Midnight Blizzard watering-hole campaign targeting Microsoft 365 device-code authorization
Campaign
Summary
Hide ▲
Show ▼
Midnight Blizzard / APT29 had a watering-hole campaign disrupted after it redirected selected targets to malicious infrastructure built to abuse Microsoft’s device code authentication flow. The operation aimed at Microsoft 365 accounts and data, creating a direct credential and access risk for the targeted users. The group used compromised legitimate websites and selective redirection to reduce detection and increase the odds of successful authorization theft. The disruption cuts off an active access attempt against a Russian state-linked espionage operation.
Related Happenings
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
UNC6692 email bombing and Microsoft Teams impersonation campaign
CampaignAbout this happening: UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
CampaignAbout this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
UNC6783 BPO compromise campaign targeting downstream companies
CampaignAbout this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Europol-coordinated Tycoon2FA takedown
Law Enforcement
First: 04.03.2026 19:01
Last: 04.03.2026 19:01
Sources 1
About this happening:
**Europol** coordinated a law-enforcement operation that **seized 330 domains** tied to **Tycoon2FA**, disrupting a **phishing-as-a-service** platform used for **credential theft*...
Europol-coordinated Tycoon2FA takedown
Law EnforcementAbout this happening: **Europol** coordinated a law-enforcement operation that **seized 330 domains** tied to **Tycoon2FA**, disrupting a **phishing-as-a-service** platform used for **credential theft*...
Latest development: 23.03.2026 23:52
CrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.
Timeline
-
01.09.2025 18:35 2 articles · 8mo ago
Amazon disrupts Midnight Blizzard watering-hole campaign against Microsoft 365
Initial DisclosureAmazon disrupted a Russian state-sponsored Midnight Blizzard (APT29) watering-hole campaign aimed at Microsoft 365 accounts and data. The operation compromised legitimate websites, used base64-obfuscated malicious code and cookies-based redirection logic, and sent roughly 10% of visitors to fake Cloudflare verification pages that led into a malicious Microsoft device code authentication flow intended to trick users into authorizing attacker-controlled devices.
Show sources
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 — www.bleepingcomputer.com — 01.09.2025 18:35
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 — www.bleepingcomputer.com — 01.09.2025 18:35