Russian APTs: OAuth Abuse, RDP Phish, and Takedowns

Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest moves that buy real risk reduction.

Welcome to the Device-Code Bazaar: buy one phish, get a token free. No refunds after lateral movement.

TL;DR

Key Points

  • Block the top entry vectors by tightening OAuth “device code” flows and stripping risky legacy auth; this cuts credential theft and cloud takeovers.

  • Enforce phishing-resistant MFA (FIDO2/WebAuthn) to stop token theft at the gate; legacy MFA is not enough.

  • Hunt for malicious RDP file delivery and sudden cloud app consent spikes; these are reliable early tells.

  • Automate intel sharing and takedown playbooks with your vendors; faster disruption forces the adversary to burn time.

  • Plan for rapid actor adaptation with policy guardrails (tenant restrictions, consent governance) so pivots don’t become new gaps.

Jargon quick-defs: OAuth = token-based delegated access standard; MFA = multi-factor authentication; TTPs = tactics, techniques, and procedures.

The story in 60 seconds

From 2023–2025, APT29 (Midnight Blizzard), APT28 (Fancy Bear), and Sandworm pressed cloud identity weaknesses and classic social engineering. Two anchor events: an Oct 2024 spear-phish wave delivering weaponized .rdp files, and an Aug 2025 watering-hole using OAuth device code prompts to snatch tokens and move laterally.

What was different this time was defense. Cloud, social, and infrastructure providers aligned on data sharing and takedowns, compressing the attackers’ dwell time. That forced rapid infrastructure rotation and cost.

Sectors hit: government, cloud platforms, and critical infrastructure. Techniques mapped cleanly to MITRE ATT&CK: T1528 (OAuth abuse), T1566.002 (spear-phishing), T1021.001 (RDP), T1190 (web injection), T1486 (ransomware/wipers), T1583.001 (infra acquisition).


AlphaHunt



See it in your telemetry

Network

  • Outbound to unusual OAuth/identity endpoints or newly registered cloud apps; anomalous device code grant flows.
  • TLS to short-lived domains linked from watering-holes; sudden DNS churn tied to consent URIs.
  • RDP traffic spikes from non-management subnets.

Endpoint

  • New or modified “Remote Desktop” connection files and MSTSC invocations with embedded creds/addresses.
  • Browser token store access, abnormal OAuth refresh activity, and new device identities enrolling outside business hours.
  • Suspicious PowerShell/Office child-process chains post-phish.

Mail/IdP/SaaS

  • Delivery of .rdp attachments/links; lure themes tied to IT help or SSO resets.
  • “Consent to application,” “Service principal created,” “Enterprise app added,” scope elevations, or mass token issuance.
  • Admin approval requests originating from atypical geo/ASN.
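The three tells that recur across the network, endpoint and IdP lists above (device code grants from unmanaged or out-of-region devices, consent and app-registration bursts, and .rdp lures with IT-help themes) can be hunted with a few lines once the events are normalized. The following is an added example, not tooling from the page or from any of the vendors named here; the log lines are constructed, and the field names (`authenticationProtocol`, `deviceManaged`, `operation`, `attachments`) are modeled loosely on Entra ID sign-in/audit logs and a generic mail gateway log, so map them to your own schema before use.

```python
"""Hunt helpers for the device-code, consent-burst and RDP-lure tells.

Added example. Sample events are constructed; field names are assumed and
should be mapped onto your real sign-in, audit and mail telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, one JSON object per line (not real data).
SAMPLE_LOG = """
{"ts":"2025-08-12T09:02:11Z","source":"signin","user":"alice@example.test","authenticationProtocol":"deviceCode","deviceManaged":false,"country":"NL","ipAsn":"AS64500"}
{"ts":"2025-08-12T09:05:40Z","source":"signin","user":"bob@example.test","authenticationProtocol":"deviceCode","deviceManaged":true,"country":"US","ipAsn":"AS64496"}
{"ts":"2025-08-12T09:06:02Z","source":"signin","user":"carol@example.test","authenticationProtocol":"none","deviceManaged":false,"country":"US","ipAsn":"AS64496"}
{"ts":"2025-08-12T10:00:00Z","source":"audit","operation":"Consent to application","actor":"alice@example.test","target":"HelpDesk Sync"}
{"ts":"2025-08-12T10:01:30Z","source":"audit","operation":"Add service principal","actor":"alice@example.test","target":"HelpDesk Sync"}
{"ts":"2025-08-12T10:03:15Z","source":"audit","operation":"Consent to application","actor":"dave@example.test","target":"HelpDesk Sync"}
{"ts":"2025-08-12T14:30:00Z","source":"audit","operation":"Consent to application","actor":"erin@example.test","target":"Visio Viewer"}
{"ts":"2025-08-12T08:45:00Z","source":"mail","recipient":"alice@example.test","subject":"SSO reset required","attachments":["IT-Helpdesk-Access.rdp"]}
{"ts":"2025-08-12T08:46:00Z","source":"mail","recipient":"bob@example.test","subject":"Q3 numbers","attachments":["report.xlsx"]}
"""

EXPECTED_COUNTRIES = {"US"}  # constructed baseline: where this tenant's users normally sign in
CONSENT_OPS = {"Consent to application", "Add service principal", "Enterprise app added"}


def parse_events(text):
    """One JSON event per line; timestamps parsed so windows can be computed."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def device_code_from_unmanaged(events):
    """Device-code grants that did not come from a managed device, or came
    from outside the expected geo set. Returns (user, reasons) pairs."""
    hits = []
    for e in events:
        if e.get("source") != "signin" or e.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if not e.get("deviceManaged"):
            reasons.append("unmanaged device")
        if e.get("country") not in EXPECTED_COUNTRIES:
            reasons.append(f"geo {e.get('country')}")
        if reasons:
            hits.append((e["user"], reasons))
    return hits


def consent_bursts(events, window_minutes=10, threshold=3):
    """Per target app, the most consent-class audit events seen inside any
    sliding window; apps at or above the threshold are returned."""
    by_target = defaultdict(list)
    for e in events:
        if e.get("source") == "audit" and e.get("operation") in CONSENT_OPS:
            by_target[e["target"]].append(e["ts"])
    flagged = {}
    for target, stamps in by_target.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > window_minutes * 60:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[target] = peak
    return flagged


def rdp_lure_deliveries(events):
    """Mail with .rdp attachments; also notes whether the subject matches the
    IT-help / SSO-reset lure themes. Returns (recipient, rdp files, themed)."""
    lure_terms = ("sso", "reset", "helpdesk", "it support", "remote access")
    hits = []
    for e in events:
        if e.get("source") != "mail":
            continue
        rdp = [a for a in e.get("attachments", []) if a.lower().endswith(".rdp")]
        if rdp:
            themed = any(term in e.get("subject", "").lower() for term in lure_terms)
            hits.append((e["recipient"], rdp, themed))
    return hits


def hunt(text):
    events = parse_events(text)
    return {
        "device_code": device_code_from_unmanaged(events),
        "consent_bursts": consent_bursts(events),
        "rdp_lures": rdp_lure_deliveries(events),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_LOG).items():
        print(name, findings)
```

The consent-burst check keys on the target app rather than the actor on purpose: a watering hole sends many unrelated users to the same consent prompt, so the app name is the stable pivot while actors vary. Tune `EXPECTED_COUNTRIES`, the window and the threshold to your tenant's baseline before alerting on them.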

High Impact, Quick Wins

  • Lock down device code flows (today): Require managed/compliant device and step-up MFA for sensitive scopes; disable for high-risk users. Sell it: Stops no-prompt token theft. Measure it: Reduction in device code grants from unmanaged endpoints and geo-anomalies.

  • Move to phishing-resistant MFA (this quarter): FIDO2/WebAuthn for all admins and Tier-0 apps; phase to all users. Sell it: Cuts token replay and push fatigue. Measure it: % users on FIDO2; drop in MFA push prompts.

  • Govern consent and app registration (this sprint): Admin-only consent, verified publishers, and tenant restrictions. Sell it: Removes one-click data exfil paths. Measure it: Zero unreviewed enterprise apps; time-to-revoke token ≤15 minutes.
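The first quick win is only real if the policy that is supposed to gate device code flows is enforced, targets the right flow, covers everyone but break-glass accounts, and actually requires a managed device plus MFA (or blocks outright). The checker below is an added example, not the page's or Microsoft's code; the two policy dicts are constructed, and their shape follows the Microsoft Graph `conditionalAccessPolicy` resource as the author understands it (`state`, `conditions.authenticationFlows.transferMethods`, `grantControls`). Verify the field names against an export from your own tenant before relying on it.

```python
"""Audit exported Conditional Access policies for the device-code guardrail.

Added example. Policy objects are constructed; the field layout is assumed to
match the Graph conditionalAccessPolicy resource and should be checked
against a real export.
"""

# Constructed "weak" policy: report-only, targets the wrong flow, MFA-only,
# and carries exclusions nobody reviewed.
WEAK_POLICY = {
    "displayName": "Device code - report only (constructed weak example)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": ["breakglass-1", "svc-legacy-sync", "contractor-42"],
        },
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "authenticationTransfer"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed hardened policy: enforced, targets deviceCodeFlow, and requires
# a compliant device AND MFA for every user except the known break-glass account.
HARDENED_POLICY = {
    "displayName": "Device code flow: compliant device + MFA (constructed)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
}

ALLOWED_EXCLUSIONS = {"breakglass-1"}  # constructed: the tenant's reviewed break-glass accounts
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def audit_policy(policy):
    """Return a list of weaknesses; an empty list means the policy passes."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not enforced")

    cond = policy.get("conditions") or {}
    flows = cond.get("authenticationFlows") or {}
    # transferMethods is assumed to be a comma-separated flag string.
    methods = {m.strip() for m in flows.get("transferMethods", "").split(",") if m.strip()}
    if "deviceCodeFlow" not in methods:
        findings.append("authenticationFlows does not target deviceCodeFlow")

    users = cond.get("users") or {}
    if "All" not in users.get("includeUsers", []):
        findings.append("policy does not include all users")
    unreviewed = set(users.get("excludeUsers", [])) - ALLOWED_EXCLUSIONS
    if unreviewed:
        findings.append(f"unreviewed exclusions: {sorted(unreviewed)}")

    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    strong = "block" in controls or (
        grant.get("operator") == "AND"
        and "mfa" in controls
        and bool(controls & DEVICE_CONTROLS)
    )
    if not strong:
        findings.append("grant controls neither block nor require managed device AND mfa")
    return findings


def device_code_guarded(policies):
    """True if at least one policy in the export passes every check."""
    return any(not audit_policy(p) for p in policies)


if __name__ == "__main__":
    for policy in (WEAK_POLICY, HARDENED_POLICY):
        print(policy["displayName"], audit_policy(policy) or "OK")
```

Run it against a periodic policy export and treat a non-empty `audit_policy` result on the policy you rely on as drift; the "Measure it" metric above (device code grants from unmanaged endpoints) should trend toward zero once the hardened shape is in place.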



Breaches

1. (Breach Date 2025-08) – Amazon, Microsoft, and Cloudflare Disrupt APT29 (Midnight Blizzard) Watering Hole Campaign

Description:
In August 2025, Amazon, Microsoft, and Cloudflare collaborated to disrupt a Russian state-sponsored campaign by APT29 (Midnight Blizzard/Cozy Bear). Attackers compromised legitimate websites, injecting JavaScript to redirect a subset of visitors to attacker-controlled domains mimicking Cloudflare and Microsoft authentication pages. The goal was to trick users into authorizing attacker-controlled devices via Microsoft’s device code authentication flow, granting access to Microsoft 365 accounts and sensitive data. Amazon’s threat intelligence team identified the infrastructure, isolated malicious EC2 instances, and, in partnership with Microsoft and Cloudflare, seized domains and blocked traffic. The campaign demonstrated APT29’s evolving tradecraft, including rapid infrastructure migration and advanced evasion techniques.

Technical Analysis:

  • Attack vector(s): Watering hole attacks, JavaScript injection, device code phishing, OAuth abuse.
  • Mitigation techniques: Domain seizure, infrastructure isolation, cross-provider intelligence sharing, user notification, authentication hardening.
  • Inter-provider protocols: Real-time intelligence sharing, joint infrastructure takedown, coordinated public advisories.
  • Impact: The disruption immediately halted credential theft, forced APT29 to rapidly migrate infrastructure, and exposed their evolving TTPs. The campaign’s exposure led to increased vigilance and improved detection rules across the ecosystem.
  • Lessons learned: Persistent, cross-provider response is essential; adversaries adapt quickly, requiring ongoing monitoring and collaboration.

Actionable Takeaways:

  1. Implement strict OAuth and device code authentication policies; monitor for anomalous device authorizations.
  2. Establish and maintain cross-provider threat intelligence sharing protocols for rapid response.
  3. Educate users on verifying authentication prompts and recognizing social engineering tactics.
  4. Harden cloud and web infrastructure against JavaScript injection and domain abuse.

Impact:
After the takedown, APT29 attempted to migrate to new infrastructure, but the rapid, coordinated response forced them to expend additional resources and delayed further credential theft. The exposure of their TTPs led to improved detection and prevention across the cloud ecosystem.


2. (Breach Date 2024-10) – Microsoft, Amazon, and CERT-UA Disrupt Midnight Blizzard (APT29) RDP Spear-Phishing Campaign

Description:
In October 2024, Microsoft, Amazon, and Ukraine’s CERT-UA identified and disrupted a spear-phishing campaign by APT29 targeting government, defense, and NGO sectors globally. The campaign used highly targeted emails with malicious, signed RDP configuration files, which, when opened, connected victims’ devices to attacker-controlled servers, exposing credentials and enabling malware installation. The campaign leveraged compromised email infrastructure and referenced multiple cloud providers in phishing lures. Microsoft and Amazon shared indicators of compromise, detection rules, and coordinated notifications to affected organizations.

Technical Analysis:

  • Attack vector(s): Spear-phishing with malicious RDP files, credential harvesting, lateral movement via cloud trust chains.
  • Mitigation techniques: Automated detection and blocking of malicious RDP files, endpoint and email security hardening, user education, cross-provider notification.
  • Inter-provider protocols: Joint publication of IOCs, hunting queries, public advisories, direct customer notifications.
  • Impact: The disruption prevented further credential theft and lateral movement, and the rapid sharing of IOCs improved detection across multiple providers. APT29 shifted to new phishing lures and infrastructure, but the ecosystem’s response time improved.
  • Lessons learned: Attackers exploit trust in cloud and email ecosystems; rapid, transparent cross-provider response is critical.

Actionable Takeaways:

  1. Block or restrict outbound RDP connections to external networks.
  2. Deploy advanced anti-phishing and endpoint detection solutions.
  3. Use phishing-resistant MFA and conditional access policies.
  4. Share IOCs and detection rules across providers and sectors.

Impact:
The campaign’s exposure led to a measurable reduction in successful spear-phishing attempts and improved detection speed for similar TTPs.
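The mailed .rdp files in this campaign work because a connection file can silently hand the remote host the victim's drives, clipboard and smart cards, and a signature only proves the file was not altered. A mail-gateway or EDR triage step can parse the plain `name:type:value` format and score those settings. This is an added example, not the detection rule Microsoft or Amazon published; the two sample files are constructed (the hostnames are placeholders, not indicators), and `INTERNAL_SUFFIXES` is an assumed allow-list of sanctioned RDP targets.

```python
"""Triage .rdp attachments: parse the key:type:value format and flag settings
that expose the local machine to the remote host.

Added example. Sample files and the internal host suffix are constructed;
setting names are the standard RDP file settings.
"""

# Constructed sample resembling a mailed connection file (placeholder host).
SAMPLE_RDP = """\
full address:s:rdp.example-lure.test:3389
username:s:
remoteapplicationmode:i:1
remoteapplicationname:s:Helpdesk Portal
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
devicestoredirect:s:*
redirectsmartcards:i:1
promptcredentialonce:i:0
signscope:s:Full Address,Drive Store Direct,Redirect Clipboard
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

# Constructed benign file pointing at a sanctioned internal jump host.
BENIGN_RDP = "full address:s:jump01.corp.example.test\nredirectclipboard:i:0\n"

INTERNAL_SUFFIXES = ("corp.example.test",)  # assumed allow-list of sanctioned RDP hosts


def parse_rdp(text):
    """Each line is `name:type:value`; type is s (string) or i (integer).
    Values may themselves contain ':' (host:port), so split at most twice."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # tolerate junk lines; this is triage, not a validator
        name, kind, value = parts
        if kind == "i" and value.lstrip("-").isdigit():
            settings[name.lower()] = int(value)
        else:
            settings[name.lower()] = value
    return settings


def assess_rdp(settings):
    """Return the risky properties found; each one is a reason for analyst review."""
    findings = []
    host = settings.get("full address", "")
    hostname = host.split(":")[0]  # strips a trailing port (IPv4/DNS form)
    if hostname and not hostname.endswith(INTERNAL_SUFFIXES):
        findings.append(f"external target {hostname}")
    if settings.get("drivestoredirect"):
        findings.append("local drives redirected to the remote host")
    if settings.get("devicestoredirect"):
        findings.append("plug-and-play devices redirected")
    if settings.get("redirectclipboard") == 1:
        findings.append("clipboard shared with the remote host")
    if settings.get("redirectsmartcards") == 1:
        findings.append("smart cards redirected")
    if settings.get("remoteapplicationmode") == 1:
        findings.append("RemoteApp mode: session presents as a local application window")
    if settings.get("signature"):
        findings.append("file carries a signature; it proves integrity, not legitimacy")
    return findings


def should_quarantine(text, threshold=3):
    """Hold the attachment for review once enough risky properties stack up."""
    return len(assess_rdp(parse_rdp(text))) >= threshold


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        print(label, should_quarantine(sample), assess_rdp(parse_rdp(sample)))
```

The threshold is deliberately additive: an external host alone is common in legitimate vendor access, but an external host plus drive, clipboard and smart-card redirection in a file nobody requested is the shape of the lure described above. Pair this with the outbound-RDP restriction in the takeaways so a file that slips past triage still cannot complete the connection.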


3. (Breach Date 2023-2025) – APT28 (Fancy Bear) Disruption: Meta, Cloudflare, and Partners

Description:
From 2023–2025, Meta (Facebook), Cloudflare, and partners collaborated to disrupt APT28’s credential theft and influence operations targeting Western logistics, technology, and maritime supply chains supporting Ukraine. APT28 used phishing, backdoors (e.g., NotDoor), and domain impersonation to compromise targets. Meta’s quarterly threat reports and Cloudflare’s technical advisories detail the use of automated account and domain takedown, legal action, and public transparency reports. Cloudflare and Meta shared real-time abuse data, coordinated legal filings, and published joint advisories.

Technical Analysis:

  • Attack vector(s): Social media phishing, domain impersonation, backdoor malware (e.g., NotDoor), supply chain compromise.
  • Mitigation techniques: Automated account and domain takedown, legal action, public transparency reports, technical detection rules (e.g., Sigma rules for NotDoor).
  • Inter-provider protocols: Real-time abuse reporting, joint legal filings, automated threat intelligence feeds, public advisories.
  • Impact: The disruption reduced the reach of APT28’s campaigns, forced the group to rotate infrastructure more frequently, and improved user protection. The legal and technical frameworks enabled rapid cross-jurisdictional action.
  • Lessons learned: Legal and policy frameworks are essential for rapid, cross-jurisdictional action; technical detection rules must be updated as adversaries adapt.

Actionable Takeaways:

  1. Establish legal agreements for rapid domain and account takedown.
  2. Share abuse data and threat intelligence in real time.
  3. Publish regular transparency reports to inform the public and ecosystem.

Impact:
After disruptions, APT28 shifted to new malware variants and infrastructure, but the frequency and impact of successful campaigns decreased, and detection speed improved.


4. (Breach Date 2023-2025) – Sandworm (APT44) and Hybrid State-Criminal Operations: Google TAG, Mandiant, and Partners

Description:
Google TAG, Mandiant, and partners have tracked and disrupted Russian GRU-linked Sandworm (APT44) operations targeting Ukraine and Europe. Sandworm leveraged commodity malware, ransomware, and wipers (e.g., NotPetya, Prestige) sourced from cybercrime communities. Cross-provider efforts included rapid takedown of malicious domains, sharing of IOCs, and coordinated public advisories. Google TAG’s transparency reports and joint advisories with government agencies highlighted the importance of multi-vendor collaboration and the blending of state and criminal TTPs.

Technical Analysis:

  • Attack vector(s): Phishing, commodity malware (e.g., SmokeLoader, RADTHIEF), ransomware, destructive wipers, domain abuse.
  • Mitigation techniques: Domain takedown, automated threat intelligence sharing, public-private joint advisories, technical detection rules.
  • Inter-provider protocols: Automated feeds, joint task forces, legal mechanisms for domain seizure, public advisories.
  • Impact: Disruptions forced Sandworm to rely more on criminal toolkits, increased operational costs, and improved victim protection. The blending of state and criminal TTPs complicated attribution but also exposed operational dependencies.
  • Lessons learned: Persistent, multi-vendor collaboration is required to counter adaptive state actors; technical and legal frameworks must evolve to address hybrid threats.

Actionable Takeaways:

  1. Participate in automated threat intelligence sharing platforms.
  2. Coordinate with government and industry partners for rapid takedown.
  3. Maintain transparency with public advisories and victim notifications.

Impact:
Sandworm’s reliance on criminal infrastructure increased after disruptions, but the frequency and impact of successful attacks decreased, and detection speed improved.


5. (Breach Date 2023-2025) – ISAC/CERT-Led Public-Private Disruptions (Multiple Sectors)

Description:
Sector-specific Information Sharing and Analysis Centers (ISACs), CERTs, and public-private partnerships have played a critical role in disrupting state-sponsored campaigns across healthcare, finance, and energy. These models leverage automated intelligence sharing, joint incident response, and coordinated legal action to reduce risk and impose costs on adversaries. The FS-ISAC 2024 report details frameworks for cryptographic agility, transition governance, and technical protocols for sector-wide resilience.

Technical Analysis:

  • Attack vector(s): Sector-specific phishing, ransomware, supply chain attacks, cryptographic vulnerabilities.
  • Mitigation techniques: Automated threat feeds, joint incident response, sector-wide advisories, cryptographic agility frameworks, technical playbooks.
  • Inter-provider protocols: ISAC platforms, CERT coordination, government-industry task forces, technical standards for cryptographic agility.
  • Impact: Faster detection and response, reduced victim impact, and increased adversary deterrence. Legal harmonization and technical standards remain ongoing challenges.
  • Lessons learned: Ecosystem-wide collaboration is essential for resilience; legal harmonization and technical standards are critical for rapid cross-border action.

Actionable Takeaways:

  1. Join and actively participate in sector ISACs and CERTs.
  2. Develop joint playbooks for incident response and legal action.
  3. Advocate for harmonized legal frameworks and technical standards.

Impact:
ISAC/CERT-led disruptions have led to measurable reductions in victimization, improved detection speed, and the evolution of public-private partnership models.


Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

(Subscribers Only)