August 16, 2022

The Microsoft Threat Intelligence Center (MSTIC) has disrupted the activities of a Russian-linked threat actor targeting people and organizations in NATO countries.

Identified as SEABORGIUM by Microsoft, by Google as ColdRiver, and by Proofpoint as TA446, the campaign seeks to steal sensitive emails from organizations and individuals of interest to Russia.

Microsoft was able to disrupt SEABORGIUM’s campaigns by disabling accounts used for monitoring, phishing and email collection.

In order to carry out attacks, SEABORGIUM creates online personas via email, social media and LinkedIn accounts that are used in social engineering campaigns. These fake personas are then used to target victims.

Using the fake persona, the attackers build a relationship with the victims, which ultimately leads to the attackers sending a phishing attachment.

According to Microsoft, these malicious attachments are spread via emails with attached PDFs, links to file hosting services, or OneDrive accounts hosting the PDF documents.

After accessing a targeted email account, Microsoft claims that they either steal emails and attachments, or set forwarding rules to receive all new emails sent to the compromised account.

To protect against this type of attack, defenses should disable automatic email forwarding in Microsoft 365, use IOCs to investigate potential compromises, require MFA for all accounts, and require FIDO security keys for greater security.

The sources for this piece include an article in BleepingComputer.