Microsoft Intervenes with SEABORGIUM’s Phishing Campaigns
Industries: Defense, Consulting, Education, Intergovernmental Organizations, Non-Governmental Organizations, Think Tanks | Level: Tactical | Source: Microsoft
The Microsoft Threat Intelligence Center (MSTIC) investigated phishing operations run by the Russian threat actor SEABORGIUM (aka TA446, ColdRiver). The group has targeted organizations in the Baltics, the Nordics, and Eastern Europe, and its operations focus on espionage and information gathering rather than financial gain: "Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries." Microsoft describes the actor as persistent, returning repeatedly to the same targeted organizations. SEABORGIUM first builds rapport through email and social-media contact (LinkedIn in particular), then delivers a malicious PDF that lures the target to a credential-harvesting page hosted on a phishing framework. With the stolen credentials the actor typically exfiltrates the victim's email and sets up forwarding rules so that future messages are collected as well; it has also used the compromised account's persona to initiate conversations with further targets of interest. By tracking these campaigns, Microsoft was able to shut down accounts the group used for surveillance, phishing, and email collection.
Anvilogic Use Cases:
- O365 Auto Forward
- O365 Inbox Rules
- O365 New Export Request
- Exchange New Export Request
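The four use cases above all reduce to watching Exchange admin-audit events for forwarding and export activity. The script below is an added example, not Anvilogic or Microsoft detection content: it parses constructed Office 365 Unified Audit Log `AuditData` records (the record shape, the `Operation` names and the `Parameters` field names are assumptions modelled on the Exchange admin-audit schema) and maps each one to the corresponding use case, treating a forward to an address outside the assumed tenant domain `contoso.example`, or a rule that deletes the original message, as high severity.

```python
import json

# Added example (not Anvilogic or Microsoft code). Assumption: records follow the
# Exchange admin-audit shape exposed in the O365 Unified Audit Log:
# Operation, UserId and Parameters=[{"Name": ..., "Value": ...}, ...].
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
RULE_FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MAILBOX_FORWARD_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")
EXPORT_OPS = {
    "New-ComplianceSearchAction": "O365 New Export Request",   # EXO/Purview export (-Export)
    "New-MailboxExportRequest": "Exchange New Export Request",  # on-prem PST export
}
INTERNAL_DOMAINS = {"contoso.example"}  # constructed tenant domain

# Constructed AuditData records, one JSON string per line as the UAL returns them.
SAMPLE_UAL = [
    r'{"Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"collector@mail-example.test"},{"Name":"DeleteMessage","Value":"True"}]}',
    r'{"Operation":"Set-Mailbox","UserId":"alice@contoso.example","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"ForwardingSmtpAddress","Value":"smtp:collector@mail-example.test"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    r'{"Operation":"New-InboxRule","UserId":"bob@contoso.example","Parameters":[{"Name":"Name","Value":"Receipts"},{"Name":"From","Value":"noreply@shop.contoso.example"},{"Name":"MoveToFolder","Value":"Receipts"}]}',
    r'{"Operation":"New-ComplianceSearchAction","UserId":"alice@contoso.example","Parameters":[{"Name":"SearchName","Value":"bob-mail"},{"Name":"Export","Value":"True"}]}',
    r'{"Operation":"New-MailboxExportRequest","UserId":"CONTOSO/alice","Parameters":[{"Name":"Mailbox","Value":"bob"},{"Name":"FilePath","Value":"\\\\files\\exports\\bob.pst"}]}',
    r'{"Operation":"Set-Mailbox","UserId":"helpdesk@contoso.example","Parameters":[{"Name":"Identity","Value":"carol"},{"Name":"ForwardingSmtpAddress","Value":"smtp:shared-inbox@contoso.example"}]}',
]


def parameters(record):
    """Flatten the Parameters array into a name -> value dict (values as strings)."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def recipients(value):
    """Split a possibly ';'-joined recipient value, drop the smtp: prefix,
    and ignore the $null/empty values that appear when forwarding is cleared."""
    out = []
    for r in value.split(";"):
        r = r.strip().lower().removeprefix("smtp:")
        if r and r != "$null":
            out.append(r)
    return out


def is_external(addr):
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def classify(record):
    """Map one audit record to a use case dict, or None if it looks benign."""
    op, user, p = record.get("Operation", ""), record.get("UserId", "?"), parameters(record)
    if op in RULE_OPS:
        targets = [r for k in RULE_FORWARD_PARAMS if k in p for r in recipients(p[k])]
        if not targets:
            return None  # move/flag/categorise rules are normal user behaviour
        hides = p.get("DeleteMessage", "").lower() == "true"
        external = any(is_external(t) for t in targets)
        return {"use_case": "O365 Inbox Rules", "user": user,
                "severity": "high" if external or hides else "low",
                "detail": f"forwards to {targets}" + ("; deletes original" if hides else "")}
    if op == "Set-Mailbox":
        targets = [r for k in MAILBOX_FORWARD_PARAMS if k in p for r in recipients(p[k])]
        if not targets:
            return None  # not a forwarding change, or forwarding was removed
        return {"use_case": "O365 Auto Forward", "user": user,
                "severity": "high" if any(is_external(t) for t in targets) else "low",
                "detail": f"mailbox forwarding set to {targets}"}
    if op in EXPORT_OPS:
        if op == "New-ComplianceSearchAction" and p.get("Export", "").lower() != "true":
            return None  # preview/purge actions use the same cmdlet but are not exports
        what = p.get("SearchName") or p.get("Mailbox", "?")
        return {"use_case": EXPORT_OPS[op], "user": user, "severity": "medium",
                "detail": f"export requested for {what}"}
    return None


def triage(audit_lines):
    """Parse AuditData JSON lines and return the alerts in log order."""
    return [a for a in (classify(json.loads(line)) for line in audit_lines) if a]


if __name__ == "__main__":
    for a in triage(SAMPLE_UAL):
        print(f"{a['severity']:6} {a['use_case']:28} {a['user']:24} {a['detail']}")
```

Run against the six constructed records, the benign move-to-folder rule is dropped and the remaining five surface as the four use cases, with the forward to a shared internal mailbox ranked low so an analyst can tune it out without losing the external forwards. In a real deployment the internal-domain set would come from the tenant's accepted domains, and the alerts would be joined with the sign-in log to see whether the forwarding change followed a login from an unfamiliar location.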