passwords.

The malware intercepts not only this data but also OAuth tokens, which are access keys to services such as OneDrive, SharePoint and Exchange Online. The stolen data is delivered using a fake email sent from the victim’s account, and these emails are not stored in the Sent folder, making the theft much harder to detect.

APT 28 is one of the most notorious Russian intelligence units, linked to numerous attacks on government and infrastructure sites around the world. In this case, the malware developers worked carefully on the disguise, so that the malware appears to be part of the familiar Microsoft user experience.

The NCSC warns that all network connections go through legitimate Microsoft servers, making AUTHENTIC ANTICS virtually invisible to monitoring systems.

British services have not only exposed the attack, but also called for sanctions against Russian spies. They emphasized that intrusion into the personal digital environment of citizens is a red line. Ignoring such threats only paves the way for further violations. AUTHENTIC ANTICS is further proof of how thin the line between user experience and malicious code has become.
