Microsoft Threat Intelligence has issued an alert following the detection of a sophisticated spear-phishing campaign orchestrated by the Russian threat actor known as Midnight Blizzard.
Active since 22 October this year, this operation has distributed spear-phishing emails aimed at government agencies, academia, defense organizations, NGOs, and other critical sectors worldwide.
“Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection,” Microsoft said. The company added that its blog post aims to provide context on these external spear-phishing attempts, which use standard attack techniques and do not represent any new compromise of Microsoft.
This latest campaign by Midnight Blizzard features an innovative tactic: the use of signed Remote Desktop Protocol (RDP) configuration files to connect victims’ systems to an attacker-controlled server.
These malicious RDP files are embedded within emails crafted to appear credible by impersonating Microsoft employees and referencing reputable cloud providers. Once opened, the RDP files establish connections that allow attackers to gather sensitive information and potentially install malware on target devices.
According to Microsoft, Midnight Blizzard is consistent and persistent in its operational targeting, and its objectives seldom change. It uses a wide range of initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to move to the cloud laterally, and leveraging service providers’ trust chain to access downstream customers.
“Midnight Blizzard is known to use the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is identified by peer security vendors as APT29, UNC2452, and Cozy Bear,” the company added.
Preventative Measures
Balazs Greksza, Threat Response Lead at Ontinue, commented on the threat’s distinctiveness, noting that: “The thematic is about Security/Device/AWS/Zero Trust configurations, however, this may change relatively rapidly.” Greksza recommended blocking “.rdp” file extensions in email gateways and limiting the execution of such files to mitigate the risk of attack. He also advised that network firewalls should disable inbound and outbound RDP connections as a preventive measure.
The Midnight Blizzard campaign has primarily targeted organizations in the UK, Europe, Australia, and Japan, mirroring the group’s historical focus on diplomatic and governmental entities in these regions. Microsoft has directly notified affected users and supplied guidance on mitigating further exposure.
Exploiting Public Interest
According to Stephen Kowski, Field CTO at SlashNext, the timing of the attack, just ahead of primary elections, reveals its intent to exploit critical infrastructure vulnerabilities and public interest. “These attacks will likely intensify as we approach Election Day,” Kowski noted. He emphasized that entities need advanced phishing protection to detect and block these spear-phishing messages in real time, highlighting the importance of AI-driven detection to handle sophisticated email threats and prevent unauthorized access.
The Midnight Blizzard campaign’s innovative use of signed RDP files has raised the alarm due to the potential for compromised systems to map a range of local resources—such as files, network drives, and authentication features—to the attacker-controlled server. As Microsoft explains, such access would allow the actor to deploy malware across systems seamlessly, enabling persistent access.
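As an added example (not code from Microsoft's advisory or from the article), the scanner below shows the kind of check an email gateway or attachment sandbox can run on an incoming `.rdp` file: it parses the standard Remote Desktop Connection settings, flags the redirection keys that would map local drives, clipboard, smart cards and WebAuthn requests into the remote session, and checks the target host against an organization allow-list. The two sample files and the allow-list domain are constructed for the demo, and the hypothetical `signature` value is a placeholder; a signature is reported but never lowers the verdict, because it proves who produced the file, not that the destination is trustworthy.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# .rdp settings that expose local resources to the remote host after the
# session connects (standard Remote Desktop Connection file keys).
RISKY_SETTINGS = {
    "drivestoredirect": "local drives mapped into the remote session",
    "devicestoredirect": "plug-and-play devices redirected",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers redirected",
    "redirectsmartcards": "smart cards redirected",
    "redirectcomports": "COM ports redirected",
    "redirectwebauthn": "WebAuthn / Windows Hello requests redirected",
    "remoteapplicationmode": "RemoteApp mode (remote host chooses the program)",
}

# Every setting line has the form name:type:value, type being s, i or b.
_SETTING_LINE = re.compile(r"^([^:]+):([sib]):(.*)$")


@dataclass
class RdpVerdict:
    host: str | None            # target taken from 'full address'
    host_allowed: bool          # target on the allow-list?
    signed: bool                # carries signscope + signature lines?
    findings: dict[str, str] = field(default_factory=dict)

    @property
    def block(self) -> bool:
        # Unknown destination or any resource redirection blocks the file.
        return (not self.host_allowed) or bool(self.findings)


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.
    Names are lowercased; lines that do not match are ignored."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        m = _SETTING_LINE.match(raw.strip())
        if m:
            settings[m.group(1).strip().lower()] = (m.group(2), m.group(3).strip())
    return settings


def _enabled(setting: tuple[str, str] | None) -> bool:
    """'i' values are on unless 0; 's' values (e.g. drivestoredirect:s:*)
    are on when non-empty."""
    if setting is None:
        return False
    return setting[1] not in ("", "0")


def _target_host(address: str) -> str | None:
    """Strip an optional :port from 'full address'; handles [ipv6]:port too."""
    address = address.strip().lower()
    if not address:
        return None
    if address.startswith("[") and "]" in address:
        return address[1:address.find("]")]
    return address.rsplit(":", 1)[0] if address.count(":") == 1 else address


def host_is_allowed(host: str | None, allowed: set[str]) -> bool:
    """Exact match or sub-domain of an allow-listed name."""
    if host is None:
        return False
    return any(host == a or host.endswith("." + a) for a in map(str.lower, allowed))


def assess_rdp(text: str, allowed_hosts: set[str]) -> RdpVerdict:
    s = parse_rdp(text)
    host = _target_host(s.get("full address", ("s", ""))[1])
    signed = _enabled(s.get("signature")) and _enabled(s.get("signscope"))
    verdict = RdpVerdict(host, host_is_allowed(host, allowed_hosts), signed)
    for name, desc in RISKY_SETTINGS.items():
        if _enabled(s.get(name)):
            verdict.findings[name] = f"{desc} ({name}={s[name][1]})"
    return verdict


# Constructed sample resembling a lure attachment: external target,
# drives/clipboard/smart cards/WebAuthn redirected, signed (placeholder blob).
LURE_RDP = """\
full address:s:rdp.cloud-provider-lure.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:0
signscope:s:Full Address,Drives To Redirect,Redirect Clipboard
signature:s:CONSTRUCTED-PLACEHOLDER-SIGNATURE-BLOB
"""

# Constructed benign file: internal jump host, no redirection, unsigned.
INTERNAL_RDP = """\
full address:s:jump01.corp.example
redirectclipboard:i:0
drivestoredirect:s:
"""

ALLOWED_RDP_HOSTS = {"corp.example"}  # constructed allow-list

if __name__ == "__main__":
    for label, content in (("lure", LURE_RDP), ("internal", INTERNAL_RDP)):
        v = assess_rdp(content, ALLOWED_RDP_HOSTS)
        print(f"{label}: host={v.host} allowed={v.host_allowed} "
              f"signed={v.signed} block={v.block}")
        for finding in v.findings.values():
            print("  -", finding)
```

The gateway policy the article's commentators describe (block `.rdp` attachments outright) is simpler and stricter; this check is for environments that must still accept RDP files from known internal hosts and want to quarantine everything else with a readable reason.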
Stringent Controls Needed
Venky Raju, Field CTO at ColorTokens, also pointed to the critical need for stringent controls over Microsoft’s RDP function and said that Microsoft’s advice on using the host firewall to restrict outbound RDP access is spot on and must be urgently heeded. Raju stressed that Group Policy Objects (GPOs) or micro-segmentation could help limit RDP functionality to essential tasks.
“This attack once again highlights that phishing continues to be the most dangerous threat to your organization,” said Patrick Harr, CEO at SlashNext, reiterating the persistent risks phishing poses. Harr advocates for advanced AI protections and user training and advises organizations to employ “AI detection and phishing sandboxes for malicious links and files directly in their email, collaboration, and messaging apps.”
Microsoft’s recommendations for countering the Midnight Blizzard campaign include strengthening firewalls, using multifactor authentication (MFA), adopting phishing-resistant authentication methods, and ensuring robust email security configurations. By implementing these strategies, organizations can reduce their risk of compromise by Midnight Blizzard’s spear-phishing tactics.
Microsoft will provide updates to inform and assist affected sectors as the situation develops.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.