Microsoft Outlook was targeted more than 10,000 times this summer by a single threat actor believed to be aligned with Russia, a cybersecurity analyst says.
Proofpoint unveiled its latest research on December 5th, announcing that a group it tracks as TA422, aka Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta, was seen attempting to break into the same accounts daily.
This appears to be a continuation of an earlier campaign begun by TA422 in March, which was launched against “a variety of organizations in Europe and North America.” The threat group has been linked by US intelligence to its Russian counterpart, the GRU.
The more recent campaign marks a departure from the old in terms of its sheer scale, with Proofpoint saying it “observed a significant deviation from expected volumes of emails sent in campaigns exploiting CVE-2023-23397 – a Microsoft Outlook elevation of privilege vulnerability.”
Proofpoint observed thousands of emails being sent from a single email provider to defense, aerospace, technology, government, and manufacturing targets, with smaller volumes aimed at higher education, construction, and consulting.
“Our researchers initially observed small numbers of emails attempting to exploit this vulnerability,” said Proofpoint. “The first surge in activity caught our attention partly due to all the emails pointing to the same listener server, but mostly due to the volume.”
Describing the campaign as much larger than typical nation-state espionage attacks on its radar, Proofpoint said it “observed over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability, targeting the same accounts daily during the late summer.”
Proofpoint said it believes TA422 took a scattershot approach to gaining access to the targeted systems, repeatedly casting its net as widely as possible.
However, the analyst is unsure whether this was “an informed effort to collect target credentials,” or why the threat group was retargeting entities in the higher education and manufacturing sectors that it had already gone after in the earlier campaign this year.
Based upon the available campaign data, Proofpoint says it “suspects that these entities are priority targets and as a result, the threat actor attempted broad, lower-effort campaigns regularly to try and gain access.”
Microsoft has issued a patch and warning to all its users, urging them to update their systems as soon as possible.