Microsoft warns of Midnight Blizzard spear phishing campaign

The tech giant is notifying users affected by a recently observed campaign, which has targeted more than 100 victim organizations globally so far.

Microsoft warned that a Russian nation-state threat actor known as Midnight Blizzard is conducting an ongoing spear-phishing campaign against a variety of targets including government agencies.

In a blog post published on Tuesday, Microsoft detailed a "large scale spear phishing campaign" it attributed to Midnight Blizzard, the same actor that breached the tech giant earlier this year and was responsible for the notorious supply chain attack against SolarWinds in 2020. Microsoft initially observed the ongoing spear phishing campaign beginning on Oct. 22 and assessed Midnight Blizzard's goal as intelligence gathering.

During the campaign, attackers used legitimate addresses to send emails containing a signed Remote Desktop Protocol (RDP) configuration file to gain initial access to the targets' devices. Microsoft said the campaign represents "a novel access vector" for Midnight Blizzard.

Microsoft warned that targets include government agencies and organizations in higher education and defense. While the campaign has affected organizations in dozens of countries, Microsoft observed increased activity in the U.K., Europe, Australia and Japan.

"The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server," Microsoft wrote in the blog post. "In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees. The threat actor also referenced other cloud providers in the phishing lures."

The social engineering lures were related to AWS and zero trust. Once opened, the malicious RDP files, which Microsoft said are signed with Let's Encrypt certificates, mapped the target device's resources to the attacker-controlled server.

After gaining initial access with the RDP configuration file, Midnight Blizzard actors could then install malware or additional tools, such as remote access Trojans, to maintain access after the RDP session expired. Midnight Blizzard also used the RDP connection to view files and directories on targeted systems, as well as web authentication processes that use Windows Hello, passkeys or security keys.
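The behavior described above comes from the directives inside the .rdp file itself: a plain-text list of `key:type:value` lines in which `full address` names the server and the `*redirect*` settings decide which local resources (drives, clipboard, smart cards, WebAuthn requests) follow the user into the session. The following triage helper is an added example written for this article, not Microsoft's detection logic or the signature it names; it parses an .rdp attachment and flags resource redirection toward a host that is not on an allowlist. The allowlist, the sample lure and the signature value are constructed placeholders.

```python
"""Triage helper for .rdp e-mail attachments (added example, not Microsoft code).

Parses the key:type:value lines of an RDP configuration file and flags the
settings that hand the victim's local resources to the remote host, which is
the mechanism the campaign relies on. Key names are the standard mstsc ones;
the allowlist and sample files are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Settings that redirect local resources into the RDP session. For s: (string)
# keys a non-empty value such as "*" enables them; for i: (integer) keys, 1 does.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn (Windows Hello / FIDO) requests",
    "redirectcomports": "COM ports",
}

# Hosts the organization actually publishes RDP to (constructed placeholder).
ALLOWED_RDP_HOSTS = {"rdp.example-corp.internal"}

# Constructed sample resembling the campaign's lure files: signed, points at an
# outside host, and redirects drives, clipboard, smart cards and WebAuthn.
SAMPLE_LURE = """\
full address:s:rdp-zerotrust-check.example.net:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:0
signscope:s:Full Address,Drives To Redirect
signature:s:AQABAAEAAABCONSTRUCTEDPLACEHOLDERSIGNATURE
"""

# Constructed benign file: approved host, no redirection.
SAMPLE_BENIGN = """\
full address:s:rdp.example-corp.internal
drivestoredirect:s:
redirectclipboard:i:0
"""


@dataclass
class RdpTriage:
    target: Optional[str] = None
    signed: bool = False
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'key:type:value' lines into {key: (type, value)}; skip malformed lines."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # value itself may contain ':' (host:port)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings


def _enabled(typ: str, value: str) -> bool:
    """True when a redirection directive is switched on for its value type."""
    if typ == "i":
        return value.isdigit() and int(value) != 0
    return value not in ("", "0")


def triage_rdp(text: str) -> RdpTriage:
    """Flag an .rdp file that redirects local resources to a non-approved host."""
    settings = parse_rdp(text)
    result = RdpTriage()

    _, addr = settings.get("full address", ("s", ""))
    host = addr.split(":", 1)[0].lower()  # drop the :port suffix if present
    result.target = host or None
    if host and host not in ALLOWED_RDP_HOSTS:
        result.findings.append(f"connects to non-approved host {host}")

    # A signature only shows the file was not altered after signing; it says
    # nothing about the intent of whoever obtained the certificate.
    result.signed = "signature" in settings

    for key, desc in REDIRECTION_KEYS.items():
        if key in settings and _enabled(*settings[key]):
            result.findings.append(f"redirects {desc} to the remote host")
    return result


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        t = triage_rdp(sample)
        print(f"{name}: target={t.target} signed={t.signed} suspicious={t.suspicious}")
        for f in t.findings:
            print("  -", f)
```

Run it as a script or feed `triage_rdp()` the text of a quarantined attachment. The design point is that the signature is deliberately not treated as a trust signal: the campaign's files were validly signed, so detection has to rest on where the file connects and what it redirects, not on whether it verifies.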

Microsoft said Amazon and the Government Computer Emergency Response Team of Ukraine also observed similar activity. CERT-UA published a separate advisory last week that said the campaign may have been ongoing since August.

To protect against the campaign, Microsoft recommended that organizations require MFA, use phishing-resistant authentication methods such as FIDO tokens and harden their Microsoft Office 365 configuration.

"Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails," the blog post read.

Microsoft also said that its Defender Antivirus product "detects at least some of the malicious .RDP files as the following signature: Backdoor:Script/HustleCon.A."

It's unclear how many configuration files have been detected, and why others may have escaped detection. "As outlined in the Detections section of the blog, Microsoft products have both active blocking and alerts for this activity," a Microsoft spokesperson told TechTarget Editorial.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.