Your Invitation to the Email-Jacking Summit

  • Javier Conejo del Cerro
  • 2 days ago
  • 2 min read



In the spring of 2025, dozens of inboxes belonging to NGOs across Europe and the U.S. received what looked like a straightforward invitation: a PDF file from the supposed organizer of the European Defense and Security Summit. Inside, a QR code promised access to event details. What it delivered instead was a one-way ticket to credential theft.

The campaign was orchestrated by Void Blizzard—also known as Laundry Bear—a threat actor aligned with Russian intelligence. Armed with the Evilginx adversary-in-the-middle (AitM) phishing framework, the group mimicked Microsoft Entra login pages to steal credentials from unsuspecting targets. It wasn’t just another spoof. It was a multilayered espionage operation using open-source tools to launch high-impact social engineering against the cloud.


Humanitarian Clouds Under Fire


Void Blizzard’s targets weren’t random. The attack struck over 20 NGOs focused on humanitarian aid, defense alignment, and strategic research. Alongside them, a Dutch police agency fell victim to a separate pass-the-cookie intrusion that exposed internal contact details.

The operation overlapped with activity from other GRU-linked APTs like Forest Blizzard and Midnight Blizzard—suggesting unified intelligence objectives. The goal? To gather data on military procurement, defense cooperation, and foreign support for Ukraine.


QR: Queue Rip-off


The attack chain started with highly targeted spear-phishing emails. Victims received PDFs with embedded QR codes that redirected them to domains like “micsrosoftonline[.]com,” hosting cloned Microsoft Entra login portals. Built with Evilginx, these pages captured credentials and session cookies.

Once inside, the attackers accessed Exchange and SharePoint Online, harvested inboxes and files, and in some cases, entered Microsoft Teams to collect chat data. They also used AzureHound to map Entra ID environments—enumerating roles, groups, devices, and apps to maximize surveillance and persistence.


Cleaning the Cloud


  • Enforce phishing-resistant MFA, such as FIDO2 security keys or certificate-based authentication, especially for cloud accounts.

  • Disable legacy authentication protocols (e.g., basic auth for Exchange Online) to reduce exposure to session hijacking.

  • Scrutinize QR codes in email attachments—train users not to trust unauthenticated codes, even in official-looking PDFs.

  • Implement DNS filtering to detect and block typosquatted domains like micsrosoftonline[.]com.

  • Monitor Entra ID environments for enumeration activity by tools like AzureHound; look for role, group, device, and app mapping attempts.

  • Audit cloud activity logs for suspicious access to Exchange, SharePoint, Teams, and Microsoft Graph APIs.

  • Alert on impossible travel or anomalous login patterns, especially from cloud-based or QR-initiated sessions.
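As an added illustration of the DNS-filtering recommendation above (example code written for this page, not from the original post or any vendor product), the following Python flags DNS queries whose registrable domain is an edit-distance near-miss of a Microsoft sign-in domain, which is how the "micsrosoftonline[.]com" lookalike would be caught. The log lines are constructed, the protected-domain list beyond microsoftonline.com and the two-label registrable-domain simplification are assumptions.

```python
# Protected domains: microsoftonline.com is the Entra ID sign-in domain;
# office.com is added as an assumed second entry for illustration.
PROTECTED_DOMAINS = ["microsoftonline.com", "office.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(hostname: str) -> str:
    # Simplification (assumption): registrable domain = last two labels,
    # no public-suffix handling, so "login.micsrosoftonline.com" -> "micsrosoftonline.com".
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def lookalike_of(hostname: str, max_distance: int = 2):
    """Return (protected_domain, distance) for a near-miss lookalike, else None.
    Distance 0 is an exact match, i.e. legitimate traffic, and is never flagged."""
    dom = registrable(hostname)
    best = None
    for protected in PROTECTED_DOMAINS:
        d = levenshtein(dom, protected)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (protected, d)
    return best

# Constructed DNS resolver log, not real telemetry.
SAMPLE_DNS_LOG = """\
2025-04-02T09:14:03Z client=10.1.4.22 query=login.microsoftonline.com
2025-04-02T09:14:07Z client=10.1.4.22 query=micsrosoftonline.com
2025-04-02T09:15:41Z client=10.1.4.31 query=cdn.office.com
2025-04-02T09:16:12Z client=10.1.4.31 query=0ffice.com
2025-04-02T09:17:55Z client=10.1.4.40 query=example.org
"""

def scan_dns_log(log_text: str):
    """Return (client, queried_name, protected_domain, distance) for each lookalike hit."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        match = lookalike_of(fields["query"])
        if match:
            hits.append((fields["client"], fields["query"], match[0], match[1]))
    return hits

if __name__ == "__main__":
    for client, qname, target, dist in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT client={client} queried {qname}: lookalike of {target} (distance {dist})")
```

Edit distance alone misses homoglyph and different-TLD variants, so in production pair this with a blocklist feed and a public-suffix-aware domain parser.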


