Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
Oct. 30, 2024, 11:08 p.m.
Description
On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a Let's Encrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings (local drives, clipboard, printers, smart cards and other devices) that are established when a successful connection to an RDP server occurs.
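As an added triage example (not part of this record or of Microsoft's reporting), the script below parses an .rdp attachment the way a mail-gateway or SOC script would: it reads the standard `key:type:value` settings, extracts the target host from `full address`, checks it against a subset of the indicator domains listed on this page, and reports which local-resource mappings (drive, clipboard, printer, smart card, COM port, PnP device redirection) the file would establish on connect. The setting names are the standard .rdp keys; the two sample files are constructed for the demo, and the indicator subset is copied from the Indicators list below.

```python
"""Triage an .rdp file: target host, indicator match, resource mappings (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Subset of the indicator domains listed on this page (constructed subset for the demo).
INDICATOR_DOMAINS = {
    "eu-central-1-aws.gov-sk.cloud",
    "us-east-1-aws.mfa-gov.cloud",
    "eu-west-3.mil-be.cloud",
}

# Standard .rdp settings that map local resources into the remote session,
# each with a predicate saying when the setting is enabled.
RESOURCE_MAPPINGS = {
    "drivestoredirect": lambda v: v != "",   # local drives; "*" means all drives
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "devicestoredirect": lambda v: v != "",  # PnP devices; "*" means all
}


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'key:type:value' lines into {key: (type, value)}; keys are lowercased."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a UTF-8/UTF-16 BOM remnant
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # value may itself contain colons (host:port)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def target_host(settings: dict[str, tuple[str, str]]) -> str:
    """Return the lowercased hostname from 'full address' (or the alternate), minus any port."""
    for key in ("full address", "alternate full address"):
        if key not in settings:
            continue
        addr = settings[key][1]
        host, sep, port = addr.rpartition(":")
        if sep and port.isdigit():
            return host.strip("[]").lower()  # "[::1]:3389" -> "::1", "host:3389" -> "host"
        return addr.strip("[]").lower()
    return ""


def matches_indicator(host: str, indicators: set[str]) -> bool:
    """Exact match or subdomain of any indicator domain."""
    return any(host == d or host.endswith("." + d) for d in indicators)


@dataclass
class Assessment:
    host: str
    indicator_hit: bool
    mappings: list[str]   # enabled resource mappings, in RESOURCE_MAPPINGS order
    remote_app: bool      # RemoteApp mode hides the desktop and shows one app window


def assess_rdp(text: str, indicators: set[str] = INDICATOR_DOMAINS) -> Assessment:
    s = parse_rdp(text)
    host = target_host(s)
    mappings = [k for k, enabled in RESOURCE_MAPPINGS.items() if k in s and enabled(s[k][1])]
    remote_app = s.get("remoteapplicationmode", ("i", "0"))[1] == "1"
    return Assessment(host, matches_indicator(host, indicators), mappings, remote_app)


# Constructed sample: an attachment pointing at a listed indicator domain with
# drives, clipboard, printers and smart cards mapped into the remote session.
SUSPICIOUS_RDP = """\
full address:s:eu-central-1-aws.gov-sk.cloud:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:0
"""

# Constructed sample: an internal jump host with all redirection disabled.
BENIGN_RDP = """\
full address:s:rds.corp.example
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
"""


def main() -> None:
    for label, text in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        a = assess_rdp(text)
        print(f"{label}: host={a.host} indicator_hit={a.indicator_hit} "
              f"mappings={a.mappings} remote_app={a.remote_app}")


if __name__ == "__main__":
    main()
```

Any file whose target host matches an indicator, or that enables drive or smart-card redirection toward a host outside the organisation, is worth quarantining and pulling the recipient list for; the `mappings` field tells the analyst exactly which local resources a click would have exposed.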
Tags
Date
- Created: Oct. 30, 2024, 10:04 p.m.
- Published: Oct. 30, 2024, 10:04 p.m.
- Modified: Oct. 30, 2024, 11:08 p.m.
Indicators
- us-west-2.ua-sec.cloud
- us-west-2.ua-energy.cloud
- us-west-2.gov-ua.cloud
- us-west-2-aws.ua-energy.cloud
- us-west-2-aws.s3-ua.cloud
- us-west-2-aws.mfa-gov.cloud
- us-west-1.ukrtelecom.cloud
- us-west-1.ua-gov.cloud
- us-west-1.ua-energy.cloud
- us-west-1.aws-ukraine.cloud
- us-west-1-aws.gov-ua.cloud
- us-west-1-amazon.ua-sec.cloud
- us-west-1-amazon.ua-mil.cloud
- us-west-1-amazon.ua-energy.cloud
- us-east-console.ua-energy.cloud
- us-east-2.ukrainesec.cloud
- us-east-console.aws-ukraine.cloud
- us-east-2.ua-sec.cloud
- us-east-2.gov-ua.cloud
- us-east-2.aws-ukraine.cloud
- us-east-2-aws.ukrtelecom.cloud
- us-east-2-aws.ua-gov.cloud
- us-east-2-aws.gov-ua.cloud
- us-east-1-aws.ua-sec.cloud
- us-east-1-aws.ua-gov.cloud
- us-east-1-aws.mfa-gov.cloud
- us-east-1-aws.s3-ua.cloud
- eu-west-3.ukrainesec.cloud
- eu-west-3.ukrtelecom.cloud
- eu-west-3.s3-ua.cloud
- eu-west-3.s3-be.cloud
- eu-west-3.mzv-sk.cloud
- eu-west-3.presidencia-pt.cloud
- eu-west-3.msz-pl.cloud
- eu-west-3.mindef-nl.cloud
- eu-west-3.minbuza.cloud
- eu-west-3.mil-pl.cloud
- eu-west-3.mil-be.cloud
- eu-west-3.aws-ukraine.cloud
- eu-west-3.amazonsolutions.cloud
- eu-west-3-aws.ua-mil.cloud
- eu-west-3-aws.s3-ua.cloud
- eu-west-3-aws.s3-be.cloud
- eu-west-3-aws.regeringskansliet-se.cloud
- eu-west-3-aws.quirinale.cloud
- eu-west-3-aws.mzv-sk.cloud
- eu-west-3-aws.msz-pl.cloud
- eu-west-3-aws.mindef-nl.cloud
- eu-west-3-aws.minbuza.cloud
- eu-west-3-aws.mil-pt.cloud
- eu-west-3-aws.mil-pl.cloud
- eu-west-3-aws.mil-be.cloud
- eu-west-3-aws.gov-trust.cloud
- eu-west-3-aws.gov-sk.cloud
- eu-west-3-aws.gov-pl.cloud
- eu-west-3-aws.difesa-it.cloud
- eu-west-3-aws.dep-no.cloud
- eu-west-2-aws.ua-sec.cloud
- eu-west-3-aws.aws-ukraine.cloud
- eu-west-2-aws.s3-ua.cloud
- eu-west-2-aws.s3-nato.cloud
- eu-west-2-aws.s3-esa.cloud
- eu-west-2-aws.s3-de.cloud
- eu-west-2-aws.s3-be.cloud
- eu-west-2-aws.quirinale.cloud
- eu-west-2-aws.mzv-sk.cloud
- eu-west-2-aws.mindef-nl.cloud
- eu-west-2-aws.msz-pl.cloud
- eu-west-2-aws.minbuza.cloud
- eu-west-2-aws.mil-be.cloud
- eu-west-2-aws.mil-pl.cloud
- eu-west-2-aws.gv-at.cloud
- eu-west-2-aws.gov-sk.cloud
- eu-west-2-aws.gov-pl.cloud
- eu-west-2-aws.difesa-it.cloud
- eu-west-2-aws.dep-no.cloud
- eu-west-2-aws.amazonsolutions.cloud
- eu-west-1.ukrtelecom.cloud
- eu-west-1.s3-ua.cloud
- eu-west-1.ua-gov.cloud
- eu-west-1.s3-esa.cloud
- eu-west-1.s3-de.cloud
- eu-west-1.mzv-sk.cloud
- eu-west-1.regeringskansliet-se.cloud
- eu-west-1.msz-pl.cloud
- eu-west-1.minbuza.cloud
- eu-west-1.mil-pl.cloud
- eu-west-1.gov-sk.cloud
- eu-west-1.mil-be.cloud
- eu-west-1.difesa-it.cloud
- eu-west-1.aws-ukraine.cloud
- eu-west-1-aws.ukrainesec.cloud
- eu-west-1-aws.ua-sec.cloud
- eu-west-1-aws.s3-nato.cloud
- eu-west-1-aws.s3-esa.cloud
- eu-west-1-aws.s3-de.cloud
- eu-west-1-aws.s3-be.cloud
- eu-west-1-aws.quirinale.cloud
- eu-west-1-aws.mil-pl.cloud
- eu-west-1-aws.minbuza.cloud
- eu-west-1-aws.mil-be.cloud
- eu-west-1-aws.gov-ua.cloud
- eu-west-1-aws.gov-trust.cloud
- eu-west-1-aws.gov-sk.cloud
- eu-west-1-aws.gov-pl.cloud
- eu-west-1-aws.aws-ukraine.cloud
- eu-west-1-aws.dep-no.cloud
- eu-west-1-aws.amazonsolutions.cloud
- eu-southeast-1-aws.ukrainesec.cloud
- eu-southeast-1-aws.ua-energy.cloud
- eu-southeast-1-aws.s3-ua.cloud
- eu-southeast-1-aws.s3-esa.cloud
- eu-southeast-1-aws.s3-de.cloud
- eu-southeast-1-aws.s3-be.cloud
- eu-southeast-1-aws.quirinale.cloud
- eu-southeast-1-aws.mzv-sk.cloud
- eu-southeast-1-aws.mzv-cz.cloud
- eu-southeast-1-aws.msz-pl.cloud
- eu-southeast-1-aws.mindef-nl.cloud
- eu-southeast-1-aws.mil-be.cloud
- eu-southeast-1-aws.mil-pl.cloud
- eu-southeast-1-aws.gov-trust.cloud
- eu-southeast-1-aws.gov-sk.cloud
- eu-southeast-1-aws.difesa-it.cloud
- eu-southeast-1-aws.amazonsolutions.cloud
- eu-southeast-1-aws.dep-no.cloud
- eu-southeast-1-aws.aws-ukraine.cloud
- eu-south-2.ukrainesec.cloud
- eu-south-2.ua-sec.cloud
- eu-south-2.s3-nato.cloud
- eu-south-2.s3-de.cloud
- eu-south-2.s3-esa.cloud
- eu-south-2.s3-be.cloud
- eu-south-2.mindef-nl.cloud
- eu-south-2.mil-be.cloud
- eu-south-2.mil-pl.cloud
- eu-south-2.gov-pl.cloud
- eu-south-2.gov-sk.cloud
- eu-south-2.dep-no.cloud
- eu-south-2-aws.s3-ua.cloud
- eu-south-2-aws.ua-gov.cloud
- eu-south-2-aws.s3-nato.cloud
- eu-south-2-aws.s3-esa.cloud
- eu-south-2-aws.s3-de.cloud
- eu-south-2-aws.s3-be.cloud
- eu-south-2-aws.quirinale.cloud
- eu-south-2-aws.regeringskansliet-se.cloud
- eu-south-2-aws.ncfta.cloud
- eu-south-2-aws.mzv-sk.cloud
- eu-south-2-aws.msz-pl.cloud
- eu-south-2-aws.minbuza.cloud
- eu-south-2-aws.mil-be.cloud
- eu-south-2-aws.mil-pt.cloud
- eu-south-2-aws.mil-pl.cloud
- eu-south-2-aws.gov-sk.cloud
- eu-south-2-aws.mfa-gov.cloud
- eu-south-2-aws.gov-pl.cloud
- eu-south-2-aws.dep-no.cloud
- eu-south-2-aws.amazonsolutions.cloud
- eu-south-1-aws.ua-gov.cloud
- eu-south-1-aws.s3-de.cloud
- eu-south-1-aws.s3-be.cloud
- eu-south-1-aws.quirinale.cloud
- eu-south-1-aws.mzv-sk.cloud
- eu-south-1-aws.minbuza.cloud
- eu-south-1-aws.mil-be.cloud
- eu-south-1-aws.mfa-gov.cloud
- eu-south-1-aws.gov-trust.cloud
- eu-south-1-aws.gov-pl.cloud
- eu-south-1-aws.difesa-it.cloud
- eu-south-1-aws.dep-no.cloud
- eu-south-1-aws.admin-ch.cloud
- eu-north-1.s3-ua.cloud
- eu-north-1.s3-de.cloud
- eu-north-1.s3-be.cloud
- eu-north-1.regeringskansliet-se.cloud
- eu-north-1.ncfta.cloud
- eu-north-1.mil-pl.cloud
- eu-north-1.mzv-sk.cloud
- eu-north-1.mil-be.cloud
- eu-north-1.gv-at.cloud
- eu-north-1.gov-ua.cloud
- eu-north-1.gov-trust.cloud
- eu-north-1.difesa-it.cloud
- eu-north-1-aws.ua-gov.cloud
- eu-north-1-aws.ua-energy.cloud
- eu-north-1-aws.s3-de.cloud
- eu-north-1-aws.s3-be.cloud
- eu-north-1-aws.regeringskansliet-se.cloud
- eu-north-1-aws.quirinale.cloud
- eu-north-1-aws.presidencia-pt.cloud
- eu-north-1-aws.minbuza.cloud
- eu-north-1-aws.ncfta.cloud
- eu-north-1-aws.mil-pl.cloud
- eu-north-1-aws.mil-be.cloud
- eu-north-1-aws.gov-sk.cloud
- eu-north-1-aws.gov-pl.cloud
- eu-north-1-aws.dep-no.cloud
- eu-north-1-aws.difesa-it.cloud
- eu-east-1-aws.ukrtelecom.cloud
- eu-east-1-aws.s3-de.cloud
- eu-east-1-aws.ua-sec.cloud
- eu-east-1-aws.ua-gov.cloud
- eu-east-1-aws.s3-be.cloud
- eu-east-1-aws.quirinale.cloud
- eu-east-1-aws.regeringskansliet-se.cloud
- eu-east-1-aws.msz-pl.cloud
- eu-east-1-aws.mzv-sk.cloud
- eu-east-1-aws.mindef-nl.cloud
- eu-east-1-aws.minbuza.cloud
- eu-east-1-aws.mil-pl.cloud
- eu-east-1-aws.mil-be.cloud
- eu-east-1-aws.gov-sk.cloud
- eu-east-1-aws.gov-ua.cloud
- eu-east-1-aws.dep-no.cloud
- eu-central-2-aws.ukrtelecom.cloud
- eu-east-1-aws.amazonsolutions.cloud
- eu-central-2-aws.ua-mil.cloud
- eu-central-2-aws.s3-be.cloud
- eu-central-2-aws.regeringskansliet-se.cloud
- eu-central-2-aws.ua-gov.cloud
- eu-central-2-aws.presidencia-pt.cloud
- eu-central-2-aws.mzv-sk.cloud
- eu-central-2-aws.msz-pl.cloud
- eu-central-2-aws.mindef-nl.cloud
- eu-central-2-aws.mil-pl.cloud
- eu-central-2-aws.mil-be.cloud
- eu-central-2-aws.gov-sk.cloud
- eu-central-2-aws.gov-pl.cloud
- eu-central-2-aws.dep-no.cloud
- eu-central-2-aws.aws-ukraine.cloud
- eu-central-2-aws.amazonsolutions.cloud
- eu-central-1.ua-gov.cloud
- eu-central-1.ukrtelecom.cloud
- eu-central-1.ua-sec.cloud
- eu-central-1.s3-nato.cloud
- eu-central-1.s3-be.cloud
- eu-central-1.s3-esa.cloud
- eu-central-1.regeringskansliet-se.cloud
- eu-central-1.quirinale.cloud
- eu-central-1.msz-pl.cloud
- eu-central-1.mindef-nl.cloud
- eu-central-1.minbuza.cloud
- eu-central-1.mil-pl.cloud
- eu-central-1.mil-be.cloud
- eu-central-1.mfa-gov.cloud
- eu-central-1-aws.ukrainesec.cloud
- eu-central-1.difesa-it.cloud
- eu-central-1-aws.ua-gov.cloud
- eu-central-1-aws.s3-ua.cloud
- eu-central-1-aws.s3-be.cloud
- eu-central-1-aws.regeringskansliet-se.cloud
- eu-central-1-aws.ncfta.cloud
- eu-central-1-aws.quirinale.cloud
- eu-central-1-aws.presidencia-pt.cloud
- eu-central-1-aws.mzv-sk.cloud
- eu-central-1-aws.mindef-nl.cloud
- eu-central-1-aws.msz-pl.cloud
- eu-central-1-aws.minbuza.cloud
- eu-central-1-aws.gov-trust.cloud
- eu-central-1-aws.mfa-gov.cloud
- eu-central-1-aws.gov-sk.cloud
- eu-central-1-aws.gov-pl.cloud
- eu-central-1-aws.amazonsolutions.cloud
- eu-central-1-aws.dep-no.cloud
- central-2-aws.ukrtelecom.cloud
- central-2-aws.ukrainesec.cloud
- central-2-aws.ua-sec.cloud
- central-2-aws.ua-mil.cloud
- ca-west-1.mfa-gov.cloud
- ca-west-1.ukrtelecom.cloud
- ca-west-1.aws-ukraine.cloud
- ca-central-1.ua-gov.cloud
- ca-central-1.gov-ua.cloud
- ap-northeast-1-aws.ukrainesec.cloud
- ap-northeast-1-aws.s3-ua.cloud
- totalconstruction.com.au
- townoflakelure.com
- swpartners.com.au
- cewalton.com
- sellar.co.uk
Attack Patterns
- HustleCon
- Midnight Blizzard
- T1115
- T1199
- T1021
- T1176
- T1566