The Russia-linked threat group known as APT28 has changed up its tactics to include Office 365 password-cracking and credential-harvesting.
Microsoft researchers have tied APT28 (a.k.a. Strontium, Sofacy or Fancy Bear) to this newly uncovered pattern of O365 activity, which began in April and is ongoing. The attacks have been aimed mainly at U.S. and U.K. organizations directly involved in political elections.
The APT often works to obtain valid credentials in order to mount espionage campaigns or move laterally through networks – in fact, Microsoft telemetry shows that the group launched credential-harvesting attacks against tens of thousands of accounts at more than 200 organizations between last September and June. Between August 18 and September 3, the group (unsuccessfully) targeted 6,912 O365 accounts belonging to 28 organizations.
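The pattern the article describes (thousands of accounts across many organizations, most attempts failing) is what a defender can look for in O365 sign-in telemetry. The following Python sketch is an added example, not from the article or from Microsoft's research: it flags a source that fails sign-ins against many distinct accounts inside one time window, and the comma-separated log layout, the source IPs and the account names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (timestamp, source IP, account, result); not real
# telemetry, and the field layout is an assumption made for this example.
SAMPLE_LOG = """\
2020-08-18T10:00:01Z,203.0.113.10,user01@example.org,Failure
2020-08-18T10:00:04Z,203.0.113.10,user02@example.org,Failure
2020-08-18T10:00:07Z,203.0.113.10,user03@example.org,Failure
2020-08-18T10:00:10Z,203.0.113.10,user04@example.org,Failure
2020-08-18T10:00:13Z,203.0.113.10,user05@example.org,Success
2020-08-18T10:00:16Z,203.0.113.10,user06@example.org,Failure
2020-08-18T11:30:00Z,198.51.100.7,user07@example.org,Failure
2020-08-18T11:30:20Z,198.51.100.7,user07@example.org,Failure
2020-08-18T11:30:40Z,198.51.100.7,user07@example.org,Success
"""


def parse_log(text):
    """Parse the constructed log into (datetime, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, account, result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {ip: (distinct_failed_accounts, accounts_that_succeeded)} for
    every source whose failed sign-ins touch at least min_accounts distinct
    accounts within one sliding window. A single account failing repeatedly
    (user07 above) is a lockout or a typo, not this pattern, and is not flagged."""
    by_ip = defaultdict(list)
    for when, ip, account, result in events:
        by_ip[ip].append((when, account, result))
    alerts = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            failed = {a for _, a, r in span if r == "Failure"}
            if len(failed) >= min_accounts:
                # Successes inside a spray window are the accounts to review first.
                hits = sorted(a for _, a, r in span if r == "Success")
                alerts[ip] = (len(failed), hits)
    return alerts
```

In a real deployment the same logic runs over Azure AD sign-in exports, with the threshold tuned to the tenant's normal failure volume.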