Amazon Strikes Back – Takedown of Russia’s APT29 Hacking Network Protects Users

Amazon’s threat intelligence team has recently disrupted a sophisticated watering hole campaign orchestrated by APT29, the infamous Russian state-linked hacking group also known as Midnight Blizzard.

Leveraging compromised websites and exploiting Microsoft’s device code authentication flow, the campaign sought to harvest credentials and expand the group’s global intelligence collection efforts.

Evolving APT29 Attack Playbook

The latest campaign marks a notable evolution in APT29’s tactics.

After being thwarted by Amazon in October 2024, when the hackers impersonated AWS domains to deliver Remote Desktop Protocol (RDP) phishing files, and by Google in June 2025 for launching targeted application-specific password (ASP) phishing against academics and political critics, the group has now shifted to watering hole attacks.

In these scenarios, attackers injected obfuscated JavaScript into legitimate websites, redirecting a targeted portion of visitors (approximately 10%) to malicious lookalike domains, such as findcloudflare[.]com, which mimicked Cloudflare verification pages.

Technical analysis of the campaign revealed several advanced evasion tricks:

  • Only a fraction of traffic was redirected to hinder detection.
  • Malicious JavaScript was concealed using base64 encoding.
  • Cookies were used to block repeat redirects of the same visitor.
  • The hackers quickly pivoted to new infrastructure when existing domains were blacklisted or blocked.
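The three evasion traits listed above (sampled redirects, base64-concealed script, and a cookie that suppresses repeat redirects) are also what a defender can look for when checking whether a site has been tampered with. The scanner below is an added example written for this article, not code from Amazon or from the campaign analysis. It decodes base64 runs inside inline scripts and flags a script whose redirect logic only appears after decoding, together with cookie gating or random sampling. The page fixture, the lookalike host and the injected snippet are constructed for the test and are not the campaign's actual code.

```python
import base64
import binascii
import re

# Constructed fixture: a stand-in for a compromised page. One ordinary inline
# script, one legitimate base64-wrapped config, and one injected loader whose
# base64 blob decodes to a gated redirect (sampled visitors, cookie to avoid
# repeats, lookalike host). Domain and script are invented for this example.
INJECTED_JS = (
    'if(Math.random()<0.1&&document.cookie.indexOf("cf_seen")<0){'
    'document.cookie="cf_seen=1";'
    'window.location.href="https://verify.example-lookalike.invalid/";}'
)
CONFIG_JSON = '{"theme":"dark","locale":"en-US","features":["search","comments"]}'


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


SAMPLE_HTML = f"""<html><body>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<script>var cfg = JSON.parse(atob("{_b64(CONFIG_JSON)}"));</script>
<p>Article body</p>
<script>var p="{_b64(INJECTED_JS)}";eval(atob(p));</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Behaviours the article attributes to the campaign, as regexes applied to
# script text both as served and after decoding any embedded base64 blobs.
INDICATORS = {
    "redirect": re.compile(r"location\s*(?:\.\s*(?:href|replace|assign)|=)"),
    "cookie_gate": re.compile(r"document\s*\.\s*cookie"),
    "sampling": re.compile(r"Math\s*\.\s*random\s*\("),
    "dynamic_eval": re.compile(r"\b(?:eval|Function|atob)\s*\("),
}


def decode_blobs(script: str) -> list[str]:
    """Return every base64 run in the script that decodes to readable text."""
    decoded = []
    for m in B64_RE.finditer(script):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
        if printable >= 0.95 * len(text):
            decoded.append(text)
    return decoded


def analyze_page(html: str) -> list[dict]:
    """Score each inline script. A redirect that is only visible after decoding,
    combined with cookie gating or visitor sampling, is flagged."""
    findings = []
    for idx, m in enumerate(SCRIPT_RE.finditer(html)):
        body = m.group(1)
        decoded = decode_blobs(body)
        visible = sorted(n for n, rx in INDICATORS.items() if rx.search(body))
        hidden = sorted(n for n, rx in INDICATORS.items()
                        if any(rx.search(t) for t in decoded))
        hosts = sorted({h for t in [body, *decoded] for h in URL_RE.findall(t)})
        flagged = "redirect" in hidden and bool({"cookie_gate", "sampling"} & set(hidden))
        findings.append({"script": idx, "visible": visible, "hidden": hidden,
                         "hosts": hosts, "flagged": flagged})
    return findings


def flagged_scripts(html: str) -> list[int]:
    """Indices of inline scripts that match the concealed-redirect pattern."""
    return [f["script"] for f in analyze_page(html) if f["flagged"]]


if __name__ == "__main__":
    for finding in analyze_page(SAMPLE_HTML):
        print(finding)
```

Run it against saved copies of your own site's pages (for example from a periodic crawl) and diff the hosts it extracts against your known third-party domains; the `dynamic_eval` indicator on its own is common in legitimate code, which is why only a decoded redirect plus gating raises the flag.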

Targeting Microsoft Authentication and Swift Countermeasures

The operation’s ultimate goal was to trick users into completing the Microsoft device code authentication process, letting attackers authorize their own devices on victims’ accounts.

Despite the advanced tradecraft, Amazon’s analytics flagged APT29-controlled infrastructure, leading to the disruption of their campaign.

Amazon moved rapidly to isolate the affected AWS systems, notified partners such as Cloudflare and Microsoft, and helped dismantle the domains and cloud resources used in the attacks.

After being blocked on AWS, APT29 attempted to switch to additional domains, including cloudflare[.]redirectpartners[.]com, to continue their credential-stealing operations. However, continued monitoring and cross-industry collaboration allowed further containment of the threat.

Safeguarding Organizations and End Users

Amazon urges vigilance against suspicious redirect chains, especially those disguised as security checks.

Both individuals and IT administrators should verify the legitimacy of device authentication requests, enable multi-factor authentication (MFA) across all accounts, and be cautious of prompts to execute unknown commands, especially those appearing in the Windows Run dialog, a tactic linked to the growing “ClickFix” attack technique.

Administrators should follow Microsoft’s recommendations by restricting device authentication flows, enforcing conditional access based on device and location, and monitoring new device authorizations.
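The last of those recommendations, monitoring new device authorizations, can be turned into a simple hunt over exported sign-in logs. The script below is an added example written for this article, not Microsoft's or Amazon's code. It assumes records in the shape of Microsoft Entra sign-in logs (the Microsoft Graph signIn resource, where a device code sign-in carries `authenticationProtocol` equal to `deviceCode`, and `deviceDetail`, `location` and `status` are nested objects); the users, IP addresses, device IDs and timestamps are constructed. It builds a per-user baseline of known devices and countries from ordinary interactive sign-ins, then raises an alert for every successful device code sign-in, with extra reasons when the device is unregistered or the country is new for that user.

```python
import json
from collections import defaultdict

# Constructed sign-in records in the shape of Microsoft Entra sign-in logs
# (Microsoft Graph signIn resource). Users, IPs, devices and times are invented.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-08-20T08:01:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","deviceDetail":{"deviceId":"d-alice-laptop"},"location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-08-20T08:15:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","deviceDetail":{"deviceId":"d-bob-laptop"},"location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-08-21T09:30:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.44","deviceDetail":{"deviceId":""},"location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-08-21T10:15:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","deviceDetail":{"deviceId":"d-bob-laptop"},"location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-08-21T11:00:00Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.45","deviceDetail":{"deviceId":""},"location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}}
"""


def parse_signins(text: str) -> list[dict]:
    """One JSON object per line, as an export of the sign-in log would give."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(records: list[dict]) -> tuple[dict, dict]:
    """Known devices and countries per user, taken from successful sign-ins
    that did NOT use the device code flow."""
    devices, countries = defaultdict(set), defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] == "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        device = r.get("deviceDetail", {}).get("deviceId") or ""
        if device:
            devices[user].add(device)
        country = r.get("location", {}).get("countryOrRegion")
        if country:
            countries[user].add(country)
    return devices, countries


def triage(text: str) -> dict:
    """Alert on every successful device code sign-in, enriched with whether the
    device and country were already seen for that user."""
    records = sorted(parse_signins(text), key=lambda r: r["createdDateTime"])
    devices, countries = build_baseline(records)
    alerts, failed = [], 0
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        if r["status"]["errorCode"] != 0:
            failed += 1          # failed attempts are counted, not alerted on
            continue
        user = r["userPrincipalName"]
        reasons = ["device_code_flow"]
        device = r.get("deviceDetail", {}).get("deviceId") or ""
        if not device:
            reasons.append("unregistered_device")
        elif device not in devices[user]:
            reasons.append(f"new_device:{device}")
        country = r.get("location", {}).get("countryOrRegion")
        if country and country not in countries[user]:
            reasons.append(f"new_country:{country}")
        alerts.append({
            "time": r["createdDateTime"],
            "user": user,
            "ip": r.get("ipAddress"),
            "reasons": reasons,
            "severity": "high" if len(reasons) >= 3 else "medium",
        })
    return {"alerts": alerts, "failed_device_code_attempts": failed}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2))
```

The baseline here is built from the same export it scans, which is adequate for a retrospective hunt; for continuous monitoring, feed it a longer history of interactive sign-ins so that a user's first device code sign-in from a familiar laptop is ranked below one from an unregistered device in a country that user has never signed in from.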

Key indicators of compromise from the campaign include the domains findcloudflare[.]com and cloudflare[.]redirectpartners[.]com.

Amazon’s swift, coordinated response is a reminder of the need for continued vigilance and cooperation as threat actors refine their techniques and expand their reach.

Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.