Microsoft Issues Alert on Void Blizzard Hackers Targeting Telecommunications and IT Sectors

Microsoft has issued a critical security alert regarding a surge in global cloud abuse activities orchestrated by the threat actor group known as Void Blizzard, also designated as LAUNDRY BEAR.

Tracked by Microsoft’s Threat Intelligence Center and assessed with high confidence to be Russia-affiliated, Void Blizzard has demonstrated a marked expansion in operations since April 2024.

The group’s activities, while global in reach, have shown a disproportionate focus on NATO member states and Ukraine, with persistent targeting of sectors vital to national infrastructure, most notably communications, telecommunications, government, transportation, media, non-governmental organizations, healthcare, and IT.

Persistent Credential Theft Underscores Threat

Void Blizzard’s tactics have evolved considerably in recent months, as observed in a major spear phishing campaign in April 2025.

The campaign targeted over 20 non-governmental organizations across Europe and the U.S., leveraging typosquatted domains to spoof the Microsoft Entra authentication portal and lure victims with invitations to high-profile events.

The phishing emails included PDF attachments containing malicious QR codes, which, when scanned, redirected users to authentic-looking credential harvesting pages hosted on the attackers’ infrastructure.

[Figure: Phishing email body]

Microsoft’s analysis indicates that the group utilized the open-source Evilginx adversary-in-the-middle (AitM) phishing kit to intercept authentication credentials and session cookies, allowing attackers to bypass multi-factor authentication and gain persistent access to targeted networks.

Void Blizzard’s initial access techniques remain largely unsophisticated, relying heavily on password-spraying and the use of credentials procured through criminal infostealer ecosystems.

More recently, the group has supplemented these methods with increasingly targeted spear phishing, reflecting an adaptation in their operational approach that raises the risk for organizations in high-value sectors.
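A defender-side illustration of the password-spraying pattern described above, as an added example that is not from Microsoft’s report or this article: a small Python detector that flags a source IP failing sign-in against many distinct accounts within a short window, run over constructed records modelled on Entra ID sign-in log fields (the field names, the error code 50126 for an invalid username or password, the threshold values and all sample values are assumptions for this example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Entra ID sign-in log fields
# (userPrincipalName, ipAddress, createdDateTime, status.errorCode).
# 50126 = invalid username or password; 0 = success. All values are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": f"user{i}@example.org", "ipAddress": "203.0.113.10",
     "createdDateTime": f"2025-04-10T09:{i:02d}:00Z", "status": {"errorCode": 50126}}
    for i in range(1, 13)
] + [
    # the spray later succeeds against one of the sprayed accounts from the same IP
    {"userPrincipalName": "user7@example.org", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-04-10T09:14:00Z", "status": {"errorCode": 0}},
    # an unrelated user mistyping a password twice from another IP (benign)
    {"userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.5",
     "createdDateTime": "2025-04-10T09:05:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.5",
     "createdDateTime": "2025-04-10T09:06:00Z", "status": {"errorCode": 50126}},
]


def detect_password_spray(signins, min_users=10, window=timedelta(hours=1)):
    """Return {ip: (distinct_failed_users, compromised_users)} for every IP whose
    failed sign-ins span at least min_users distinct accounts inside one sliding
    window, together with sprayed accounts that later succeed from that IP."""
    by_ip = defaultdict(list)
    for rec in signins:
        ts = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_ip[rec["ipAddress"]].append((ts, rec["userPrincipalName"], rec["status"]["errorCode"]))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(ts, upn) for ts, upn, code in events if code == 50126]
        # sliding window: most distinct accounts failing within `window` of one failure
        best = 0
        for i, (start, _) in enumerate(failures):
            users = {upn for ts, upn in failures[i:] if ts - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            sprayed = {upn for _, upn in failures}
            hits = sorted({upn for _, upn, code in events if code == 0 and upn in sprayed})
            findings[ip] = (best, hits)
    return findings


if __name__ == "__main__":
    for ip, (n, hits) in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"{ip}: {n} distinct accounts failed; later successes: {hits or 'none'}")
```

A success from an IP that was just spraying is the event worth paging on; the single-user failures from the second IP are deliberately left below threshold.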

[Figure: Credential phishing page on actor infrastructure]

Escalating Post-Compromise Cloud Exploitation

Once inside a target environment, Void Blizzard rapidly exploits legitimate cloud services, especially Microsoft Exchange Online and the Microsoft Graph APIs, to enumerate user mailboxes and cloud-hosted files.

Microsoft’s investigation revealed that the hackers frequently automate bulk data exfiltration, focusing on emails, files, and other documents that compromised accounts can access.

In several incidents, Void Blizzard also accessed Microsoft Teams conversations and conducted enumeration of the target’s Entra ID configuration using publicly available tools like AzureHound, mapping internal structures to facilitate deeper infiltration and intelligence gathering.

The group’s interest in aviation and air traffic control organizations has been consistent, with multiple incidents involving password spray attacks on NATO member states’ aviation agencies, following similar campaigns by other Russian state-linked actors.

This pattern of targeting reflects enduring intelligence collection priorities aligned with Russia’s strategic objectives, particularly in the context of ongoing military and humanitarian support to Ukraine.

Microsoft extended its gratitude to the Netherlands’ AIVD and MIVD agencies and the US Federal Bureau of Investigation, whose collaboration has been instrumental in uncovering Void Blizzard’s infrastructure and raising awareness across the cyber defense community.

The company’s report urges organizations, especially those in the telecommunications and IT sectors, to review their credential protection controls, strengthen cloud access policies, and remain vigilant against both commodity infostealer activity and increasingly sophisticated phishing campaigns.

Despite a lack of novelty in Void Blizzard’s attack methods, Microsoft warns that the persistent use of even basic tactics, when executed at scale by a determined adversary, can result in widespread compromise and intelligence loss.

The enduring risk posed by Void Blizzard highlights the necessity for continuous vigilance, cross-sector collaboration, and rapid implementation of advanced security measures to disrupt and defend against nation-state cyber threats.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
