Microsoft Warns About Phishing Attacks by Russia-linked Hackers

Microsoft on Monday revealed it took steps to disrupt phishing operations undertaken by a “highly persistent threat actor” whose objectives align closely with Russian state interests.

The company is tracking the espionage-oriented activity cluster under its chemical element-themed moniker SEABORGIUM, which it said overlaps with a hacking group also known as Callisto, COLDRIVER, and TA446.

“SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries,” Microsoft’s threat hunting teams said. “Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft.”


Attacks launched by the adversarial collective are known to target the same organizations using consistent methodologies applied over long periods of time, enabling it to infiltrate the victims’ social networks through a combination of impersonation, rapport building, and phishing.

Microsoft said it observed “only slight deviations in their social engineering approaches and in how they deliver the initial malicious URL to their targets.”

Primary targets include defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education entities located in the U.S. and the U.K., and to a lesser extent in the Baltics, the Nordics, and Eastern Europe.

Additional targets of interest consist of former intelligence officials, experts in Russian affairs, and Russian citizens abroad. More than 30 organizations and personal accounts are estimated to have been at the receiving end of its campaigns since the start of 2022.

It all starts with a reconnaissance of potential individuals by leveraging fake personas created on social media platforms like LinkedIn, before establishing contact with them via benign email missives originating from newly-registered accounts configured to match the names of the impersonated individuals.

In the event the target falls victim to the social engineering attempt, the threat actor activates the attack sequence by sending a weaponized message embedding a booby-trapped PDF document or a link to a file hosted on OneDrive.

“SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL,” Microsoft said. “The actors include a OneDrive link in the body of the email that when clicked directs the user to a PDF file hosted within a SEABORGIUM-controlled OneDrive account.”


Furthermore, the adversary has been found to disguise its operational infrastructure by resorting to seemingly harmless open redirects to send users to the malicious server, which, in turn, prompts users to enter their credentials to view the content.
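The open-redirect trick described above is easy to miss at a glance, because the visible link points at a legitimate host and the credential-harvesting destination is hidden in a query parameter. The following is an added triage helper, not code from the report or from Microsoft: it takes a list of links (the sample links and hostnames are constructed placeholders, not infrastructure named in the article) and flags any whose query string carries an absolute or scheme-relative URL pointing at a different host than the link itself.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample links of the kind an analyst would triage from a
# suspicious email. All hosts are placeholders, not real infrastructure.
SAMPLE_LINKS = [
    "https://trusted.example.org/docs/report.pdf",
    "https://trusted.example.org/redirect?url=https%3A%2F%2Flogin.lookalike.example%2Fsignin",
    "https://trusted.example.org/out?next=/account/settings",
    "https://sso.example.org/go?target=https://sso.example.org/home",
    "https://trusted.example.org/r?to=//docs.lookalike.example/view",
]


def embedded_redirects(link):
    """Return (parameter, destination_host) pairs for every query parameter
    whose value is a URL that leads to a host other than the link's own.

    Relative paths (e.g. "/account/settings") and same-host targets are not
    reported; scheme-relative targets ("//host/path") are normalised so they
    are not missed.
    """
    outer = urlparse(link)
    findings = []
    for name, values in parse_qs(outer.query, keep_blank_values=True).items():
        for raw in values:
            # parse_qs already percent-decodes once; decoding again catches
            # double-encoded values and is harmless for plain ones.
            candidate = unquote(raw)
            if candidate.startswith("//"):
                candidate = "https:" + candidate
            inner = urlparse(candidate)
            if (inner.scheme in ("http", "https")
                    and inner.hostname
                    and inner.hostname.lower() != (outer.hostname or "").lower()):
                findings.append((name, inner.hostname.lower()))
    return findings


def triage(links):
    """Map each suspicious link to its embedded external destinations."""
    result = {}
    for link in links:
        found = embedded_redirects(link)
        if found:
            result[link] = found
    return result


if __name__ == "__main__":
    for link, dests in triage(SAMPLE_LINKS).items():
        print(f"{link}\n  -> redirects to: {', '.join(h for _, h in dests)}")
```

The check only reasons about URL structure, so it produces a short list for a human or a sandbox to follow up on rather than a verdict; a link flagged here is worth detonating in isolation before anyone enters credentials.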

The last phase of the attack entails abusing the stolen credentials to access the victim's email accounts and taking advantage of the unauthorized logins to exfiltrate emails and attachments and to set up email forwarding rules that ensure sustained data collection, among other follow-on activities.
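Because the forwarding rules mentioned above keep delivering mail to the attacker long after the password is changed, a periodic audit of inbox rules is one of the more effective post-compromise checks. The following is an added example, not code from the report or from Microsoft: it runs a simple audit over a constructed set of inbox-rule records (the field names, mailboxes and domains are assumptions, not an export format from any specific product) and flags rules that forward or redirect mail outside the organization's own domains, rating them higher when the rule also deletes the message so the victim never sees it.

```python
from dataclasses import dataclass, field

# Assumed list of domains the organization owns (placeholder values).
INTERNAL_DOMAINS = {"example.org", "mail.example.org"}


@dataclass
class InboxRule:
    """Minimal model of an exported mailbox rule (assumed field names)."""
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    delete_message: bool = False                    # also deletes the original


# Constructed sample rules; none of these addresses are real.
SAMPLE_RULES = [
    InboxRule("alice@example.org", "Move newsletters", forward_to=[]),
    InboxRule("alice@example.org", ".", forward_to=["archive.collector@webmail.example"],
              delete_message=True),
    InboxRule("bob@example.org", "Copy to assistant", forward_to=["carol@example.org"]),
    InboxRule("bob@example.org", "Backup", forward_to=["bob.backup@freemail.example"]),
]


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule, internal_domains=INTERNAL_DOMAINS):
    """Targets of the rule that lie outside the organization's domains."""
    return [a for a in rule.forward_to if domain_of(a) not in internal_domains]


def assess(rule, internal_domains=INTERNAL_DOMAINS):
    """Return a finding dict for an externally forwarding rule, else None."""
    external = external_targets(rule, internal_domains)
    if not external:
        return None
    severity = "high" if rule.delete_message else "medium"
    return {
        "mailbox": rule.mailbox,
        "rule": rule.name,
        "external_targets": external,
        "severity": severity,
    }


def audit(rules, internal_domains=INTERNAL_DOMAINS):
    """Run assess() over every rule and return the non-empty findings."""
    findings = []
    for rule in rules:
        finding = assess(rule, internal_domains)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['mailbox']} rule '{f['rule']}' "
              f"forwards to {', '.join(f['external_targets'])}")
```

An internal-to-internal forward (Bob copying Carol) is not reported, which keeps the output focused; rules created around the time of a suspicious sign-in, or with near-empty names like the "." above, deserve the first look.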

“There have been several cases where SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties,” Redmond pointed out.

Enterprise security company Proofpoint, which tracks the actor under the name TA446, pointed out the group’s inclination towards reconnaissance and sophisticated impersonation for delivery of fraudulent links.

“TA446 creates a game of whack-a-mole whether takedowns are occurring or not,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told The Hacker News. “The threat actor rapidly registers and changes which personas and aliases they are mimicking in the consumer email addresses and infrastructure they create.”

“TA446 is a threat actor that performs reconnaissance on the intended recipients and creates consumer email accounts based off of people the recipients are likely to know or work in the same profession,” DeGrippo added.
