
Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing

The new Microsoft report links the Russia-backed group to cookie-theft proxies and mass mailbox exports across critical sectors in Europe and North America.

Happy new threat actor day!

Microsoft just outed Void Blizzard (aka Laundry Bear), a Russia-aligned cluster active since at least April 2024 and already carving through cloud mail and files across NATO countries and Ukraine. In their words, “Void Blizzard is a new threat actor Microsoft Threat Intelligence has observed conducting espionage operations primarily targeting organizations that are important to Russian government objectives.” (Microsoft)

who they hit

The crew goes where the Kremlin's intel wishlist points: government agencies, defense contractors, telecoms, media, NGOs, healthcare, education, transportation, and IT providers, with a soft spot for any org backing Kyiv. Microsoft saw several of its victims also compromised by other Russian state actors such as Forest Blizzard (GRU) and Midnight Blizzard (SVR), which points to shared collection tasking rather than fancy new tradecraft.

how they get in

Void Blizzard’s playbook is low-glamour but relentless:

  • Password spraying and stolen credentials, the latter most likely bought from commodity infostealer log markets, feed bulk cloud logins.

  • New AitM spear-phish spotted April 2025: “In April 2025, we identified a Void Blizzard adversary-in-the-middle (AitM) spear phishing campaign that targeted over 20 NGO sector organizations in Europe and the United States.”

    • Typosquat domain micsrosoftonline[.]com imitates the Entra auth portal.

    • PDF attachments carry QR codes that bounce victims into an Evilginx proxy, which relays the login (password and MFA prompt included) to the real portal and keeps the resulting session cookie.

PDF attachment with malicious QR code (Source: Microsoft)

Credential phishing page on actor infrastructure (Source: Microsoft)
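Why the proxy trick works against codes and push approvals but not against FIDO2/passkeys, as an added example (not code from the Microsoft report or from Vulnerable U): a password and an OTP carry nothing that ties them to the site the victim typed them into, so a relay succeeds, whereas the browser stamps the real page origin into the WebAuthn clientDataJSON that the authenticator signs, and the relying party rejects any origin it does not own. The RP ID, origins and secrets below are illustrative, and signature verification is assumed to be done by the RP's FIDO library rather than shown.

```python
"""Added example: origin binding is what makes FIDO2/passkeys phishing-resistant.
RP_ID, ALLOWED_ORIGINS and the demo secrets are assumptions for the demo."""
import base64
import hashlib
import json

RP_ID = "login.microsoftonline.com"            # hypothetical relying-party ID
ALLOWED_ORIGINS = {"https://login.microsoftonline.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(challenge: bytes, origin: str) -> str:
    """What the browser builds for navigator.credentials.get(). The origin is
    filled in from the page actually loaded, so on the typosquat it is the
    typosquat, whatever the proxied HTML says."""
    return b64url(json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """rpIdHash (32 bytes) + flags (UP|UV) + signCount: the fields checked below."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"


def verify_assertion(client_data_b64: str, auth_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion verification steps.
    The signature over authData || sha256(clientDataJSON) is assumed to be
    verified separately by the RP's FIDO library."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def password_otp_login(origin: str, password: str, otp: str) -> bool:
    """Legacy factors: nothing in the submitted secrets names the origin, so the
    real portal cannot tell a relayed login from a direct one."""
    return password == "hunter2" and otp == "123456"   # constructed demo secrets


def demo() -> dict:
    chal = hashlib.sha256(b"server-side random challenge").digest()
    phish = "https://micsrosoftonline.com"            # domain named in the report
    legit = "https://login.microsoftonline.com"
    return {
        "otp_via_proxy": password_otp_login(phish, "hunter2", "123456"),
        "fido_direct": verify_assertion(make_client_data(chal, legit),
                                        make_authenticator_data(RP_ID), chal),
        "fido_via_proxy": verify_assertion(make_client_data(chal, phish),
                                           make_authenticator_data("micsrosoftonline.com"), chal),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In practice the browser blocks the relayed FIDO ceremony even earlier, because a page on micsrosoftonline[.]com cannot ask for a credential scoped to the real RP ID; the server-side origin check above is the backstop.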

life after login

Once an account lands, the actor drives legitimate cloud APIs (Exchange Online, Microsoft Graph) to enumerate and bulk-collect mailboxes, including shared mailboxes, and cloud-hosted files; in a small number of cases it also read Teams conversations through the Teams web client. It sometimes enumerates the tenant's Entra ID configuration with the open-source AzureHound tool to pick further targets. Volume, not finesse, is the goal.

why it matters

Void Blizzard proves you don't need zero-days when mass-market infostealer logs and open-source AitM kits still work against unforced errors like phishable MFA (SMS codes, push approvals) and over-privileged mailboxes. Its success rate against critical infrastructure ups the pressure on defenders who already track a crowded Russian threat landscape.

cut their oxygen

Microsoft's guidance is familiar best practice, and it maps directly onto the intrusion chain here:

  • Enforce phishing-resistant MFA (FIDO2 keys, passkeys) instead of SMS codes or push approvals, which an AitM proxy relays without trouble.

  • Use Conditional Access sign-in and user risk policies to block or step up anomalous logins.

  • Monitor risky sign-in reports and non-owner mailbox access for replayed session cookies and bulk mailbox collection.

  • Rotate every credential touched by an infostealer infection and revoke the account's active sessions and refresh tokens; reimaging the endpoint alone leaves stolen cookies valid.
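Two checks that turn the "monitor risky sign-ins and non-owner mailbox access" item into something a SOC can run, as an added example (not Microsoft's tooling or the article's): a replayed AitM session cookie shows up in Entra sign-in logs as one sessionId used from a second IP shortly after the interactive MFA sign-in, and a mailbox export shows up in the unified audit log as a burst of MailItemsAccessed events against one mailbox. The records are constructed to mirror Entra sign-in and MailItemsAccessed audit fields (they are not real telemetry), and the window and threshold values are assumptions to tune per tenant.

```python
"""Added example: detections for AitM cookie replay and bulk mailbox collection.
Records are constructed; field names mirror Entra sign-in logs and the unified
audit log MailItemsAccessed event. Windows/thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}

# Constructed sign-in records: alice's session s-1 is replayed from a second IP.
SIGNINS = [
    {"userPrincipalName": "alice@example.org", "sessionId": "s-1", "isInteractive": True,
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-04-14T09:00:00Z"},
    {"userPrincipalName": "alice@example.org", "sessionId": "s-1", "isInteractive": False,
     "ipAddress": "198.51.100.77", "createdDateTime": "2025-04-14T09:07:00Z"},
    {"userPrincipalName": "bob@example.org", "sessionId": "s-2", "isInteractive": True,
     "ipAddress": "203.0.113.11", "createdDateTime": "2025-04-14T09:05:00Z"},
    {"userPrincipalName": "bob@example.org", "sessionId": "s-2", "isInteractive": False,
     "ipAddress": "203.0.113.11", "createdDateTime": "2025-04-14T09:20:00Z"},
]

# Constructed MailItemsAccessed records: alice's mailbox is bulk-read from the replay IP.
MAIL_AUDIT = [
    {"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.org", "UserId": "alice@example.org",
     "LogonType": 0, "ClientIPAddress": "198.51.100.77", "OperationCount": 300, "CreationTime": "2025-04-14T09:10:00Z"},
    {"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.org", "UserId": "alice@example.org",
     "LogonType": 0, "ClientIPAddress": "198.51.100.77", "OperationCount": 400, "CreationTime": "2025-04-14T09:12:00Z"},
    {"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "bob@example.org", "UserId": "bob@example.org",
     "LogonType": 0, "ClientIPAddress": "203.0.113.11", "OperationCount": 20, "CreationTime": "2025-04-14T09:21:00Z"},
    {"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "carol@example.org", "UserId": "svc-backup@example.org",
     "LogonType": 2, "ClientIPAddress": "203.0.113.50", "OperationCount": 50, "CreationTime": "2025-04-14T09:30:00Z"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def session_replays(signins, window=timedelta(hours=1)):
    """One Entra session is minted on the victim's browser; the same sessionId
    appearing from another IP inside the window means the cookie is being replayed."""
    by_session = defaultdict(list)
    for r in signins:
        by_session[(r["userPrincipalName"], r["sessionId"])].append(r)
    alerts = []
    for (upn, sid), recs in by_session.items():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        origin = next((r for r in recs if r["isInteractive"]), recs[0])
        for r in recs:
            dt = _ts(r["createdDateTime"]) - _ts(origin["createdDateTime"])
            if r["ipAddress"] != origin["ipAddress"] and timedelta(0) <= dt <= window:
                alerts.append({"user": upn, "sessionId": sid, "mfa_ip": origin["ipAddress"],
                               "replay_ip": r["ipAddress"],
                               "minutes_after_mfa": int(dt.total_seconds() // 60)})
    return alerts


def mailbox_bursts(audit, window=timedelta(minutes=10), threshold=500):
    """Sliding-window sum of OperationCount per (mailbox, accessor); a sum at or
    above the threshold is the footprint of a scripted mailbox export."""
    groups = defaultdict(list)
    for r in audit:
        if r["Operation"] == "MailItemsAccessed":
            groups[(r["MailboxOwnerUPN"], r["UserId"])].append(r)
    alerts = []
    for (mailbox, actor), recs in groups.items():
        recs.sort(key=lambda r: _ts(r["CreationTime"]))
        for i, r in enumerate(recs):
            end = _ts(r["CreationTime"])
            total = sum(x["OperationCount"] for x in recs[: i + 1]
                        if end - _ts(x["CreationTime"]) <= window)
            if total >= threshold:
                alerts.append({"mailbox": mailbox, "actor": actor, "items": total,
                               "ip": r["ClientIPAddress"],
                               "logon": LOGON_TYPES.get(r["LogonType"], "?")})
                break  # one alert per (mailbox, actor) is enough to triage
    return alerts


def non_owner_access(audit):
    """The non-owner mailbox access report: admin or delegate reads of any mailbox."""
    return sorted({(r["MailboxOwnerUPN"], r["UserId"], LOGON_TYPES.get(r["LogonType"], "?"))
                   for r in audit
                   if r["Operation"] == "MailItemsAccessed" and r["LogonType"] != 0})


if __name__ == "__main__":
    print("session replays:", session_replays(SIGNINS))
    print("mailbox bursts:", mailbox_bursts(MAIL_AUDIT))
    print("non-owner access:", non_owner_access(MAIL_AUDIT))
```

Joining the two outputs on IP is the useful pivot: the replay IP from the sign-in alert (198.51.100.77 in the constructed data) is the same ClientIPAddress doing the mailbox burst, which is exactly the cookie-theft-then-export chain described above.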

Credential hygiene and resistant auth controls still decide whether Void Blizzard grabs a toehold or bounces off your tenant. Patch the human layer first, then worry about shiny new exploits.