
Signal Phishing Campaign Attributed to Russian Intelligence, FBI Says


In a pair of advisories issued Friday, federal authorities outlined a pattern of foreign cyber activity that increasingly exploits the trust users place in everyday communication tools as a means of infiltration. 

According to the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), intelligence-linked actors from Russia and Iran are using widely adopted messaging platforms, Signal in particular, to work their way into sensitive networks. 

The activity is not merely opportunistic; it is carefully planned and focused on individuals in a position to influence government, defense, media, and public affairs. The operations typically imitate routine system notifications and support alerts to trick victims into handing over access credentials under the guise of an urgent account action, and they have already produced unauthorized access to thousands of accounts. 

The tradecraft leans on social engineering rather than technical exploits, eroding the trust users place in otherwise secure channels. On the basis of these findings, the FBI issued a public service announcement explicitly naming Russian intelligence services as the source of the ongoing phishing activity. That is an unusual step: earlier advisories generally referred to state-sponsored threats only in broad terms. The operations are built to get around the assurances of end-to-end encrypted commercial messaging applications not by breaking the cryptography but by systematically hijacking user accounts. 

By abusing authentication workflows and manipulating users into divulging verification codes or account credentials, attackers obtain persistent access without ever defeating the underlying encryption protocols. 

Although the tradecraft works across a wide range of messaging platforms, investigators note that Signal is a prominent target because it combines a reputation for security with a high-value user base. Once inside an account, a threat actor can read private communications, map the victim's contact network, impersonate a trusted identity, and seed further phishing campaigns from it. 

The FBI estimates that thousands of accounts have already been affected, and the targeting shows a deliberate focus on individuals with access to sensitive or influential information. Each successful compromise raises both the intelligence value of the operation and the downstream operational risk. 

FBI Director Kash Patel said the operation targeted individuals of high intelligence value. The campaign has been confirmed to have affected thousands of accounts worldwide, including those of current and former government officials, military personnel, political actors, and members of the media. 

It is important to emphasize that the intrusion set does not exploit flaws in the encryption architecture of commercial messaging platforms but instead uses sophisticated phishing techniques to compromise user authentication.

The method typically involves delivering convincing alerts that warn of suspicious login activity or unauthorized access attempts and press the recipient to act immediately by following embedded links, scanning QR codes, or disclosing a one-time verification code. Once a threat actor has gained access to the victim's account, they can harvest message contents as well as contact information. 

Having assumed the victim's identity, the threat actor can then use the account to send secondary phishing messages to the victim's contacts. Although U.S. agencies have not formally attributed the activity to a particular operational unit, parallel threat intelligence reports from industry sources link similar tactics to multiple Russian-aligned clusters, including UNC5792, UNC4221, and Star Blizzard. 

The activity is not confined to a single region: European cybersecurity agencies, including France's Cyber Crisis Coordination Centre and their German and Dutch counterparts, have reported a corresponding increase in attacks against the messaging accounts of government, media, and corporate leaders. The incidents share a common operational objective: exploiting trusted channels to collect intelligence and to push further into connected systems. 

By masquerading as legitimate support entities, particularly "Signal Support", adversaries exploit the trust users already place in the platform, turning a secure messaging ecosystem into a conduit for intrusion rather than a barrier against it. 

The campaign consistently relies on user manipulation rather than technical exploitation. Signal is its primary target, although the same tactics are employed against other messaging platforms, including WhatsApp. Threat actors typically impersonate official support channels to deliver highly targeted phishing messages that press recipients to act immediately, whether by clicking embedded links, scanning QR codes, or disclosing verification codes and PINs. 

When a recipient complies, the attacker can either register their own device as a trusted endpoint through the legitimate "linked device" feature or take over the account outright. The joint advisory from U.S. authorities notes that such actions permit unauthorized access without triggering conventional security safeguards, and that malware distribution may follow as a secondary means of compromising systems. 

The advisory underscores the enduring effectiveness of phishing as a vector that bypasses even robust protections such as end-to-end encryption by targeting user behavior directly. Once access is established, adversaries can retrieve message histories, map contact networks, and exploit established trust relationships to expand their reach through secondary phishing. 

International agencies, including counterparts in France and the Netherlands, have issued parallel warnings about coordinated efforts to target officials, civil servants, and military personnel, reflecting a broader strategic intent to intercept sensitive communications. 

The agencies also stress that the activity does not stem from inherent vulnerabilities in the platforms themselves but from systematic abuse of legitimate authentication workflows and features. Users should therefore remain vigilant: never disclose one-time codes, scrutinize unsolicited messages, even those that appear to come from known contacts, and use only official channels when dealing with account issues.

Officials further caution against using commercial messaging applications to exchange classified or sensitive information in high-risk environments, underscoring the tension between operational security and convenience in modern communication. The persistence and adaptability of the campaign show that mitigation has to reinforce both user-side defenses and platform-level controls. 

Organizations are accordingly advised to enforce rigorous identity verification, maintain multifactor authentication hygiene, and limit the exposure of high-value personnel through publicly accessible communication channels. Continuous awareness training is equally important for preparing users to recognize the subtle indicators of social engineering, especially in environments where messages routinely simulate urgency and authority. 

Rapid reporting and a coordinated response remain essential to containing lateral spread once an account has been compromised. The broader implication is clear: as adversaries refine techniques that exploit trust rather than technology, resilience will depend not solely on the strength of encryption but on the diligence and preparedness of those who use it.

Microsoft 365 Users Targeted by Russia-Linked Device Code Phishing Operations


Enterprise networks worldwide are seeing a wave of sophisticated intrusions in which state-sponsored and financially motivated hackers abuse a legitimate Microsoft authentication mechanism to seize control of enterprise accounts across a broad range of sectors. 

A recent investigation found attackers with ties to both Russian and Chinese interests exploiting Microsoft's OAuth 2.0 device authorization grant flow, a feature designed to simplify secure sign-in on input-constrained devices, to trick users into unknowingly granting them access to Microsoft 365 environments. 

By impersonating legitimate institutions and persuading targets to authenticate through genuine Microsoft services, attackers obtain valid access tokens that allow persistent account compromise without ever needing the target's password. The Russian-linked threat actor Storm-2372, which has been targeting government bodies and private organizations since August 2024, has been one of the most active groups in this regard. 

Device code phishing has proven more effective than conventional spear-phishing. The campaign has been conducted across Africa, Europe, the Middle East, and North America, and has targeted government, defence, healthcare, telecommunications, education, energy, and non-governmental organizations. 

Microsoft's Threat Intelligence Center has assessed that the scale, targeting patterns, and operational discipline of the activity strongly point to a coordinated nation-state effort aligned with Russian strategic objectives. 

The campaign has now been tied more clearly to an organization believed to be aligned with the Russian government: a sustained phishing operation that leverages Microsoft's device code authentication workflow to compromise Microsoft 365 accounts. Proofpoint has tracked this activity since September 2025 under the designation UNK_AcademicFlare. 

Investigators believe the attackers used previously compromised email accounts belonging to government and military organizations to lend legitimacy to their outreach. The messages targeted individuals and organizations at government agencies, policy think tanks, higher education institutions, and transportation-related organizations in both the United States and Europe. 

The approach proceeds in deliberate steps. It begins with seemingly innocuous correspondence tailored to the recipient's professional background, usually framed as preparation for an interview or a collaboration. The sender then offers a document purporting to outline the discussion topics, hosted at a link that appears to be a Microsoft OneDrive share belonging to the sender.

The link actually leads to a Cloudflare Worker, which redirects the user to Microsoft's legitimate device login page. There the user enters the code supplied by the attacker, unwittingly authorizing the attacker's client and causing Microsoft to issue it a valid token that enables full account hijacking. 
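To make the mechanism concrete, here is an added example, not code from this page, Microsoft, Proofpoint or Volexity, that simulates the OAuth 2.0 device authorization grant (RFC 8628) against a toy identity provider. The endpoint names, the 900-second code lifetime, the client name and the user identities are all assumptions. It shows the property the lure abuses: the token is issued to whichever client requested the device code, the person who types the user code on the genuine sign-in page never sees which client that is, and the victim's password and MFA are never touched by the attacker.

```python
"""Toy simulation of the OAuth 2.0 device authorization grant (RFC 8628).

Added example: this is NOT Microsoft's implementation. It models the
/devicecode and /token endpoints only closely enough to show who ends up
holding the token. All names, codes and the 900-second lifetime are assumed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingAuth:
    device_code: str            # secret, returned only to the requesting client
    user_code: str              # short code meant to be shown to a human
    client_id: str              # the client that asked for the codes
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class DeviceAuthServer:
    """Minimal stand-in for an identity provider's device-code endpoints."""

    def __init__(self, lifetime_seconds: int = 900):
        self.lifetime = lifetime_seconds
        self._by_device = {}
        self._by_user_code = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: the requesting client receives BOTH codes."""
        raw = secrets.token_hex(4).upper()
        user_code = f"{raw[:4]}-{raw[4:]}"
        while user_code in self._by_user_code:           # avoid the rare collision
            raw = secrets.token_hex(4).upper()
            user_code = f"{raw[:4]}-{raw[4:]}"
        pend = PendingAuth(secrets.token_urlsafe(32), user_code, client_id,
                           scope, time.time() + self.lifetime)
        self._by_device[pend.device_code] = pend
        self._by_user_code[pend.user_code] = pend
        return {"device_code": pend.device_code, "user_code": pend.user_code,
                "verification_uri": "https://login.example/devicelogin",  # assumed
                "expires_in": self.lifetime, "interval": 5}

    def user_approves(self, user_code: str, username: str) -> dict:
        """The human opens verification_uri, signs in with their OWN password and
        MFA (not modelled), and types the code. The page does not tell them which
        client requested it, only that a device wants to sign in."""
        pend = self._by_user_code.get(user_code)
        if pend is None or time.time() > pend.expires_at:
            return {"error": "invalid_or_expired_code"}
        pend.approved_by = username
        return {"status": "approved", "client_id": pend.client_id}

    def token(self, device_code: str, client_id: str) -> dict:
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code,
        polled by whoever holds the device_code."""
        pend = self._by_device.get(device_code)
        if pend is None or pend.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > pend.expires_at:
            return {"error": "expired_token"}
        if pend.approved_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer",
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "scope": pend.scope,
                "subject": pend.approved_by,    # the victim, not the attacker
                "client_id": pend.client_id}    # the attacker's client


def run_phish_scenario(lifetime_seconds: int = 900) -> dict:
    """Play out the lure described above with assumed identities."""
    idp = DeviceAuthServer(lifetime_seconds)
    attacker_client = "attacker-public-client"              # assumed name
    # 1. Attacker requests the codes; the lure carries only user_code.
    codes = idp.device_authorization(attacker_client, "Mail.Read offline_access")
    # 2. Attacker polls before the victim acts: nothing yet.
    first_poll = idp.token(codes["device_code"], attacker_client)
    # 3. Victim follows the lure to the genuine page and types the code.
    approval = idp.user_approves(codes["user_code"], "alice@victim.example")
    # 4. Attacker polls again and receives tokens for the victim's account.
    token = idp.token(codes["device_code"], attacker_client)
    return {"first_poll": first_poll, "approval": approval, "token": token}


def expired_code_is_rejected() -> bool:
    """Edge case: a code typed after expires_in yields no token."""
    idp = DeviceAuthServer(lifetime_seconds=-1)             # already expired
    codes = idp.device_authorization("attacker-public-client", "Mail.Read")
    return idp.user_approves(codes["user_code"], "bob@victim.example") == \
        {"error": "invalid_or_expired_code"}


if __name__ == "__main__":
    out = run_phish_scenario()
    print(out["first_poll"])
    print(out["token"]["subject"], "token issued to", out["token"]["client_id"])
```

The only defence the protocol itself offers is the short code lifetime, which is why the lures push for immediate action; everything else has to come from the identity provider's policy and from the user.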

Security researchers note that the technique has gained traction: it was extensively documented earlier this year by Microsoft and Volexity and linked to Russia-associated clusters such as Storm-2372 and APT29. 

Recent warnings from Amazon Threat Intelligence and Volexity show that Russian attackers are still using it. The latest technical details published by Microsoft and independent researchers shed light on several of the mechanisms behind the campaign. 

A Microsoft update dated February 14, 2025 confirmed that Storm-2372 had begun using a specific client ID, that of the Microsoft Authentication Broker, in its device code sign-in requests. A token obtained with this client ID comes with a refresh token that can be used to request further tokens. 

In particular, the refresh token can be exchanged for a token for the device registration service, which lets the adversary enroll attacker-controlled systems into Microsoft Entra ID and maintain persistent access for large-scale email harvesting. 

Investigators found that high-profile institutions, including the United States Department of State, the Ukrainian Ministry of Defense, the European Parliament, and prominent research organizations, were impersonated in the activity. Researchers assess that APT29, also known as Cozy Bear, Midnight Blizzard, Cloaked Ursa, and The Dukes, may be the cluster driving it. 

Volexity's case studies show operators using real-time communication channels to accelerate victim compliance. In one incident, UTA0304 contacted a victim via Signal, moved the conversation to Element, and finally directed the target to a legitimate Microsoft page asking for a code, all while posing as a secure chat service provider. 

Immediacy and context push victims to act quickly, a tactic also seen in lures from related groups built around Microsoft Teams meeting invitations. 

Microsoft's guidance is to disable the device code flow wherever possible, restrict Entra ID access to trusted networks and devices through Conditional Access, and actively monitor sign-in logs for anomalous device code activity, including rapid successive authentication attempts and sign-ins from unfamiliar locations.
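As an added example of the sign-in log monitoring described above (my code, not Microsoft's), the following flags device code sign-ins from countries outside a per-user baseline and bursts of device code sign-ins for one user. The log lines are constructed to resemble a subset of the Microsoft Graph signIn resource, whose authenticationProtocol field reports deviceCode for this flow; the baseline map, the 10-minute window and the threshold of three are assumptions to tune per tenant.

```python
"""Flag suspicious device code sign-ins in Entra-style sign-in records.

Added example, not Microsoft's code. SAMPLE_SIGNINS are constructed JSON
lines in the shape of (a subset of) the Graph signIn resource. Thresholds
and the per-user location baseline are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = """
{"createdDateTime":"2025-11-03T08:55:00Z","userPrincipalName":"alice@contoso.example","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-11-03T09:00:00Z","userPrincipalName":"alice@contoso.example","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-11-03T09:05:00Z","userPrincipalName":"bob@contoso.example","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2025-11-03T09:10:00Z","userPrincipalName":"carol@contoso.example","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.44","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-11-03T09:14:00Z","userPrincipalName":"carol@contoso.example","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.44","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-11-03T09:18:00Z","userPrincipalName":"carol@contoso.example","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.44","location":{"countryOrRegion":"US"}}
"""

# Assumed baseline: countries each user normally signs in from
# (in practice, derived from several weeks of interactive sign-ins).
KNOWN_LOCATIONS = {
    "alice@contoso.example": {"US"},
    "bob@contoso.example": {"US"},
    "carol@contoso.example": {"US"},
}
BURST_WINDOW = timedelta(minutes=10)   # assumed
BURST_THRESHOLD = 3                    # assumed


def parse_signins(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def device_code_findings(events: list, baseline: dict = KNOWN_LOCATIONS,
                         window: timedelta = BURST_WINDOW,
                         threshold: int = BURST_THRESHOLD) -> list:
    """Return one finding per rule hit, in time order.

    Rule 1: a device code sign-in from a country outside the user's baseline.
    Rule 2: `threshold` device code sign-ins for one user inside `window`."""
    findings = []
    seen = defaultdict(list)       # user -> timestamps of deviceCode sign-ins
    dc_events = [e for e in events if e.get("authenticationProtocol") == "deviceCode"]
    for e in sorted(dc_events, key=_ts):
        user = e["userPrincipalName"]
        t = _ts(e)
        country = (e.get("location") or {}).get("countryOrRegion")
        if country not in baseline.get(user, set()):
            findings.append({"rule": "device_code_unknown_location", "user": user,
                             "country": country, "ip": e.get("ipAddress"),
                             "app": e.get("appDisplayName"), "time": e["createdDateTime"]})
        seen[user].append(t)
        recent = [x for x in seen[user] if t - x <= window]
        if len(recent) == threshold:   # fire once, when the threshold is first reached
            findings.append({"rule": "device_code_burst", "user": user,
                             "count": len(recent), "time": e["createdDateTime"]})
    return findings


if __name__ == "__main__":
    for finding in device_code_findings(parse_signins(SAMPLE_SIGNINS)):
        print(json.dumps(finding))
```

On the constructed sample this produces two findings: bob's device code sign-in from NL, and carol's third device code sign-in within ten minutes. A tenant that has blocked the flow entirely can drop the baseline and alert on every deviceCode record instead.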

Because employee awareness alone cannot counter this evolving threat, organisations will very likely have to implement layered technical controls to reduce their exposure. Proofpoint recommends that enterprises explicitly limit the use of device code authentication, which it describes as the most effective way to prevent misuse of the OAuth device flow. 

Adoption of such a control should begin with an audit or report-only deployment, which lets security teams evaluate the operational impact against historical sign-in data before enforcing it fully. 

Where a complete block is not feasible, researchers recommend a more granular, allow-list-based approach that limits device code authentication to narrowly defined and approved scenarios, for example specific users, trusted operating systems, or well-known network locations.

Further safeguards include requiring Microsoft 365 sign-ins to originate from compliant or registered devices, particularly in environments that already use Entra device registration or Microsoft Intune. Proofpoint warns, however, that misuse of OAuth authentication mechanisms is likely to increase as organizations adopt FIDO-based, phishing-resistant multifactor authentication, which makes proactive policy and continuous monitoring all the more necessary. 
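To show the rollout just described as configuration, the added example below (mine, not Proofpoint's or Microsoft's) builds the Microsoft Graph conditionalAccessPolicy request body for a device code block at three stages, report-only, enforced, and enforced with an allow-list, and then runs a deliberately simplified local evaluator over constructed sign-ins so the expected effect can be checked before anything is POSTed to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies. The group and named-location ids, the sign-ins and the tenant context are placeholders; the evaluator is not Microsoft's engine and considers only users, locations and the device code flow condition.

```python
"""Build and locally sanity-check Conditional Access policies that block
the OAuth device code flow. Added example, not Microsoft's or Proofpoint's.

The JSON shape follows the Microsoft Graph conditionalAccessPolicy resource
(conditions.authenticationFlows.transferMethods == "deviceCodeFlow"); verify
field names against current Graph docs before use. Ids are placeholders and
evaluate() is a simplified local model of the real engine.
"""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"
ENFORCED = "enabled"


def device_code_block_policy(state: str, exclude_groups=(), exclude_locations=(),
                             name: str = "Block device code flow") -> dict:
    """Graph request body for a policy that blocks device code sign-ins.

    Non-empty exclude_groups / exclude_locations turn the full block into the
    allow-list variant: members of those groups, or sign-ins from those named
    locations, fall out of scope and may still use the flow."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(exclude_locations)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate(policy: dict, signin: dict, group_members: dict, location_ips: dict) -> str:
    """Simplified local evaluation: 'blocked', 'would_block' (report-only),
    'out_of_scope' or 'disabled'. NOT the real Conditional Access engine."""
    cond = policy["conditions"]
    if "deviceCodeFlow" not in cond.get("authenticationFlows", {}).get("transferMethods", ""):
        return "out_of_scope"
    if signin.get("authenticationProtocol") != "deviceCode":
        return "out_of_scope"
    user = signin["userPrincipalName"]
    for group in cond["users"].get("excludeGroups", []):
        if user in group_members.get(group, set()):
            return "out_of_scope"
    for loc in cond["locations"].get("excludeLocations", []):
        if signin.get("ipAddress") in location_ips.get(loc, set()):
            return "out_of_scope"
    if policy["state"] == ENFORCED:
        return "blocked"
    if policy["state"] == REPORT_ONLY:
        return "would_block"
    return "disabled"


# Constructed tenant context (placeholder ids, not real objects).
GROUPS = {"<group-id:CA-DeviceCode-Approved>": {"ops@contoso.example"}}
NAMED_LOCATIONS = {"<named-location-id:HQ>": {"203.0.113.10"}}
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "ops@contoso.example",   "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "oAuth2",     "ipAddress": "198.51.100.7"},
]


def rollout_matrix() -> dict:
    """Outcome of each constructed sign-in under the three rollout stages."""
    stages = {
        "report_only": device_code_block_policy(REPORT_ONLY),
        "enforced": device_code_block_policy(ENFORCED),
        "allow_list": device_code_block_policy(ENFORCED, exclude_groups=GROUPS,
                                               exclude_locations=NAMED_LOCATIONS),
    }
    return {stage: [evaluate(p, s, GROUPS, NAMED_LOCATIONS) for s in SIGNINS]
            for stage, p in stages.items()}


if __name__ == "__main__":
    print(json.dumps(device_code_block_policy(REPORT_ONLY), indent=2))
    print(json.dumps(rollout_matrix(), indent=2))
```

The report-only stage is where the historical sign-in data mentioned above comes in: if the would_block column in the real tenant lists anything but attacker activity, that is the population for the allow-list exclusions, and the ordinary interactive sign-in at the end of the sample shows the policy touching nothing else.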

Researchers have also uncovered a broader ecosystem of infrastructure and social engineering techniques used to maintain and expand the ongoing campaign. Some of the phishing URLs analysed were temporarily inactive, yet the accompanying emails instructed recipients to copy and send back the full URL from the browser if they hit an error, a request consistent with OAuth device code phishing, where the attacker needs usable authentication data returned to them.

One of the domains involved, ustrs[.]com, appears to have been acquired through a domain auction or resale service. Although it was originally registered in early 2020, WHOIS records show it was updated in late 2025; buying aged domains is a long-standing way of evading reputation-based security controls that lean heavily on domain age as a trust signal.

Volexity observed the same sender approaching additional organizations in November 2025 with a conference registration link on brussels-indo-pacific-forum[.]org, a site built to mimic the Brussels Indo-Pacific Dialogue.

Victims who tried to register on the site were presented with a Microsoft 365 authentication process disguised as a legitimate signup, after which they were sent to a benign confirmation page. As in the earlier Belgrade Security Conference campaign, subsequent access to compromised accounts was routed through proxy network infrastructure to conceal the attackers' origin. 

Further research shows the operators systematically extending their reach by exploiting ordinary professional courtesies. When targets declined event invitations, activity tracked as UTA0355 repeatedly urged them to register for updates and to pass the details on to colleagues who might be interested. 

In at least one case an unwitting intermediary introduced a new target to the threat actor, letting the attackers gather leads organically. Domain registration data for the impersonated events revealed other infrastructure possibly tied to the same cluster: WHOIS records for bsc2025[.]org, a domain resembling the Belgrade Security Conference, show it was registered with an address at mailum[.]com, a relatively obscure e-mail service. 

Volexity's investigation expanded to identify further domains masquerading as the World Nuclear Exhibition scheduled for November 2025, including world-nuclear-exhibition-paris[.]com, wne-2025[.]com, and confirmyourflight-parisaeroport[.]com, all suggesting the event was being held in Paris. Although researchers do not believe these domains were used in confirmed attacks, they assess that the domains may have supported the campaign in its early stages. 

Taken together, these findings illustrate a shift: advanced threat actors are increasingly relying on trusted identity frameworks rather than traditional malware and credential theft. By weaponizing legitimate authentication flows and embedding them in credible professional interactions, these campaigns increase user compliance and reduce the likelihood of detection.

Beyond the immediate account compromise, organisations face longer-term risks from persistent access: data exposure, internal reconnaissance, and follow-on attacks. Security teams are therefore urged to revisit assumptions about "trusted" login mechanisms, improve identity governance, and ensure visibility into non-interactive, device-based sign-in events. 

Proactive measures such as tightening OAuth permissions, auditing registered devices and applications, and stress-testing Conditional Access policies can significantly reduce the attack surface. Leadership and security stakeholders also need to recognize that modern phishing campaigns are increasingly modeled on legitimate business workflows, so defensive strategies must be complemented by context-aware user education. 

As attackers keep refining low-friction, high-impact techniques, organisations that fail to treat identity security as a core operational priority will find it increasingly hard to stop intrusions before they become systemic breaches.