Amazon’s threat intelligence team has disrupted a watering hole campaign traced to APT29, also known as Midnight Blizzard, a cyber unit tied to Russia’s Foreign Intelligence Service. The attackers abused Microsoft’s own authentication features to carry out the intrusion.
Visitors to the compromised sites risked being silently redirected to attacker-controlled infrastructure, and the campaign appears to have focused on Microsoft 365 credentials through abuse of the device code authentication flow.
APT29 gained access to trusted websites and planted heavily obfuscated JavaScript that redirected about 10% of visitors to attacker-run domains, including findcloudflare[.]com and cloudflare[.]redirectpartners[.]com, both crafted to resemble Cloudflare verification pages. Once redirected, users were pushed into Microsoft’s device code authentication process, unknowingly authorizing attacker-operated devices to access their accounts. To evade detection, the group used techniques such as base64 encoding, randomized scripts, and cookies that prevented repeat redirections of the same visitor, while quickly rotating domains and shifting to server-side redirects whenever security controls intervened.
(Image source: Amazon)
Through these tactics, the attackers gained a route to unauthorized access to Microsoft accounts and the information stored in them. Amazon confirmed that its own infrastructure and services were never breached.
Amazon responded by isolating the impacted EC2 instances, coordinating with Cloudflare and Microsoft to take down the attacker’s infrastructure, and continuing to monitor as APT29 attempted to reestablish the campaign through a different cloud provider.
Security researchers advise users to strengthen account security with multi-factor authentication, to review device authorization prompts carefully, and to avoid carrying out commands delivered through web pages, a method often exploited in these schemes. Administrators are urged to disable device code flows where they are not essential, enforce conditional access rules, and watch for suspicious or unexpected device authorizations.
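The last piece of that guidance, watching for unexpected device authorizations, can be turned into a concrete check against Microsoft Entra ID sign-in logs. The following script is an added example written for this article; it is not Amazon’s or Microsoft’s code. It assumes sign-in records exported from the Microsoft Graph sign-in log (the `authenticationProtocol` property with the value `deviceCode`, `ipAddress`, `userPrincipalName` and `status.errorCode` are real properties of that resource), and it flags successful device code sign-ins whose source network the user has never used for a normal interactive sign-in, or whose source IP completed device code sign-ins for several users at once, the pattern a mass redirect campaign would produce. The log records embedded below are constructed sample data, and the `/24` baseline granularity is a tuning choice, not something the article specifies.

```python
import json
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample records shaped like Microsoft Entra ID sign-in log entries
# (Graph signIn resource). The property names are real; every value is made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-08-20T09:01:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-08-21T10:15:00Z",
     "ipAddress": "203.0.113.11", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-08-22T08:30:00Z",
     "ipAddress": "203.0.113.20", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    # Device code sign-in from a network alice has never used interactively.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-08-28T14:02:00Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # Device code sign-in from bob's usual network (e.g. an admin using a CLI tool).
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-08-28T14:05:00Z",
     "ipAddress": "203.0.113.20", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
    # Same source IP as alice's device code sign-in, for a user with no baseline.
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-08-28T14:06:00Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
]


def network_of(ip: str) -> str:
    """Collapse an address to its /24 so small DHCP changes do not break the baseline."""
    return str(ip_network(f"{ip}/24", strict=False))


def is_success(record: dict) -> bool:
    return record.get("status", {}).get("errorCode", 1) == 0


def build_baseline(signins: list) -> dict:
    """Per user, the set of /24 networks seen in successful non-device-code sign-ins."""
    baseline = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode" and is_success(s):
            baseline[s["userPrincipalName"]].add(network_of(s["ipAddress"]))
    return baseline


def find_suspicious_device_code_signins(signins: list) -> list:
    """Return one alert dict per successful device code sign-in, ordered by time.

    severity "high": the source network is new for this user, and/or the same
    source IP completed device code sign-ins for more than one user.
    severity "medium": nothing anomalous beyond the use of the flow itself, which
    still deserves review where device code flow is not expected.
    """
    baseline = build_baseline(signins)
    device_code = sorted(
        (s for s in signins if s.get("authenticationProtocol") == "deviceCode" and is_success(s)),
        key=lambda s: s["createdDateTime"],
    )
    users_per_ip = defaultdict(set)
    for s in device_code:
        users_per_ip[s["ipAddress"]].add(s["userPrincipalName"])

    alerts = []
    for s in device_code:
        user = s["userPrincipalName"]
        reasons = []
        if network_of(s["ipAddress"]) not in baseline.get(user, set()):
            reasons.append("source network never seen in this user's interactive sign-ins")
        if len(users_per_ip[s["ipAddress"]]) > 1:
            reasons.append("same source IP completed device code sign-ins for multiple users")
        severity = "high" if reasons else "medium"
        if not reasons:
            reasons.append("device code flow used; confirm the user expected this authorization")
        alerts.append({
            "time": s["createdDateTime"], "user": user, "ip": s["ipAddress"],
            "app": s.get("appDisplayName", ""), "severity": severity, "reasons": reasons,
        })
    return alerts


def load_signins(path: str) -> list:
    """Load a Graph sign-in export: either a bare JSON array or an object with a 'value' list."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data["value"] if isinstance(data, dict) else data


if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['user']} from {alert['ip']} "
              f"({alert['app']}): " + "; ".join(alert["reasons"]))
```

Running the script over the embedded sample yields a high-severity alert for alice and carol (shared source IP, new network) and a medium one for bob, whose device code sign-in came from his usual network. Against real data, replace `SAMPLE_SIGNINS` with `load_signins(path)`; the baseline should be built from a longer window (weeks) than the device code sign-ins under review so that a normal user has a populated set of networks.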
The operation highlights how APT29 continues to rely on credential theft techniques. In late 2024, Amazon disrupted an RDP phishing scheme in which the group impersonated AWS, and in mid-2025 Google reported the group’s abuse of application-specific passwords to infiltrate accounts tied to academics and government critics. The current wave marks a shift from highly targeted spear-phishing toward scalable campaigns that exploit trusted authentication flows rather than relying on custom malware.