{"id":136186,"date":"2024-10-29T12:00:00","date_gmt":"2024-10-29T19:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=136186"},"modified":"2024-11-08T07:06:14","modified_gmt":"2024-11-08T15:06:14","slug":"midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/","title":{"rendered":"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files"},"content":{"rendered":"\n<p>Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection. Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft.<\/p>\n\n\n\n<p>The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server. In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees. The threat actor also referenced other cloud providers in the phishing lures. <\/p>\n\n\n\n<p>While this campaign focuses on many of Midnight Blizzard\u2019s usual targets, the use of a signed RDP configuration file to gain access to the targets\u2019 devices represents a novel access vector for this actor. Overlapping activity has<a> <\/a>also been reported by the Government Computer Emergency Response Team of Ukraine (CERT-UA) under the designation <a href=\"https:\/\/cert.gov.ua\/article\/6281076\">UAC-0215<\/a> and also by <a href=\"https:\/\/aws.Alpha XR\/blogs\/security\/amazon-identified-internet-domains-abused-by-apt29\/\">Amazon<\/a>.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/tag\/midnight-blizzard-nobelium\/\">Midnight Blizzard<\/a> is a Russian threat actor attributed by the <a href=\"https:\/\/www.nsa.gov\/Press-Room\/Press-Releases-Statements\/Press-Release-View\/Article\/3931959\/nsa-issues-updated-guidance-on-russian-svr-cyber-operations\/\">United States<\/a> and United Kingdom governments to the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the United States and Europe. Its focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Its operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.<\/p>\n\n\n\n<p>Midnight Blizzard is consistent and persistent in its operational targeting, and its objectives rarely change. It uses diverse initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to laterally move to the cloud, and leveraging service providers\u2019 trust chain to gain access to downstream customers. Midnight Blizzard is known to use the Active Directory Federation Service (AD FS) malware known as <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/09\/27\/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor\">FOGGYWEB<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/24\/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone\">MAGICWEB<\/a>. Midnight Blizzard is identified by peer security vendors as APT29, UNC2452, and Cozy Bear.<\/p>\n\n\n\n<p>As with any observed nation-state actor activity, Microsoft is in the process of directly notifying customers that have been targeted or compromised, providing them with the necessary information to secure their accounts. Strong anti-phishing measures will help to mitigate this threat. As part of our commitment to helping protect against cyber threats, we provide indicators of compromise (IOCs), hunting queries, detection details, and recommendations at the end of this post.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"spear-phishing-campaign\">Spear-phishing campaign<\/h2>\n\n\n\n<p>On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs.&nbsp;These configurations extend features and resources of the local system to a remote server, controlled by the actor.<\/p>\n\n\n\n<p>In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user\u2019s local device\u2019s resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target\u2019s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure1.webp\" alt=\"A screenshot of the dialog box to allow the malicious remote connection initiated by the threat actor\" class=\"wp-image-136187 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure1.webp\"><figcaption class=\"wp-element-caption\">Figure 1. Malicious remote connection<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rdp-connection\">RDP connection<\/h3>\n\n\n\n<p>When the target user opened the .RDP attachment, an RDP connection was established to an actor-controlled system. The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Files and directories<\/li>\n\n\n\n<li>Connected network drives<\/li>\n\n\n\n<li>Connected peripherals, including smart cards, printers, and microphones<\/li>\n\n\n\n<li>Web authentication using Windows Hello, passkeys, or security keys<\/li>\n\n\n\n<li>Clipboard data<\/li>\n\n\n\n<li>Point of Service (also known as Point of Sale or POS) devices<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"targets\">Targets<\/h3>\n\n\n\n<p>Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the United Kingdom, Europe, Australia, and Japan. This target set is consistent with other Midnight Blizzard phishing campaigns.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"email-infrastructure\">Email infrastructure<\/h3>\n\n\n\n<p>Midnight Blizzard sent the phishing emails in this campaign using email addresses belonging to legitimate organizations that were gathered during previous compromises. The domains used are listed in the IOC section below.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"mitigations\">Mitigations<\/h2>\n\n\n\n<p>Microsoft recommends the following mitigations to reduce the impact of this threat.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"strengthen-operating-environment-configuration\">Strengthen operating environment configuration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Utilize <a href=\"https:\/\/learn.microsoft.com\/windows\/security\/operating-system-security\/network-security\/windows-firewall\/\">Windows Firewall<\/a> or <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-firewall\/windows-firewall-with-advanced-security\">Windows Firewall with Advanced Security<\/a> to help prevent or restrict outbound RDP connection attempts to external or public networks external or public networks<\/li>\n\n\n\n<li>Require <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/admin\/security-and-compliance\/set-up-multi-factor-authentication\">multifactor authentication (MFA)<\/a>. Implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.<\/li>\n\n\n\n<li>Leverage <a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/authentication\/concept-authentication-methods\">phishing-resistant authentication methods<\/a> such as FIDO Tokens, or <a href=\"https:\/\/www.microsoft.com\/security\/mobile-authenticator-app\">Microsoft Authenticator<\/a> with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.<\/li>\n\n\n\n<li>Implement <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/authentication\/concept-authentication-strengths\">Conditional Access authentication strength<\/a> to require phishing-resistant authentication for employees and external users for critical apps.<\/li>\n\n\n\n<li>Encourage users to use Microsoft Edge and other web browsers that support <a href=\"https:\/\/learn.microsoft.com\/deployedge\/microsoft-edge-security-smartscreen\">Microsoft Defender SmartScreen<\/a>, which identifies and help blocks malicious websites, including phishing sites, scam sites, and sites that host malware.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"strengthen-endpoint-security-configuration\">Strengthen endpoint security configuration<\/h3>\n\n\n\n<p>If you are using Microsoft Defender for Endpoint take the following steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection\">tamper protection<\/a> is turned on in Microsoft Defender for Endpoint.<\/li>\n\n\n\n<li>Turn on <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/enable-network-protection\">network protection<\/a> in Microsoft Defender for Endpoint.<\/li>\n\n\n\n<li>Turn on <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/web-protection-overview\">web protection<\/a>.<\/li>\n\n\n\n<li>Run <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/edr-in-block-mode\">endpoint detection and response&nbsp;(EDR) in block mode<\/a>&nbsp;so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.<\/li>\n\n\n\n<li>Configure&nbsp;<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/automated-investigations\">investigation and remediation<\/a>&nbsp;in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume.&nbsp;<\/li>\n\n\n\n<li>Microsoft Defender XDR customers can turn on the following&nbsp;<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction\">attack surface reduction rules<\/a>&nbsp;to help prevent common attack techniques used by threat actors.<ul><li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmail\">Block<\/a> executable content from email client and webmail<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction-rules-reference#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion\">Block<\/a> executable files from running unless they meet a prevalence, age, or trusted list criterion<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"strengthen-antivirus-configuration\">Strengthen antivirus configuration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Turn on&nbsp;<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/configure-block-at-first-sight-microsoft-defender-antivirus\">cloud-delivered protection<\/a>&nbsp;in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections help block a majority of new and unknown variants.<\/li>\n\n\n\n<li>Enable Microsoft Defender Antivirus scanning of <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/configure-advanced-scan-types-microsoft-defender-antivirus\">downloaded files and attachments<\/a>.<\/li>\n\n\n\n<li>Enable Microsoft Defender Antivirus <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/configure-real-time-protection-microsoft-defender-antivirus\">real-time protection<\/a>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"strengthen-microsoft-office-365-configuration\">Strengthen Microsoft Office 365 configuration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Turn on <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/safe-links-about\">Safe Links<\/a> and <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/safe-attachments-about\">Safe Attachments<\/a> for Office 365.<\/li>\n\n\n\n<li>Enable <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/zero-hour-auto-purge\">Zero-hour auto purge (ZAP)<\/a> in Office 365 to help quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"strengthen-email-security-configuration\">Strengthen email security configuration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Invest in <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/anti-phishing-protection-about#additional-anti-phishing-protection-in-microsoft-defender-for-office-365\">advanced anti-phishing<\/a> solutions that monitor incoming emails and visited websites. For example, <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender\/microsoft-365-security-center-mdo\">Microsoft Defender for Office 365<\/a> merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically <a href=\"https:\/\/learn.microsoft.com\/deployedge\/microsoft-edge-security-smartscreen\">identify and help block<\/a> malicious websites, including those used in phishing activities.<\/li>\n\n\n\n<li>If you are using Microsoft Defender for Office 365, configure it to <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/safe-links-about\">recheck links on click<\/a>. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/anti-spam-protection-about\">anti-spam<\/a> and <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/anti-malware-protection-about\">anti-malware<\/a> protection in inbound email messages in <a href=\"https:\/\/products.office.com\/exchange\/exchange-email-security-spam-protection\">Microsoft Exchange Online Protection (EOP)<\/a>. Safe Links scanning can help protect an organization from malicious links used in phishing and other attacks.<\/li>\n\n\n\n<li>If you are using Microsoft Defender for Office 365, use the <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/attack-simulation-training-get-started\">Attack Simulator<\/a> in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"conduct-user-education\">Conduct user education<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-endpoint\">Microsoft Defender for Endpoint<\/h3>\n\n\n\n<p>The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Midnight Blizzard Actor activity group<\/li>\n\n\n\n<li>Suspicious RDP session<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-antivirus\">Microsoft Defender Antivirus<\/h3>\n\n\n\n<p>Microsoft Defender Antivirus detects at least some of the malicious .RDP files as the following signature:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Backdoor:Script\/HustleCon.A<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-cloud\">Microsoft Defender for Cloud<\/h3>\n\n\n\n<p>The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Communication with suspicious domain identified by threat intelligence<\/li>\n\n\n\n<li>Suspicious outgoing RDP network activity<\/li>\n\n\n\n<li>Traffic detected from IP addresses recommended for blocking<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-office-365\">Microsoft Defender for Office 365<\/h3>\n\n\n\n<p>Microsoft Defender for Office 365 raises alerts on this campaign using email- and attachment-based detections. Additionally, hunting signatures and an RDP file parser have been incorporated into detections to block similar campaigns in the future. Defenders can identify such activity in alert titles referencing RDP, for example, <em>Trojan_RDP*<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h2>\n\n\n\n<p>Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide threat intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n\n\n\n<p><strong>Microsoft Defender Threat Intelligence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/security.microsoft.com\/intel-explorer\/articles\/a69605f8\">Midnight Blizzard targets NGOs in new wave of initial access campaigns<\/a>.<\/li>\n\n\n\n<li><a href=\"https:\/\/security.microsoft.com\/intel-explorer\/articles\/af5bdd1c\">Midnight Blizzard targets diplomatic, NGOs, and humanitarian organizations in global spear phishing activity<\/a>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr\">Microsoft Defender XDR<\/h3>\n\n\n\n<p><strong>Identify potential Midnight Blizzard targeted recipients<\/strong>&nbsp;<\/p>\n\n\n\n<p>Surface possible targeted email accounts within the environment where the email sender originated from a Midnight Blizzard compromised domain related to the RDP activity. <\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\nEmailEvents \n| where SenderFromDomain in~ (&quot;sellar.co.uk&quot;, &quot;townoflakelure.com&quot;, &quot;totalconstruction.com.au&quot;, &quot;swpartners.com.au&quot;, &quot;cewalton.com&quot;) \n| project SenderFromDomain, SenderFromAddress, RecipientEmailAddress, Subject, Timestamp \n<\/pre><\/div>\n\n\n<p><strong>Surface potential targets of an RDP attachment phishing attempt<\/strong><\/p>\n\n\n\n<p>Surface emails that contain a remote desktop protocol (RDP) file attached. This may indicate that the recipient of the email may have been targeted in an RDP attachment phishing attack attempt. <\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\nEmailAttachmentInfo\n| where FileName has &quot;.rdp&quot;\n| join kind=inner (EmailEvents) on NetworkMessageId\n| project SenderFromAddress, RecipientEmailAddress, Subject, Timestamp, FileName, FileType\n<\/pre><\/div>\n\n\n<p><strong>Identify potential successfully targeted assets in an RDP attachment phishing attack<\/strong><\/p>\n\n\n\n<p>Surface devices that may have been targeted in an email with an RDP file attached, followed by an RDP connection attempt from the device to an external network. This combined activity may indicate that a device may have been successfully targeted in an RDP attachment phishing attack. <\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\n\/\/ Step 1: Identify emails with RDP attachments\nlet rdpEmails = EmailAttachmentInfo\n| where FileName has &quot;.rdp&quot;\n| join kind=inner (EmailEvents) on NetworkMessageId\n| project EmailTimestamp = Timestamp, RecipientEmailAddress, NetworkMessageId, SenderFromAddress;\n\/\/ Step 2: Identify outbound RDP connections\nlet outboundRDPConnections = DeviceNetworkEvents\n| where RemotePort == 3389\n| where ActionType == &quot;ConnectionAttempt&quot;\n| where RemoteIPType == &quot;Public&quot;\n| project RDPConnectionTimestamp = Timestamp, DeviceId, InitiatingProcessAccountUpn, RemoteIP;\n\/\/ Step 3: Correlate email and network events\nrdpEmails\n| join kind=inner (outboundRDPConnections) on $left.RecipientEmailAddress == $right.InitiatingProcessAccountUpn\n| project EmailTimestamp, RecipientEmailAddress, SenderFromAddress, RDPConnectionTimestamp, DeviceId, RemoteIP\n<\/pre><\/div>\n\n\n<p><strong>Threat actor RDP connection files attached to email<\/strong><\/p>\n\n\n\n<p>Surface users that may have received an RDP connection file attached in email that have been observed in this attack from Midnight Blizzard.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\nEmailAttachmentInfo\n| where FileName in~ (\n    &quot;AWS IAM Compliance Check.rdp&quot;,\n    &quot;AWS IAM Configuration.rdp&quot;,\n    &quot;AWS IAM Quick Start.rdp&quot;,\n    &quot;AWS SDE Compliance Check.rdp&quot;,\n    &quot;AWS SDE Environment Check.rdp&quot;,\n    &quot;AWS Secure Data Exchange - Compliance Check.rdp&quot;,\n    &quot;AWS Secure Data Exchange Compliance.rdp&quot;,\n    &quot;Device Configuration Verification.rdp&quot;,\n    &quot;Device Security Requirements Check.rdp&quot;,\n    &quot;IAM Identity Center Access.rdp&quot;,\n    &quot;IAM Identity Center Application Access.rdp&quot;,\n    &quot;Zero Trust Architecture Configuration.rdp&quot;,\n    &quot;Zero Trust Security Environment Compliance Check.rdp&quot;,\n    &quot;ZTS Device Compatibility Test.rdp&quot;\n)\n| project Timestamp, FileName, SHA256, RecipientEmailAddress, SenderDisplayName, SenderFromAddress\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-sentinel\">Microsoft Sentinel<\/h3>\n\n\n\n<p>Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"email-sender-domains\">Email sender domains <\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Domains<\/strong><\/td><td><strong>Last seen<\/strong><\/td><\/tr><tr><td>sellar[.]co.uk<\/td><td>&nbsp;October 23, 2024<\/td><\/tr><tr><td>townoflakelure[.]com<\/td><td>&nbsp;October 23, 2024<\/td><\/tr><tr><td>totalconstruction[.]com.au<\/td><td>&nbsp;October 23, 2024<\/td><\/tr><tr><td>swpartners[.]com.au<\/td><td>&nbsp;October 23, 2024<\/td><\/tr><tr><td>cewalton[.]com<\/td><td>&nbsp;October 23, 2024<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"rdp-file-names\">RDP file names<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS IAM Compliance Check.rdp<\/li>\n\n\n\n<li>AWS IAM Configuration.rdp<\/li>\n\n\n\n<li>AWS IAM Quick Start.rdp<\/li>\n\n\n\n<li>AWS SDE Compliance Check.rdp<\/li>\n\n\n\n<li>AWS SDE Environment Check.rdp<\/li>\n\n\n\n<li>AWS SDE Environment Check.rdp\u202f<\/li>\n\n\n\n<li>AWS Secure Data Exchange &#8211; Compliance Check.rdp<\/li>\n\n\n\n<li>AWS Secure Data Exchange Compliance.rdp<\/li>\n\n\n\n<li>Device Configuration Verification.rdp<\/li>\n\n\n\n<li>Device Security Requirements Check.rdp<\/li>\n\n\n\n<li>IAM Identity Center Access.rdp<\/li>\n\n\n\n<li>IAM Identity Center Application Access.rdp<\/li>\n\n\n\n<li>Zero Trust Architecture Configuration.rdp<\/li>\n\n\n\n<li>Zero Trust Security Environment Compliance Check.rdp<\/li>\n\n\n\n<li>ZTS Device Compatibility Test.rdp<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"rdp-remote-computer-domains\">RDP remote computer domains<\/h4>\n\n\n\n<figure class=\"wp-block-table table\"><table class=\"has-fixed-layout\"><tbody><tr><td>ap-northeast-1-aws.s3-ua[.]cloud<\/td><td>ap-northeast-1-aws.ukrainesec[.]cloud<\/td><\/tr><tr><td>ca-central-1.gov-ua[.]cloud<\/td><td>ca-central-1.ua-gov[.]cloud<\/td><\/tr><tr><td>ca-west-1.aws-ukraine[.]cloud<\/td><td>ca-west-1.mfa-gov[.]cloud<\/td><\/tr><tr><td>ca-west-1.ukrtelecom[.]cloud<\/td><td>central-2-aws.ua-mil[.]cloud<\/td><\/tr><tr><td>central-2-aws.ua-sec[.]cloud<\/td><td>central-2-aws.ukrainesec[.]cloud<\/td><\/tr><tr><td>central-2-aws.ukrtelecom[.]cloud<\/td><td>eu-central-1.difesa-it[.]cloud<\/td><\/tr><tr><td>eu-central-1.mfa-gov[.]cloud<\/td><td>eu-central-1.mil-be[.]cloud<\/td><\/tr><tr><td>eu-central-1.mil-pl[.]cloud<\/td><td>eu-central-1.minbuza[.]cloud<\/td><\/tr><tr><td>eu-central-1.mindef-nl[.]cloud<\/td><td>eu-central-1.msz-pl[.]cloud<\/td><\/tr><tr><td>eu-central-1.quirinale[.]cloud<\/td><td>eu-central-1.regeringskansliet-se[.]cloud<\/td><\/tr><tr><td>eu-central-1.s3-be[.]cloud<\/td><td>eu-central-1.s3-esa[.]cloud<\/td><\/tr><tr><td>eu-central-1.s3-nato[.]cloud<\/td><td>eu-central-1.ua-gov[.]cloud<\/td><\/tr><tr><td>eu-central-1.ua-sec[.]cloud<\/td><td>eu-central-1.ukrtelecom[.]cloud<\/td><\/tr><tr><td>eu-central-1-aws.amazonsolutions[.]cloud<\/td><td>eu-central-1-aws.dep-no[.]cloud<\/td><\/tr><tr><td>eu-central-1-aws.gov-pl[.]cloud<\/td><td>eu-central-1-aws.gov-sk[.]cloud<\/td><\/tr><tr><td>eu-central-1-aws.gov-trust[.]cloud<\/td><td>eu-central-1-aws.mfa-gov[.]cloud<\/td><\/tr><tr><td>eu-central-1-aws.minbuza[.]cloud<\/td><td>eu-central-1-aws.mindef-nl[.]cloud<\/td><\/tr><tr><td>eu-central-1-aws.msz-pl[.]cloud<\/td><td>eu-central-1-aws.mzv-sk[.]cloud<\/td><\/tr><tr><td>eu-central-1-aws.ncfta[.]cloud<\/td><td>eu-central-1-aws.presidencia-pt[.]cloud<\/td><\/tr><tr><td>eu-central-1-aws.quirinale[.]cloud<\/td><td>eu-central-1-aws.regeringskansliet-se[.]cloud<\/td><\/tr><tr><td>eu-central-1-aws.s3-be[.]cloud<\/td><td>eu-central-1-aws.s3-ua[.]cloud<\/td><\/tr><tr><td>eu-central-1-aws.ua-gov[.]cloud<\/td><td>eu-central-1-aws.ukrainesec[.]cloud<\/td><\/tr><tr><td>eu-central-2-aws.amazonsolutions[.]cloud<\/td><td>eu-central-2-aws.aws-ukraine[.]cloud<\/td><\/tr><tr><td>eu-central-2-aws.dep-no[.]cloud<\/td><td>eu-central-2-aws.gov-pl[.]cloud<\/td><\/tr><tr><td>eu-central-2-aws.gov-sk[.]cloud<\/td><td>eu-central-2-aws.mil-be[.]cloud<\/td><\/tr><tr><td>eu-central-2-aws.mil-pl[.]cloud<\/td><td>eu-central-2-aws.mindef-nl[.]cloud<\/td><\/tr><tr><td>eu-central-2-aws.msz-pl[.]cloud<\/td><td>eu-central-2-aws.mzv-sk[.]cloud<\/td><\/tr><tr><td>eu-central-2-aws.presidencia-pt[.]cloud<\/td><td>eu-central-2-aws.regeringskansliet-se[.]cloud<\/td><\/tr><tr><td>eu-central-2-aws.s3-be[.]cloud<\/td><td>eu-central-2-aws.ua-gov[.]cloud<\/td><\/tr><tr><td>eu-central-2-aws.ua-mil[.]cloud<\/td><td>eu-central-2-aws.ukrtelecom[.]cloud<\/td><\/tr><tr><td>eu-east-1-aws.amazonsolutions[.]cloud<\/td><td>eu-east-1-aws.dep-no[.]cloud<\/td><\/tr><tr><td>eu-east-1-aws.gov-sk[.]cloud<\/td><td>eu-east-1-aws.gov-ua[.]cloud<\/td><\/tr><tr><td>eu-east-1-aws.mil-be[.]cloud<\/td><td>eu-east-1-aws.mil-pl[.]cloud<\/td><\/tr><tr><td>eu-east-1-aws.minbuza[.]cloud<\/td><td>eu-east-1-aws.mindef-nl[.]cloud<\/td><\/tr><tr><td>eu-east-1-aws.msz-pl[.]cloud<\/td><td>eu-east-1-aws.mzv-sk[.]cloud<\/td><\/tr><tr><td>eu-east-1-aws.quirinale[.]cloud<\/td><td>eu-east-1-aws.regeringskansliet-se[.]cloud<\/td><\/tr><tr><td>eu-east-1-aws.s3-be[.]cloud<\/td><td>eu-east-1-aws.s3-de[.]cloud<\/td><\/tr><tr><td>eu-east-1-aws.ua-gov[.]cloud<\/td><td>eu-east-1-aws.ua-sec[.]cloud<\/td><\/tr><tr><td>eu-east-1-aws.ukrtelecom[.]cloud<\/td><td>eu-north-1.difesa-it[.]cloud<\/td><\/tr><tr><td>eu-north-1.gov-trust[.]cloud<\/td><td>eu-north-1.gov-ua[.]cloud<\/td><\/tr><tr><td>eu-north-1.gv-at[.]cloud<\/td><td>eu-north-1.mil-be[.]cloud<\/td><\/tr><tr><td>eu-north-1.mil-pl[.]cloud<\/td><td>eu-north-1.mzv-sk[.]cloud<\/td><\/tr><tr><td>eu-north-1.ncfta[.]cloud<\/td><td>eu-north-1.regeringskansliet-se[.]cloud<\/td><\/tr><tr><td>eu-north-1.s3-be[.]cloud<\/td><td>eu-north-1.s3-de[.]cloud<\/td><\/tr><tr><td>eu-north-1.s3-ua[.]cloud<\/td><td>eu-north-1-aws.dep-no[.]cloud<\/td><\/tr><tr><td>eu-north-1-aws.difesa-it[.]cloud<\/td><td>eu-north-1-aws.gov-pl[.]cloud<\/td><\/tr><tr><td>eu-north-1-aws.gov-sk[.]cloud<\/td><td>eu-north-1-aws.mil-be[.]cloud<\/td><\/tr><tr><td>eu-north-1-aws.mil-pl[.]cloud<\/td><td>eu-north-1-aws.minbuza[.]cloud<\/td><\/tr><tr><td>eu-north-1-aws.ncfta[.]cloud<\/td><td>eu-north-1-aws.presidencia-pt[.]cloud<\/td><\/tr><tr><td>eu-north-1-aws.quirinale[.]cloud<\/td><td>eu-north-1-aws.regeringskansliet-se[.]cloud<\/td><\/tr><tr><td>eu-north-1-aws.s3-be[.]cloud<\/td><td>eu-north-1-aws.s3-de[.]cloud<\/td><\/tr><tr><td>eu-north-1-aws.ua-energy[.]cloud<\/td><td>eu-north-1-aws.ua-gov[.]cloud<\/td><\/tr><tr><td>eu-south-1-aws.admin-ch[.]cloud<\/td><td>eu-south-1-aws.dep-no[.]cloud<\/td><\/tr><tr><td>eu-south-1-aws.difesa-it[.]cloud<\/td><td>eu-south-1-aws.gov-pl[.]cloud<\/td><\/tr><tr><td>eu-south-1-aws.gov-trust[.]cloud<\/td><td>eu-south-1-aws.mfa-gov[.]cloud<\/td><\/tr><tr><td>eu-south-1-aws.mil-be[.]cloud<\/td><td>eu-south-1-aws.minbuza[.]cloud<\/td><\/tr><tr><td>eu-south-1-aws.mzv-sk[.]cloud<\/td><td>eu-south-1-aws.quirinale[.]cloud<\/td><\/tr><tr><td>eu-south-1-aws.s3-be[.]cloud<\/td><td>eu-south-1-aws.s3-de[.]cloud<\/td><\/tr><tr><td>eu-south-1-aws.ua-gov[.]cloud<\/td><td>eu-south-2.dep-no[.]cloud<\/td><\/tr><tr><td>eu-south-2.gov-pl[.]cloud<\/td><td>eu-south-2.gov-sk[.]cloud<\/td><\/tr><tr><td>eu-south-2.mil-be[.]cloud<\/td><td>eu-south-2.mil-pl[.]cloud<\/td><\/tr><tr><td>eu-south-2.mindef-nl[.]cloud<\/td><td>eu-south-2.s3-be[.]cloud<\/td><\/tr><tr><td>eu-south-2.s3-de[.]cloud<\/td><td>eu-south-2.s3-esa[.]cloud<\/td><\/tr><tr><td>eu-south-2.s3-nato[.]cloud<\/td><td>eu-south-2.ua-sec[.]cloud<\/td><\/tr><tr><td>eu-south-2.ukrainesec[.]cloud<\/td><td>eu-south-2-aws.amazonsolutions[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.dep-no[.]cloud<\/td><td>eu-south-2-aws.gov-pl[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.gov-sk[.]cloud<\/td><td>eu-south-2-aws.mfa-gov[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.mil-be[.]cloud<\/td><td>eu-south-2-aws.mil-pl[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.mil-pt[.]cloud<\/td><td>eu-south-2-aws.minbuza[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.msz-pl[.]cloud<\/td><td>eu-south-2-aws.mzv-sk[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.ncfta[.]cloud<\/td><td>eu-south-2-aws.quirinale[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.regeringskansliet-se[.]cloud<\/td><td>eu-south-2-aws.s3-be[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.s3-de[.]cloud<\/td><td>eu-south-2-aws.s3-esa[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.s3-nato[.]cloud<\/td><td>eu-south-2-aws.s3-ua[.]cloud<\/td><\/tr><tr><td>eu-south-2-aws.ua-gov[.]cloud<\/td><td>eu-southeast-1-aws.amazonsolutions[.]cloud<\/td><\/tr><tr><td>eu-southeast-1-aws.aws-ukraine[.]cloud<\/td><td>eu-southeast-1-aws.dep-no[.]cloud<\/td><\/tr><tr><td>eu-southeast-1-aws.difesa-it[.]cloud<\/td><td>eu-southeast-1-aws.gov-sk[.]cloud<\/td><\/tr><tr><td>eu-southeast-1-aws.gov-trust[.]cloud<\/td><td>eu-southeast-1-aws.mil-be[.]cloud<\/td><\/tr><tr><td>eu-southeast-1-aws.mil-pl[.]cloud<\/td><td>eu-southeast-1-aws.mindef-nl[.]cloud<\/td><\/tr><tr><td>eu-southeast-1-aws.msz-pl[.]cloud<\/td><td>eu-southeast-1-aws.mzv-cz[.]cloud<\/td><\/tr><tr><td>eu-southeast-1-aws.mzv-sk[.]cloud<\/td><td>eu-southeast-1-aws.quirinale[.]cloud<\/td><\/tr><tr><td>eu-southeast-1-aws.s3-be[.]cloud<\/td><td>eu-southeast-1-aws.s3-de[.]cloud<\/td><\/tr><tr><td>eu-southeast-1-aws.s3-esa[.]cloud<\/td><td>eu-southeast-1-aws.s3-ua[.]cloud<\/td><\/tr><tr><td>eu-southeast-1-aws.ua-energy[.]cloud<\/td><td>eu-southeast-1-aws.ukrainesec[.]cloud<\/td><\/tr><tr><td>eu-west-1.aws-ukraine[.]cloud<\/td><td>eu-west-1.difesa-it[.]cloud<\/td><\/tr><tr><td>eu-west-1.gov-sk[.]cloud<\/td><td>eu-west-1.mil-be[.]cloud<\/td><\/tr><tr><td>eu-west-1.mil-pl[.]cloud<\/td><td>eu-west-1.minbuza[.]cloud<\/td><\/tr><tr><td>eu-west-1.msz-pl[.]cloud<\/td><td>eu-west-1.mzv-sk[.]cloud<\/td><\/tr><tr><td>eu-west-1.regeringskansliet-se[.]cloud<\/td><td>eu-west-1.s3-de[.]cloud<\/td><\/tr><tr><td>eu-west-1.s3-esa[.]cloud<\/td><td>eu-west-1.s3-ua[.]cloud<\/td><\/tr><tr><td>eu-west-1.ua-gov[.]cloud<\/td><td>eu-west-1.ukrtelecom[.]cloud<\/td><\/tr><tr><td>eu-west-1-aws.amazonsolutions[.]cloud<\/td><td>eu-west-1-aws.aws-ukraine[.]cloud<\/td><\/tr><tr><td>eu-west-1-aws.dep-no[.]cloud<\/td><td>eu-west-1-aws.gov-pl[.]cloud<\/td><\/tr><tr><td>eu-west-1-aws.gov-sk[.]cloud<\/td><td>eu-west-1-aws.gov-trust[.]cloud<\/td><\/tr><tr><td>eu-west-1-aws.gov-ua[.]cloud<\/td><td>eu-west-1-aws.mil-be[.]cloud<\/td><\/tr><tr><td>eu-west-1-aws.mil-pl[.]cloud<\/td><td>eu-west-1-aws.minbuza[.]cloud<\/td><\/tr><tr><td>eu-west-1-aws.quirinale[.]cloud<\/td><td>eu-west-1-aws.s3-be[.]cloud<\/td><\/tr><tr><td>eu-west-1-aws.s3-de[.]cloud<\/td><td>eu-west-1-aws.s3-esa[.]cloud<\/td><\/tr><tr><td>eu-west-1-aws.s3-nato[.]cloud<\/td><td>eu-west-1-aws.ua-sec[.]cloud<\/td><\/tr><tr><td>eu-west-1-aws.ukrainesec[.]cloud<\/td><td>eu-west-2-aws.amazonsolutions[.]cloud<\/td><\/tr><tr><td>eu-west-2-aws.dep-no[.]cloud<\/td><td>eu-west-2-aws.difesa-it[.]cloud<\/td><\/tr><tr><td>eu-west-2-aws.gov-pl[.]cloud<\/td><td>eu-west-2-aws.gov-sk[.]cloud<\/td><\/tr><tr><td>eu-west-2-aws.gv-at[.]cloud<\/td><td>eu-west-2-aws.mil-be[.]cloud<\/td><\/tr><tr><td>eu-west-2-aws.mil-pl[.]cloud<\/td><td>eu-west-2-aws.minbuza[.]cloud<\/td><\/tr><tr><td>eu-west-2-aws.mindef-nl[.]cloud<\/td><td>eu-west-2-aws.msz-pl[.]cloud<\/td><\/tr><tr><td>eu-west-2-aws.mzv-sk[.]cloud<\/td><td>eu-west-2-aws.quirinale[.]cloud<\/td><\/tr><tr><td>eu-west-2-aws.s3-be[.]cloud<\/td><td>eu-west-2-aws.s3-de[.]cloud<\/td><\/tr><tr><td>eu-west-2-aws.s3-esa[.]cloud<\/td><td>eu-west-2-aws.s3-nato[.]cloud<\/td><\/tr><tr><td>eu-west-2-aws.s3-ua[.]cloud<\/td><td>eu-west-2-aws.ua-sec[.]cloud<\/td><\/tr><tr><td>eu-west-3.amazonsolutions[.]cloud<\/td><td>eu-west-3.aws-ukraine[.]cloud<\/td><\/tr><tr><td>eu-west-3.mil-be[.]cloud<\/td><td>eu-west-3.mil-pl[.]cloud<\/td><\/tr><tr><td>eu-west-3.minbuza[.]cloud<\/td><td>eu-west-3.mindef-nl[.]cloud<\/td><\/tr><tr><td>eu-west-3.msz-pl[.]cloud<\/td><td>eu-west-3.mzv-sk[.]cloud<\/td><\/tr><tr><td>eu-west-3.presidencia-pt[.]cloud<\/td><td>eu-west-3.s3-be[.]cloud<\/td><\/tr><tr><td>eu-west-3.s3-ua[.]cloud<\/td><td>eu-west-3.ukrainesec[.]cloud<\/td><\/tr><tr><td>eu-west-3.ukrtelecom[.]cloud<\/td><td>eu-west-3-aws.aws-ukraine[.]cloud<\/td><\/tr><tr><td>eu-west-3-aws.dep-no[.]cloud<\/td><td>eu-west-3-aws.difesa-it[.]cloud<\/td><\/tr><tr><td>eu-west-3-aws.gov-pl[.]cloud<\/td><td>eu-west-3-aws.gov-sk[.]cloud<\/td><\/tr><tr><td>eu-west-3-aws.gov-trust[.]cloud<\/td><td>eu-west-3-aws.mil-be[.]cloud<\/td><\/tr><tr><td>eu-west-3-aws.mil-pl[.]cloud<\/td><td>eu-west-3-aws.mil-pt[.]cloud<\/td><\/tr><tr><td>eu-west-3-aws.minbuza[.]cloud<\/td><td>eu-west-3-aws.mindef-nl[.]cloud<\/td><\/tr><tr><td>eu-west-3-aws.msz-pl[.]cloud<\/td><td>eu-west-3-aws.mzv-sk[.]cloud<\/td><\/tr><tr><td>eu-west-3-aws.quirinale[.]cloud<\/td><td>eu-west-3-aws.regeringskansliet-se[.]cloud<\/td><\/tr><tr><td>eu-west-3-aws.s3-be[.]cloud<\/td><td>eu-west-3-aws.s3-ua[.]cloud<\/td><\/tr><tr><td>eu-west-3-aws.ua-mil[.]cloud<\/td><td>us-east-1-aws.mfa-gov[.]cloud<\/td><\/tr><tr><td>us-east-1-aws.s3-ua[.]cloud<\/td><td>us-east-1-aws.ua-gov[.]cloud<\/td><\/tr><tr><td>us-east-1-aws.ua-sec[.]cloud<\/td><td>us-east-2.aws-ukraine[.]cloud<\/td><\/tr><tr><td>us-east-2.gov-ua[.]cloud<\/td><td>us-east-2.ua-sec[.]cloud<\/td><\/tr><tr><td>us-east-2.ukrainesec[.]cloud<\/td><td>us-east-2-aws.gov-ua[.]cloud<\/td><\/tr><tr><td>us-east-2-aws.ua-gov[.]cloud<\/td><td>us-east-2-aws.ukrtelecom[.]cloud<\/td><\/tr><tr><td>us-east-console.aws-ukraine[.]cloud<\/td><td>us-east-console.ua-energy[.]cloud<\/td><\/tr><tr><td>us-west-1.aws-ukraine[.]cloud<\/td><td>us-west-1.ua-energy[.]cloud<\/td><\/tr><tr><td>us-west-1.ua-gov[.]cloud<\/td><td>us-west-1.ukrtelecom[.]cloud<\/td><\/tr><tr><td>us-west-1-amazon.ua-energy[.]cloud<\/td><td>us-west-1-amazon.ua-mil[.]cloud<\/td><\/tr><tr><td>us-west-1-amazon.ua-sec[.]cloud<\/td><td>us-west-1-aws.gov-ua[.]cloud<\/td><\/tr><tr><td>us-west-2.gov-ua[.]cloud<\/td><td>us-west-2.ua-energy[.]cloud<\/td><\/tr><tr><td>us-west-2.ua-sec[.]cloud<\/td><td>us-west-2-aws.mfa-gov[.]cloud<\/td><\/tr><tr><td>us-west-2-aws.s3-ua[.]cloud<\/td><td>us-west-2-aws.ua-energy[.]cloud<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cert.gov.ua\/article\/6281076\">https:\/\/cert.gov.ua\/article\/6281076<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/aws.Alpha XR\/blogs\/security\/amazon-identified-internet-domains-abused-by-apt29\/\">https:\/\/aws.Alpha XR\/blogs\/security\/amazon-identified-internet-domains-abused-by-apt29\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/media.defense.gov\/2024\/Oct\/09\/2003562611\/-1\/-1\/0\/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF\">https:\/\/media.defense.gov\/2024\/Oct\/09\/2003562611\/-1\/-1\/0\/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/09\/27\/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor\/?msockid=392e4194f0f26165030055c3f1de6080\">https:\/\/www.microsoft.com\/security\/blog\/2021\/09\/27\/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor\/?msockid=392e4194f0f26165030055c3f1de6080<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/24\/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone\/?msockid=392e4194f0f26165030055c3f1de6080\">https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/24\/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone\/?msockid=392e4194f0f26165030055c3f1de6080<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n\n\n\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog:&nbsp;<a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n\n\n\n<p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence<\/a>, and on X (formerly Twitter) at&nbsp;<a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/twitter.com\/MsftSecIntel<\/a>.<\/p>\n\n\n\n<p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight [&hellip;]<\/p>\n","protected":false},"author":188,"featured_media":136298,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[3690,3694,3698,3693,3726],"threat-intelligence":[3727,3738],"tags":[3918,3828],"coauthors":[3380],"class_list":["post-136186","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","products-microsoft-defender","products-microsoft-defender-for-endpoint","products-microsoft-defender-threat-intelligence","products-microsoft-defender-xdr","products-microsoft-sentinel","threat-intelligence-attacker-techniques-tools-and-infrastructure","threat-intelligence-threat-actors","tag-blizzard","tag-midnight-blizzard-nobelium","review-flag-1694638265-576","review-flag-1694638271-781","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-lever-1694638263-909","review-flag-machi-1694638272-641","review-flag-new-1694638263-340"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-29T19:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-08T15:06:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Midnight-Blizzard.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1875\" \/>\n\t<meta property=\"og:image:height\" content=\"1055\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files\",\"datePublished\":\"2024-10-29T19:00:00+00:00\",\"dateModified\":\"2024-11-08T15:06:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/\"},\"wordCount\":3374,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Screenshot-2024-10-31-at-12.13.59\u202fPM.webp\",\"keywords\":[\"Blizzard\",\"Midnight Blizzard (NOBELIUM)\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/\",\"name\":\"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Screenshot-2024-10-31-at-12.13.59\u202fPM.webp\",\"datePublished\":\"2024-10-29T19:00:00+00:00\",\"dateModified\":\"2024-11-08T15:06:14+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Screenshot-2024-10-31-at-12.13.59\u202fPM.webp\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Screenshot-2024-10-31-at-12.13.59\u202fPM.webp\",\"width\":3158,\"height\":1778,\"caption\":\"Midnight Blizzard icon\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/","og_locale":"en_US","og_type":"article","og_title":"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog","og_description":"Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight [&hellip;]","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/","og_site_name":"Microsoft Security Blog","article_published_time":"2024-10-29T19:00:00+00:00","article_modified_time":"2024-11-08T15:06:14+00:00","og_image":[{"width":1875,"height":1055,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Midnight-Blizzard.png","type":"image\/png"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files","datePublished":"2024-10-29T19:00:00+00:00","dateModified":"2024-11-08T15:06:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/"},"wordCount":3374,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Screenshot-2024-10-31-at-12.13.59\u202fPM.webp","keywords":["Blizzard","Midnight Blizzard (NOBELIUM)"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/","name":"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Screenshot-2024-10-31-at-12.13.59\u202fPM.webp","datePublished":"2024-10-29T19:00:00+00:00","dateModified":"2024-11-08T15:06:14+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Screenshot-2024-10-31-at-12.13.59\u202fPM.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Screenshot-2024-10-31-at-12.13.59\u202fPM.webp","width":3158,"height":1778,"caption":"Midnight Blizzard icon"},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/29\/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/136186"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/188"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=136186"}],"version-history":[{"count":16,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/136186\/revisions"}],"predecessor-version":[{"id":136388,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/136186\/revisions\/136388"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/136298"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=136186"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=136186"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=136186"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=136186"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=136186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=136186"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=136186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}