top of page
  • Writer's pictureNexix Security Labs

Microsoft Issues a Warning Regarding Phishing Attacks by Russia-Linked Hackers

Microsoft said on Monday that it has made efforts to interrupt phishing activities carried out by a "very persistent threat actor" whose goals are closely aligned with Russian state interests.

The espionage-related activity cluster is being tracked by the business under the chemical element-themed pseudonym SEABORGIUM, which it claims overlaps with a hacker group also known as Callisto, COLDRIVER, and TA446.

"SEABORGIUM incursions have also been connected to hack-and-leak activities, in which stolen and released material is used to shape narratives in targeted nations," according to Microsoft's threat hunting teams. Its tactics include persistent phishing and credential theft campaigns, which result in intrusions and data theft.

The adversary group's attacks are known to target the same companies over and over again, allowing them to penetrate the victims' social networks using a combination of impersonation, rapport-building, and phishing.

According to Microsoft, there were "only minor differences" in their social engineering tactics and how they delivered the initial infected URL to their targets.

Defense and intelligence consulting firms, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), think tanks, and higher education institutions in the United States and the United Kingdom, as well as, to a lesser extent, in the Baltics, Nordics, and Eastern Europe, are primary targets.

Former intelligence personnel, Russian affairs specialists, and Russian individuals living abroad are also targets of attention. Since the beginning of 2022, it is anticipated that more than 30 organizations and personal accounts have been targeted by its efforts.


It all begins with a reconnaissance of possible individuals using fictitious personas generated on social media sites such as LinkedIn, followed by contact with them via innocent email missives emanating from newly-registered accounts designed to match the identities of the impersonated persons.

If the target falls prey to the social engineering effort, the threat actor initiates the attack sequence by sending a weaponized message with a booby-trapped PDF document or a link to a file housed on OneDrive included in it.

"SEABORGIUM also leverages OneDrive to store PDF files with a link to the malicious URL," Microsoft stated. The actors add a OneDrive link in the email's body, which, when clicked, links the user to a PDF file housed within a SEABORGIUM-controlled OneDrive account.

Furthermore, the adversary has been discovered to conceal its operational architecture by using seemingly innocent open redirects to route visitors to the malicious server, which then requests that they submit their credentials to see the material.

The last stage of an attack involves using stolen credentials to get access to the victim's email accounts; using illegal logins to exfiltrate emails and attachments; setting up email forwarding rules to assure continuous data gathering, and other follow-up operations.

For more information visit us on:

To schedule an audit you can contact us at:

Your Security | Our Concern



bottom of page