Russian spies use remote desktop protocol files in unusual mass phishing drive
Microsoft reported a mass phishing campaign by the Russian SVR's Midnight Blizzard group, targeting various organizations with RDP file attachments in emails, potentially exposing sensitive data and enabling malware installation.
Microsoft has reported an ongoing mass phishing campaign attributed to the Russian intelligence agency SVR, specifically the Midnight Blizzard group. This campaign, which began on October 22, targets a wide range of organizations, including governments, NGOs, and academic institutions, using a novel technique involving remote desktop protocol (RDP) configuration files as attachments in phishing emails. Unlike their typical highly targeted approach, Midnight Blizzard has cast a broader net, sending emails to thousands across more than 100 organizations. The RDP files, if executed, establish a connection to a server controlled by the attackers, potentially exposing sensitive information and allowing for further malware installation. The emails were primarily in Ukrainian and aimed at organizations in the UK, Europe, Australia, and Japan, often impersonating Microsoft or other cloud service providers to enhance credibility. The campaign may have been in planning since at least August, and while the success rate of these attacks remains unclear, they align with Midnight Blizzard's history of targeting sensitive data for intelligence purposes. This incident follows previous breaches attributed to the same group, including a significant breach of Microsoft's own systems earlier this year.
- Microsoft reports a mass phishing campaign by Russian spies using RDP files.
- The campaign targets a wide range of organizations, deviating from the group's usual tactics.
- Phishing emails impersonate Microsoft and other cloud providers to gain trust.
- The RDP files can expose sensitive information and facilitate malware installation.
- The campaign may have been planned since at least August 2024.
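As an added illustration, not code from the article or from Microsoft's report: a defender-side triage check for .rdp email attachments of the kind described above. It parses the RDP file format (one `key:type:value` setting per line) and flags settings that hand local resources to the remote host once a session is established, plus any destination outside an allowlist. The allowlist suffix and the sample file are constructed for the example.

```python
# Added example: triage an .rdp attachment before a user can double-click it.
# An RDP file that points at an attacker-controlled server and enables resource
# redirection gives that server access to local drives, clipboard, and more.
import re

# Settings that expose local resources to the remote machine when enabled.
RISKY_FLAGS = {
    "drivestoredirect": lambda v: v.strip() != "",   # local drives shared
    "devicestoredirect": lambda v: v.strip() != "",  # plug-and-play devices
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectwebauthn": lambda v: v == "1",          # passkeys / security keys
}

# Constructed allowlist placeholder: destinations the organization expects.
ALLOWED_HOST_SUFFIXES = (".corp.example",)

# RDP files use "key:type:value"; type is s (string), i (integer) or b (binary).
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<val>.*)$")


def parse_rdp(text):
    """Return a dict of lower-cased setting name -> raw value string."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m.group("key").lower()] = m.group("val")
    return settings


def triage_rdp(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    s = parse_rdp(text)
    findings = []
    # "full address" may carry a port; compare only the host part.
    host = s.get("full address", "").split(":")[0].lower()
    if host and not host.endswith(ALLOWED_HOST_SUFFIXES):
        findings.append(f"connects to non-allowlisted host {host}")
    for key, is_risky in RISKY_FLAGS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key} enabled ({s[key]})")
    return findings


# Constructed sample attachment, not a real indicator from the campaign.
SAMPLE = """\
full address:s:rdp.attacker-controlled.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectwebauthn:i:1
username:s:victim
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE):
        print("finding:", finding)
```

In mail-gateway use, any non-empty result from `triage_rdp` is grounds to quarantine the attachment rather than deliver it.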
Related
Microsoft Alerts More Customers to Email Theft in Expanding
Microsoft alerts more customers about email theft post-Midnight Blizzard hack by Russian government. Stolen emails accessed, shared with affected organizations for transparency. Ongoing attack used for planning further attacks. Assistance provided to mitigate risks.
Microsoft tells yet more customers their emails have been stolen
Microsoft notifies customers of email theft by Russian criminals, expanding breach scope. Compromised accounts' correspondents informed. US auto dealers face disruptions from cyber incident linked to CDK software. Rabbit R1 AI devices' security flaw disclosed. EU sanctions Russians for cyber attacks.
China-linked cyber-spies infect Russian govt, IT sector
Chinese cyber-spies compromised Russian government and IT systems using malware, including GrewApacha and CloudSorcerer, through phishing emails and cloud services, indicating collaboration among state-sponsored hacking groups.
Microsoft says more ransomware stopped before reaching encryption
Microsoft's Digital Defense Report reveals a 2.75 times increase in ransomware attacks, yet encryption incidents have decreased threefold. Social engineering remains a threat, with recommendations for multi-factor authentication and operational security.
Microsoft creates fake Azure tenants to pull phishers into honeypots
Microsoft is using realistic honeypot Azure tenants to attract and monitor phishing attackers, collecting intelligence on their methods to enhance cybersecurity and disrupt phishing campaigns effectively.