Microsoft: Russian hackers exploit to steal government data
Microsoft discovered a large-scale spear-phishing campaign launched by a Russia-backed hacker group that aims to gather intelligence by exploiting Remote Desktop Protocol () files attached to phishing emails. The attack targeted critical sectors worldwide, including government, defense, academic, and non-governmental organizations.
According to Microsoft's data, the Midnight Blizzard campaign began on [Year] [Month] [Day] and continued to affect targeted users in the UK, Europe, Australia, and Japan.
This activity marks a shift in Midnight Blizzard's methodology: it introduces signature profiles embedded within phishing emails, a technique that allows attackers to control target systems and obtain sensitive data.
Midnight Blizzard ( ), also known as or " ", is affiliated with the Russian Foreign Intelligence Service ( ) and has been engaged in intelligence collection since . Its targets primarily include government entities, non-governmental organizations, and providers, with its activity concentrated in the United States and Europe.
The group has previously used a variety of means to infiltrate targets, including credential theft, lateral movement within cloud environments, and supply chain intrusions. Notably, it used sophisticated malware such as and to penetrate the Joint Services ( ) environment, gaining long-term covert access to sensitive data.
The spear-phishing emails used in this campaign were highly targeted and impersonated well-known companies such as and . The emails carried embedded configuration profiles that prompted recipients to initiate a remote connection, thereby granting the attackers access to a range of system resources.
Microsoft reports that once the target opens the malicious file, a connection to the attacker-controlled server is established, giving it direct access to:
- Local files and directories
- Connected network drives and peripherals (such as smart cards, printers)
- Clipboard data and authentication mechanisms, such as and security keys
Through these connections, attackers can deploy additional malware, such as remote access trojans (), to maintain long-term access to infected devices and networks. Microsoft's analysis indicates that the resources and credentials of infected systems may be exposed to the attackers, potentially leading to broader compromise of the organization.
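The resource redirection described above is expressed as plain `name:type:value` settings inside the attached file. The following checker, added here as an example and not part of Microsoft's report, parses such a file and flags the settings that would hand the remote host access to the recipient's local drives, peripherals, clipboard and authentication devices; the sample file and its host name are constructed placeholders.

```python
# Added example (not from the report): flag resource-redirection settings in a .rdp file.
from typing import Dict, List

# Standard mstsc .rdp settings; a value of 1 enables the redirection.
RISKY_FLAGS = {
    "redirectdrives": "local drives and directories",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectclipboard": "clipboard",
    "redirectcomports": "COM ports",
    "redirectwebauthn": "WebAuthn / security keys",
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def assess_rdp(text: str) -> Dict[str, object]:
    """Return the remote host and every local resource the file would expose to it."""
    s = parse_rdp(text)
    exposed: List[str] = [desc for key, desc in RISKY_FLAGS.items() if s.get(key) == "1"]
    # "drivestoredirect" lists shared drives ("*" = all) even if redirectdrives is absent.
    if s.get("drivestoredirect") and RISKY_FLAGS["redirectdrives"] not in exposed:
        exposed.append(RISKY_FLAGS["redirectdrives"])
    return {"host": s.get("full address", ""), "exposed": exposed, "risky": bool(exposed)}

# Constructed sample resembling a lure file; the host is a placeholder, not a real indicator.
SAMPLE_RDP = """\
full address:s:rdp.example-placeholder.invalid
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:1
redirectwebauthn:i:1
authentication level:i:0
"""

if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP))
```

A mail gateway or endpoint scanner can apply the same check to quarantine attachments whose `full address` points outside the organization while any redirection flag is set.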
Microsoft shared key details of this activity, including the domains and addresses of the servers controlled by the attackers. The domains involved include compromised organizations across various sectors, while the filenames used in the phishing emails (such as "Compliance Check." and "Zero Trust Architecture Configuration.") serve as lures tailored to tech-savvy targets within the organization.
To defend against this threat, it is recommended that users employ firewalls to restrict outbound connections, implement phishing-resistant multi-factor authentication (MFA) using methods such as tokens, and enable tamper protection, network protection, and protection in .