Microsoft Warns of Void Blizzard Cyber Espionage Surge


Microsoft has revealed new details about a stealthy Russia-linked cyber espionage group it calls Void Blizzard, which has spent the last year infiltrating defense, government, and critical infrastructure targets across North America and Europe. The company’s threat intelligence team published a technical deep-dive Tuesday, outlining how this state-sponsored group is quietly looting emails, cloud files, and even Microsoft Teams messages from victims tied to NATO member states and Ukraine.

Working in collaboration with Dutch intelligence agencies, Microsoft confirmed that Void Blizzard is exploiting a growing underground economy of infostealer malware. The group purchases stolen usernames and passwords harvested by commodity malware and uses them in password-spraying and adversary-in-the-middle (AitM) phishing attacks.

From Stolen Passwords to Full Cloud Takeover

In its latest wave of activity, Void Blizzard adopted a more surgical spear-phishing approach. Microsoft observed the hackers spoofing the Microsoft Entra login page using typosquatted domains. One particularly deceptive lure involved a malicious QR-code invitation to a fake European defense summit. Victims scanning the QR code unknowingly handed over credentials through a phishing kit powered by Evilginx, an open-source AitM framework capable of capturing login credentials, cookies, and session tokens.

According to Microsoft, the group’s modus operandi is alarmingly efficient: once they obtain valid credentials, they log into cloud services like Exchange Online and SharePoint, then automate bulk downloads of any emails and files the compromised account can access. This includes files from shared mailboxes or folders with delegated access permissions.
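The spray-then-log-in pattern described above can be surfaced from sign-in telemetry. The following is an added defender-side example, not code from Microsoft's report or any tool it names: it runs over a small constructed set of sign-in events (field names simplified from Entra ID sign-in logs, which is an assumption of the example), flags any source IP that fails against many distinct accounts in a short window, and lists which of those accounts later signed in successfully from the same IP.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data). Fields are a
# simplified stand-in for the userPrincipalName / ipAddress / status / time
# fields found in Entra ID sign-in logs.
SAMPLE_SIGNINS = [
    {"time": "2025-05-20T08:00:01Z", "upn": "alice@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T08:00:05Z", "upn": "bob@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T08:00:09Z", "upn": "carol@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T08:00:14Z", "upn": "dave@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T08:00:20Z", "upn": "erin@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-05-20T08:03:40Z", "upn": "dave@example.org", "ip": "203.0.113.7", "result": "success"},
    # A single user mistyping a password twice is normal and must not fire.
    {"time": "2025-05-20T08:01:00Z", "upn": "alice@example.org", "ip": "198.51.100.20", "result": "failure"},
    {"time": "2025-05-20T08:01:30Z", "upn": "alice@example.org", "ip": "198.51.100.20", "result": "success"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {ip: {"targets": [...], "takeover": [...]}} for every IP that
    failed against at least `min_users` distinct accounts inside `window`.
    "takeover" lists sprayed accounts that later succeeded from that IP,
    i.e. the credential-reuse-to-cloud-access sequence the report describes."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        failures = [e for e in evs if e["result"] == "failure"]
        # Slide a time window across the failures; stop at the first hit.
        for i, start in enumerate(failures):
            t0 = parse_time(start["time"])
            users = {e["upn"] for e in failures[i:] if parse_time(e["time"]) - t0 <= window}
            if len(users) >= min_users:
                succeeded = {e["upn"] for e in evs if e["result"] == "success"
                             and e["upn"] in users and parse_time(e["time"]) >= t0}
                findings[ip] = {"targets": sorted(users), "takeover": sorted(succeeded)}
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_SIGNINS).items():
        print(f"{ip}: sprayed {len(f['targets'])} accounts, later succeeded as {f['takeover']}")
```

Accounts that appear under "takeover" are the ones to prioritise for session revocation and credential reset, since a success following a spray from the same source is a far stronger signal than the failures alone.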

In some confirmed intrusions, Void Blizzard also accessed Microsoft Teams chats and messages using the Teams web client, deepening the group’s surveillance reach within targeted organizations.

Strategic Intelligence Collection with Military Implications

Microsoft believes the hackers are targeting specific organizations to gather wartime intelligence for Russian military or diplomatic planning. One case cited in the report involved a Ukrainian aviation agency, where Void Blizzard operated alongside other Russian APTs, highlighting a clear focus on aerospace and air-traffic control networks.

Once inside a network, the group uses legitimate Microsoft APIs, such as Graph API, to enumerate mailboxes, explore group memberships, and identify high-value data. Microsoft also flagged the use of AzureHound, a reconnaissance tool that maps Microsoft Entra ID configurations—including user roles, groups, and applications—to assist in privilege escalation or lateral movement.

Since mid-2024, Microsoft says Void Blizzard has successfully compromised organizations in the telecom, defense, healthcare, IT services, and digital infrastructure sectors. The group’s prolific activity across multiple industries poses a growing threat to NATO member states and Ukraine’s allies.

Redmond characterized the threat as an “ongoing cluster of global cloud abuse,” signaling a broader trend in state-sponsored espionage shifting to the cloud. Once compromised, these accounts often remain undetected as the attackers blend in using legitimate tools and permissions.

Microsoft’s disclosure adds yet another chapter to the rising concern over state-backed cloud espionage, where adversaries don’t break in—they log in.
