• The threat actor injects a malicious link into an email that appears to come from a legitimate source
• A decoy document in the email leads to a malicious DLL that provides access to the victim’s device
• The threat actor behind the attack is also responsible for the SolarWinds hack

Microsoft has warned organizations about the presence of an active malicious email campaign disguising itself as a US-based development organization.

On May 26, Microsoft issued a security alert and announced ongoing security research about an email-based campaign putting the public and large organizations at risk. The campaign is a wide-scale malicious email attack uncovered by the Microsoft Threat Intelligence Center (MSTIC).

In a blog post, Microsoft identified NOBELIUM as the threat actor behind the attack. NOBELIUM is also responsible for the SUNBURST backdoor, TEARDROP malware and GoldMax malware that ravaged SolarWinds.

The malicious email campaign works by sending emails that appear to come from USAID via the legitimate Constant Contact service. The threat actors inject the malicious link into the mailing service’s URL.

"This address (which varies for each recipient) ends in ... and a Reply-To address of was observed."

Once the link in the email is clicked, a decoy document is delivered bearing a shortcut with the NativeZone Cobalt Strike Beacon loader as well as a malicious DLL. Running the shortcut provides NOBELIUM with access to the compromised devices. Threat actors can then access the machine’s data and inject more malware.

Due to their high volume, the automated email threat detection system managed to block the malicious emails. However, Microsoft believes that the public is still not safe. The malicious emails may have been tagged as spam, but the company sees the possibility that some of the emails were sent prior to detection.

Based on its track record, NOBELIUM targets think tanks, military, IT service providers, health technology and research, telecommunications providers and other government organizations and non-government organizations (NGOs). The threat actor targeted 150 organizations with approximately 3,000 individuals, ZDNet reported.

The software giant has been monitoring the evolution of the campaign since January. As the campaign continued to increase its ability to evade detection, on May 25 it leveraged a legitimate mass-email service as another platform.

Microsoft encourages organizations to be vigilant and conduct an investigation to monitor any similar occurrences. The company has also provided a list of actions that potential victims should take.

“We continue to see an increase in sophisticated and nation-state-sponsored attacks and, as part of our ongoing threat research and efforts to protect customers, we will continue to provide guidance to the security community on how to secure against and respond to these multi-dimensional attacks.”
