Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.
Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post the company posted Wednesday sheds light on the group.
The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers, or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.
By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.
The researchers declined to comment on possible Chinese government agency connections. But they see overlap with Chinese hacking groups like the one they’ve labeled UNC5221 — perhaps best known for exploiting Ivanti flaws, and a group that Mandiant and GTIIG described as the “most prevalent” Chinese-centered threat group right now — and the one Microsoft calls Silk Typhoon, which researchers warned recently has been ramping up its attacks this year, with targets including IT supply chains and the cloud. Silk Typhoon is believed to be Chinese government-sponsored.
The company has also developed a tool for potential victims to discover if they’ve been affected by Brickstorm activity, which Google experts indicated is a distinct possibility that could impact scores of organizations over the coming weeks.
“We have no doubt that organizations will use our tools to hunt for this adversary, and they will find evidence of compromise in their environments,” Charles Carmakal, chief technology officer at Mandiant Consulting, told reporters briefed on the blog post. “And it may be active compromises, it might be historic compromises, but many of our organizations are going to discover that they were dealing with this adversary.”
Sneaky, sneaky
The campaign’s average “dwell time” is 400 days, they said, compared to dwell times more commonly measured in days or weeks.
Several features obscure Brickstorm activity. “It’s very hard to detect them and to investigate them,” said Austin Larsen, principal threat analyst at GTIG.
The hackers target systems that don’t support defenses for finding and tracking threats on endpoints, such as laptops or cell phones. Examples of target systems that don’t support that kind of endpoint detection and response (EDR) include email security gateways or vulnerability scanners. They consistently target VMware vCenter and ESXi hosts, according to the blog post.
The researchers also never see overlap between the internet protocols of the attackers between victims, Larsen said, or another way of identifying attackers: “The hashes when they land on this are different for essentially every system.”
Brickstorm attackers also “clean up after themselves” at times, Carmakal said. “Brickstorm may not exist in a victim environment today, but it could have been there for a year and a half. It might have been deleted back in April this year, back in January this year,” he said.
What they want
Brickstorm also isn’t just about one goal. “It’s an intelligence operation, but not just an intelligence operation,” said John Hultquist, chief analyst at GTIG. “This is a long-term play.”
The hackers are primarily compromising victims through zero-days, but they’re aiming to uncover new ones, too, by going through companies’ proprietary source code. That gives them multiple ways to penetrate new victim networks.
The Brickstorm hackers “hit the SaaS providers, who either hold data for people, or they have some connectivity to downstream,” Hultquist said. Or he said the group can “get a hold of the technology source code and leverage that source code information to gain access or to build out exploits in that technology, which would then give [them] basically a skeleton key to that technology.”
But its victims can be even more precise than that. “As part of this campaign, we observed in some organizations — including some legal organizations — we observed the actor searching the emails of very specific individuals,” Larsen said. The hackers have focused on collecting espionage on international trade and national security from those organizations.
Google has been tracking Brickstorm for a while now. This spring, Belgian cybersecurity company NVISO also shined the spotlight on Brickstorm variants spying on European businesses. Google’s latest blog post identifies Brickstorm activity as far more extensive than previously described.
The response
Mandiant and GTIG have notified U.S. federal agencies and international governments about the campaign.
The tool is a scanner script that can be used on Unix systems, even if YARA (a common security tool used to find and identify malware) isn’t installed. This script is designed to do the same type of search as a specific YARA rule by looking for certain words and patterns that are unique to the Brickstorm backdoor.
“The most important thing here is, if you find Brickstorm, you really need to do a very thorough enterprise investigation, because the adversary that’s dropping this is a very, very advanced adversary that is known for stealing intellectual property from organizations,” Carmakal said. “It’s known for using access from victim companies to get into downstream customer environments.”
It’s all a “very, very significant threat campaign [that’s] very, very hard to defend against in tech,” Carmakal said.
Updated 9/24/25: with additional information about past Brickstorm reporting.
Void Blizzard is a new threat actor Microsoft Threat Intelligence has observed conducting espionage operations primarily targeting organizations that are important to Russian government objectives. These include organizations in government, defense, transportation, media, NGOs, and healthcare, especially in Europe and North America. They often use stolen sign-in details that they likely buy from online marketplaces to gain access to organizations. Once inside, they steal large amounts of emails and files. In April 2025, Microsoft Threat Intelligence observed Void Blizzard begin using more direct methods to steal passwords, such as sending fake emails designed to trick people into giving away their login information.
We thank our partners at Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) for the collaboration on investigating Void Blizzard (also known as LAUNDRY BEAR). You can read their statement here. We also thank our partners at the US Federal Bureau of Investigation for their continued collaboration on investigating Void Blizzard targeting.
Microsoft Threat Intelligence Center has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard (LAUNDRY BEAR), who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. While Void Blizzard has a global reach, their cyberespionage activity disproportionately targets NATO member states and Ukraine, indicating that the actor is likely collecting intelligence to help support Russian strategic objectives. In particular, the threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies to Ukraine in general.
Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The threat actor uses stolen credentials—which are likely procured from commodity infostealer ecosystems—and collects a high volume of email and files from compromised organizations.
In April 2025, Microsoft Threat Intelligence Center observed Void Blizzard evolving their initial access techniques to include targeted spear phishing for credential theft. While Void Blizzard’s tactics, techniques, and procedures (TTPs) are not unique among advanced persistent threat actors or even Russian nation state-sponsored groups, the widespread success of their operations underscores the enduring threat from even unsophisticated TTPs when leveraged by determined actors seeking to collect sensitive information.
In this report, we share our analysis of Void Blizzard’s targeting and TTPs, with the goal of enabling the broader community to apply specific detections and mitigation guidance to disrupt and protect against Void Blizzard’s operations. We extend our gratitude to our partners at the Netherlands General Intelligence and Security Service (AIVD), the Netherlands Defence Intelligence and Security Service (MIVD), and the US Federal Bureau of Investigation for their collaboration in investigating and raising awareness on Void Blizzard activity and tooling to help organizations disrupt and defend against this threat actor.
Void Blizzard targets
Void Blizzard primarily targets NATO member states and Ukraine. Many of the compromised organizations overlap with past—or, in some cases, concurrent—targeting by other well-known Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard. This intersection suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors. Since mid-2024, Microsoft Threat Intelligence has observed Void Blizzard targeting the following industry verticals, many resulting in successful compromises:
Communications/Telecommunications
Defense Industrial Base
Healthcare
Education
Government agencies and services
Information technology
Intergovernmental organizations
Media
NGOs
Transportation
Void Blizzard regularly targets government organizations and law enforcement agencies, particularly in NATO member states and especially in countries that provide direct military or humanitarian support to Ukraine. Within Ukraine, Void Blizzard has successfully compromised organizations in multiple sectors, including education, transportation, and defense. In October 2024, Void Blizzard compromised several user accounts at a Ukrainian aviation organization that had been previously targeted by Russian General Staff Main Intelligence Directorate (GRU) actor Seashell Blizzard in 2022. This targeting overlap reflects Russia’s long-standing interest in this organization and, more broadly, in aviation-related organizations since Russia’s invasion of Ukraine in 2022. In 2023, another GRU actor, Forest Blizzard, targeted a prominent aviation organization in Ukraine, and since at least August 2024, it has conducted increasing password spray attacks against several NATO member states’ air traffic control providers.
Tools, tactics, and procedures
Initial access
Void Blizzard conducts opportunistic yet targeted high-volume cyberoperations against targets of intelligence value to the Russian government. Their operations predominately leverage unsophisticated techniques for initial access such as password spray and using stolen authentication credentials. Microsoft assesses that Void Blizzard procures cookies and other credentials through criminal ecosystems. These credentials are then used to gain access to Exchange and sometimes SharePoint Online for information collection.
In April 2025, we identified a Void Blizzard adversary-in-the-middle (AitM) spear phishing campaign that targeted over 20 NGO sector organizations in Europe and the United States. The threat actor used a typosquatted domain to spoof the Microsoft Entra authentication portal. Use of a typosquatted domain to spoof Microsoft Entra authentication was a newly observed initial access tactic for this threat actor. This new tactic suggests that Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors.
In this campaign, the threat actor posed as an organizer from the European Defense and Security Summit and sent emails containing messages with a PDF attachment that lured targets with a fake invitation to the Summit.
Figure 1. Phishing email body
The attachment contained a malicious QR code that redirected to Void Blizzard infrastructure micsrosoftonline[.]com, which hosts a credential phishing page spoofing the Microsoft Entra authentication page. We assess that Void Blizzard is using the open-source attack framework Evilginx to conduct the AitM phishing campaign and steal authentication data, including the input username and password and any cookies generated by the server. Evilginx, publicly released in 2017, was the first widely available phishing kit with AitM capabilities.
Figure 2. PDF attachment with malicious QR codeFigure 3. Credential phishing page on actor infrastructure
Post-compromise activity
Despite the lack of sophistication in their initial access methods, Void Blizzard has been effective in gaining access to and collecting information from compromised organizations in critical sectors.
After gaining initial access, Void Blizzard abuses legitimate cloud APIs, such as Exchange Online and Microsoft Graph, to enumerate users’ mailboxes, including any shared mailboxes, and cloud-hosted files. Once accounts are successfully compromised, the actor likely automates the bulk collection of cloud-hosted data (primarily email and files) and any mailboxes or file shares that the compromised user can access, which can include mailboxes and folders belonging to other users who have granted other users read permissions.
In a small number of Void Blizzard compromises, Microsoft Threat Intelligence has also observed the threat actor accessing Microsoft Teams conversations and messages via the Microsoft Teams web client application. The threat actor has also in some cases enumerated the compromised organization’s Microsoft Entra ID configuration using the publicly available AzureHound tool to gain information about the users, roles, groups, applications, and devices belonging to that tenant.
Mitigation and protection guidance
Microsoft Threat Intelligence recommends organizations that are most likely at risk, primarily those in critical sectors including government and defense, to implement the following recommendations to mitigate against Void Blizzard activity:
Hardening identity and authentication
Implement a sign-in risk policy to automate response to risky sign-ins. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner. A sign-in risk-based policy can be implemented by adding a sign-in risk condition to Conditional Access policies that evaluate the risk level of a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multi-factor authentication.
For regular activity monitoring, use Risky sign-in reports, which surface attempted and successful user access activities where the legitimate owner might not have performed the sign-in.
Require multifactor authentication (MFA). While certain attacks attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
Centralize your organization’s identity management into a single platform. If your organization is a hybrid environment, integrate your on-premises directories with your cloud directories. If your organization is using a third-party for identity management, ensure this data is being logged in a SIEM or connected to Microsoft Entra to fully monitor for malicious identity access from a centralized location. The added benefits to centralizing all identity data is to facilitate implementation of Single Sign On (SSO) and provide users with a more seamless authentication process, as well as configure Microsoft Entra ID’s machine learning models to operate on all identity data, thus learning the difference between legitimate access and malicious access quicker and easier. It is recommended to synchronize all user accounts except administrative and high privileged ones when doing this to maintain a boundary between the on-premises environment and the cloud environment, in case of a breach.
Manage mailbox auditing to ensure actions performed by mailbox owners, delegates, and admins are automatically logged. New mailboxes should already have this feature turned on by default.
If a breach or compromise via commodity info stealer is suspected, ensure that any accounts that may have been accessed by that machine have their credentials rotated in addition to removing the malware. Given the widespread use of infostealers in attacks, organizations should immediately respond to infostealer activity and mitigate the risk of credential theft to prevent follow-on malicious activity.
Conduct an audit search in the Microsoft Graph API for anomalous activity.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender for Endpoint
The following alert indicates threat actor activity related to Void Blizzard. Note, however, that this alert can be also triggered by Void Blizzard activity that is not related to the activity covered in this report.
Void Blizzard activity
The following alerts might indicate credential theft activity related to Void Blizzard utilizing commodity information stealers or conducting password spraying techniques. Note, however, that these alerts can be also triggered by unrelated threat activity.
Information stealing malware activity
Password spraying
Microsoft Defender for Identity
The following Microsoft Defender for Identity alerts can indicate associated threat activity. Note, however, that these alerts can be also triggered by unrelated threat activity.
Password Spray
Unfamiliar Sign-in properties
Atypical travel
Suspicious behavior: Impossible travel activity
Microsoft Defender for Cloud Apps
The following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity. Note, however, that these alerts can be also triggered by unrelated threat activity.
Impossible travel
Activity from suspicious IP addresses
Unusual activities (by user)
Microsoft Defender for Cloud
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
AzureHound tool invocation detected
Communication with possible phishing domain
Communication with suspicious domain identified by threat intelligence
Microsoft Entra ID Protection
The following Microsoft Entra ID Protection risk detections inform Entra ID user risk events and can indicate associated threat activity, including unusual user activity consistent with known attack patterns identified by Microsoft Threat Intelligence research. Note, however, that these alerts can be also triggered by unrelated threat activity.
Attacker in the Middle (RiskEventType: attackerinTheMiddle)
Activity from Anonymous IP address (RiskEventType: anonymizedIPAddress)
Microsoft Entra threat intelligence (sign-in): (RiskEventType: investigationsThreatIntelligence)
Suspicious API Traffic (RiskEventType: suspiciousAPITraffic)
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Defender Threat Intelligence
Void Blizzard
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can find related Void Blizzard spear phishing activity related to this threat in their networks by running the following queries.
Possible phishing email targets
The following query can help identify possible email targets of Void Blizzard’s spear phishing attempts
The Microsoft blog Web Shell Threat Hunting with Azure Sentinel provides hunting queries and techniques for Sentinel-specific threat hunting. Several hunting queries are also available below.
NOTE: Microsoft Sentinel customers can use the following queries to detect phishing attempts and email exfiltration attempts via Graph API. While these queries are not specific to threat actors, they can help you stay vigilant and safeguard your organization from phishing attacks. These queries search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potentially related indicators for more than a week, go to the Advanced hunting page > Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days.
If a query provides high value insights into possible malicious or otherwise anomalous behavior, you can create a custom detection rule based on that query and surface those insights as custom alerts. To do this in the Defender XDR portal, run the query in the Advanced hunting page and select Create detection rule. To do this in the Sentinel portal, use hunting capabilities to run and view the query’s results, then select New alert rule > Create Microsoft Sentinel alert.
Campaign with suspicious keywords
In this detection, we track emails with suspicious keywords in subjects.
let PhishingKeywords = ()
{pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation","login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where isempty(SenderObjectId)
| where Subject has_any (PhishingKeywords())
Determine successfully delivered phishing emails to Inbox/Junk folder
This query identifies threats which got successfully delivered to Inbox/Junk folder.
This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network device and subsequently makes successful sign-in attempts from the phishing IP address.
let Alert_List= dynamic([
"Phishing link click observed in Network Traffic",
"Phish delivered due to an IP allow policy",
"A potentially malicious URL click was detected",
"High Risk Sign-in Observed in Network Traffic",
"A user clicked through to a potentially malicious URL",
"Suspicious network connection to AitM phishing site",
"Messages containing malicious entity not removed after delivery",
"Email messages containing malicious URL removed after delivery",
"Email reported by user as malware or phish",
"Phish delivered due to an ETR override",
"Phish not zapped because ZAP is disabled"]);
SecurityAlert
| where AlertName in~ (Alert_List)
//Findling Alerts which has the URL
| where Entities has "url"
//extracting Entities
| extend Entities = parse_json(Entities)
| mv-apply Entity = Entities on
(
where Entity.Type == 'url'
| extend EntityUrl = tostring(Entity.Url)
)
| summarize
Url=tostring(tolower(take_any(EntityUrl))),
AlertTime= min(TimeGenerated),
make_set(SystemAlertId, 100)
by ProductName, AlertName
// matching with 3rd party network logs and 3p Alerts
| join kind= inner (CommonSecurityLog
| where DeviceVendor has_any ("Palo Alto Networks", "Fortinet", "Check Point", "Zscaler")
| where DeviceProduct startswith "FortiGate" or DeviceProduct startswith "PAN" or DeviceProduct startswith "VPN" or DeviceProduct startswith "FireWall" or DeviceProduct startswith "NSSWeblog" or DeviceProduct startswith "URL"
| where DeviceAction != "Block"
| where isnotempty(RequestURL)
| project
3plogTime=TimeGenerated,
DeviceVendor,
DeviceProduct,
Activity,
DestinationHostName,
DestinationIP,
RequestURL=tostring(tolower(RequestURL)),
MaliciousIP,
SourceUserName=tostring(tolower(SourceUserName)),
IndicatorThreatType,
ThreatSeverity,
ThreatConfidence,
SourceUserID,
SourceHostName)
on $left.Url == $right.RequestURL
// matching successful Login from suspicious IP
| join kind=inner (SigninLogs
//filtering the Successful Login
| where ResultType == 0
| project
IPAddress,
SourceSystem,
SigniningTime= TimeGenerated,
OperationName,
ResultType,
ResultDescription,
AlternateSignInName,
AppDisplayName,
AuthenticationRequirement,
ClientAppUsed,
RiskState,
RiskLevelDuringSignIn,
UserPrincipalName=tostring(tolower(UserPrincipalName)),
Name = tostring(split(UserPrincipalName, "@")[0]),
UPNSuffix =tostring(split(UserPrincipalName, "@")[1]))
on $left.DestinationIP == $right.IPAddress and $left.SourceUserName == $right.UserPrincipalName
| where SigniningTime between ((AlertTime - 6h) .. (AlertTime + 6h)) and 3plogTime between ((AlertTime - 6h) .. (AlertTime + 6h))
Phishing link click observed in network traffic
The purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft network devices.
//Finding MDO Security alerts and extracting the Entities user, Domain, Ip, and URL.
let Alert_List= dynamic([
"Phishing link click observed in Network Traffic",
"Phish delivered due to an IP allow policy",
"A potentially malicious URL click was detected",
"High Risk Sign-in Observed in Network Traffic",
"A user clicked through to a potentially malicious URL",
"Suspicious network connection to AitM phishing site",
"Messages containing malicious entity not removed after delivery",
"Email messages containing malicious URL removed after delivery",
"Email reported by user as malware or phish",
"Phish delivered due to an ETR override",
"Phish not zapped because ZAP is disabled"]);
SecurityAlert
|where ProviderName in~ ("Office 365 Advanced Threat Protection", "OATP")
| where AlertName in~ (Alert_List)
//extracting Alert Entities
| extend Entities = parse_json(Entities)
| mv-apply Entity = Entities on
(
where Entity.Type == 'account'
| extend EntityUPN = iff(isempty(Entity.UserPrincipalName), tostring(strcat(Entity.Name, "@", tostring (Entity.UPNSuffix))), tostring(Entity.UserPrincipalName))
)
| mv-apply Entity = Entities on
(
where Entity.Type == 'url'
| extend EntityUrl = tostring(Entity.Url)
)
| summarize AccountUpn=tolower(tostring(take_any(EntityUPN))),Url=tostring(tolower(take_any(EntityUrl))),AlertTime= min(TimeGenerated)by SystemAlertId, ProductName
// filtering 3pnetwork devices
| join kind= inner (CommonSecurityLog
| where DeviceVendor has_any ("Palo Alto Networks", "Fortinet", "Check Point", "Zscaler")
| where DeviceAction != "Block"
| where DeviceProduct startswith "FortiGate" or DeviceProduct startswith "PAN" or DeviceProduct startswith "VPN" or DeviceProduct startswith "FireWall" or DeviceProduct startswith "NSSWeblog" or DeviceProduct startswith "URL"
| where isnotempty(RequestURL)
| where isnotempty(SourceUserName)
| extend SourceUserName = tolower(SourceUserName)
| project
3plogTime=TimeGenerated,
DeviceVendor,
DeviceProduct,
Activity,
DestinationHostName,
DestinationIP,
RequestURL=tostring(tolower(RequestURL)),
MaliciousIP,
Name = tostring(split(SourceUserName,"@")[0]),
UPNSuffix =tostring(split(SourceUserName,"@")[1]),
SourceUserName,
IndicatorThreatType,
ThreatSeverity,AdditionalExtensions,
ThreatConfidence)on $left.Url == $right.RequestURL and $left.AccountUpn == $right.SourceUserName
// Applied the condition where alert trigger 1st and then the 3p Network activity execution
| where AlertTime between ((3plogTime - 1h) .. (3plogTime + 1h))
Suspicious URL clicked
This query correlates Microsoft Defender for Office 365 signals and Microsoft Entra ID identity data to find the relevant endpoint event BrowerLaunchedToOpen in Microsoft Defender ATP. This event reflects relevant clicks on the malicious URL in the spear phishing email recognized by Microsoft Defender for Office 365.
// Some URLs are wrapped with SafeLinks
// Let's get the unwrapped URL and clicks
AlertInfo
| where ServiceSource =~ "Microsoft Defender for Office 365"
| join (
AlertEvidence
| where EntityType =="Url"
| project AlertId, RemoteUrl
)
on AlertId
| join (
AlertEvidence
| where EntityType =="MailMessage"
| project AlertId, NetworkMessageId
)
on AlertId
// Get the unique NetworkMessageId for the email containing the Url
| distinct RemoteUrl, NetworkMessageId
| join EmailEvents on NetworkMessageId
// Get the email RecipientEmailAddress and ObjectId from the email
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId
| join kind = inner IdentityInfo on $left.RecipientObjectId == $right.AccountObjectId
// get the UserSid of the Recipient
| extend OnPremSid = AccountSID
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId, OnPremSid
// Get the Url click event on the recipient device.
| join kind = inner
(DeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl"| where isnotempty(RemoteUrl)
| project UrlDeviceClickTime = Timestamp , UrlClickedByUserSid = RemoteUrl,
InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName
)
on $left.OnPremSid == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid
| distinct UrlDeviceClickTime, RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,
OnPremSid, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName
| sort by UrlDeviceClickTime desc
Anomalies in MailItemAccess by GraphAPI
This query looks for anomalies in mail item access events made by Graph API. It uses standard deviation to determine if the number of events is anomalous.
let starttime = 30d;
let STDThreshold = 2.5;
let allMailAccsessByGraphAPI = CloudAppEvents
| where ActionType == "MailItemsAccessed"
| where Timestamp between (startofday(ago(starttime))..now())
| where isnotempty(RawEventData['ClientAppId'] ) and RawEventData['AppId'] has "00000003-0000-0000-c000-000000000000"
| extend ClientAppId = tostring(RawEventData['ClientAppId'])
| extend OperationCount = toint(RawEventData['OperationCount'])
| project Timestamp,OperationCount , ClientAppId;
let calculateNumberOfMailPerDay = allMailAccsessByGraphAPI
| summarize NumberOfMailPerDay =sum(toint(OperationCount)) by ClientAppId,format_datetime(Timestamp, 'y-M-d');
let calculteAvgAndStdev=calculateNumberOfMailPerDay
| summarize avg=avg(NumberOfMailPerDay),stev=stdev(NumberOfMailPerDay) by ClientAppId;
calculteAvgAndStdev | join calculateNumberOfMailPerDay on ClientAppId
| sort by ClientAppId
| where NumberOfMailPerDay > avg + STDThreshold * stev
| project ClientAppId,Timestamp,NumberOfMailPerDay,avg,stev
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
Since April 2024, the threat actor that Microsoft Threat Intelligence tracks as Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger, a multiplatform chat software. These exploits have resulted in collection of related user data from targets in Iraq. Microsoft Threat Intelligence assesses with high confidence that the targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities.
Microsoft Threat Intelligence assesses with moderate confidence that Marbled Dust conducts reconnaissance to determine whether their targets are Output Messenger users and chooses this attack vector based on that knowledge. Successful exploitation allows the threat actor to deliver multiple malicious files and exfiltrate data from targets.
Upon discovering the Output Messenger zero-day vulnerability (CVE-2025-27920), Microsoft notified Srimax, the developer of the messaging app, who issued a software update. Microsoft also identified a second vulnerability in Output Messenger (CVE-2025-27921) for which Srimax has also released a patch; however, Microsoft has not observed exploitation of this second vulnerability. We acknowledge Srimax for their collaboration and for addressing both vulnerabilities.
In this blog, we present details on how Marbled Dust uses the Output Messenger zero-day exploit in the attack chain of this campaign. We also share mitigation and protection guidance, and detection details and hunting queries. Microsoft Threat Intelligence recommends users upgrade Output Messenger to its latest version to address the vulnerability leveraged by Marbled Dust.
Who is Marbled Dust?
Microsoft Threat Intelligence assesses that Marbled Dust operates as a Türkiye-affiliated espionage threat actor. Marbled Dust targets entities in Europe and the Middle East, particularly government institutions and organizations that likely represent counter interests to the Turkish government, as well as targets in the telecommunications and information technology sectors. Marbled Dust overlaps with activity tracked by other security vendors as Sea Turtle and UNC1326.
In previous campaigns, Marbled Dust was observed scanning targeted infrastructure for known vulnerabilities in internet-facing appliances or applications and exploiting these vulnerabilities as a means of gaining initial access to target infrastructure providers. They were also observed using access to compromised DNS registries and/or registrars to reset the DNS server configuration of government organizations in various countries to intercept traffic, enabling them to log and reuse stolen credentials.
This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach. The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent.
Output Messenger zero-day
Microsoft security researchers identified the zero-day vulnerability exploited by Marbled Dust. This directory traversal vulnerability (CVE-2025-27920) in the Output Messenger Server Manager application could allow an authenticated user to upload malicious files into the server’s startup directory. Marbled Dust exploited this vulnerability to save the malicious file OMServerService.vbs to the startup folder.
The Output Messenger Server Manager application provides the server owner with the option to enable an output drive, allowing users to upload and download files from the server. Once this is enabled, any user can upload files to the server. By default, these files are stored at C:\Program Files\Output Messenger Server\OfflineMessages\Temp\1\File on the server. Once a user is authenticated, they can upload a file and replace the “name” value in the request with their directory traversal string, for example, name=”../../../../../../../../../../ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/OMServerService.vbs.
In the Output Messenger architecture, the client and server communicate to provide messaging, file sharing, and other collaborative features. When the client is launched, it connects to the server and sends user credentials to the server for validation before the server authenticates the user. Messages sent from the client are forwarded to the server, which acts as a relay. When a file is shared via the client, it can either be directly transferred to another user or stored on the server for later retrieval.
Once Marbled Dust gains access to the Output Messenger server, the threat actor can leverage Output Messenger system architecture to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, which could lead to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.
Attack chain
The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager application as an authenticated user. While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity.
Marbled Dust uses this foothold in a single victim to collect the user’s Output Messenger credentials and exploit the CVE-2025-27920 vulnerability, a directory traversal attack in the Output Messenger Server Manager application that allows an authenticated user to drop malicious files to the server’s startup directory. Marbled Dust drops the malicious files OM.vbs and OMServerService.vbs to the Output Messenger server startup folder and drops the malicious file OMServerService.exe to the server’s Users/public/videos directory.
Marbled Dust then uses OMServerService.vbs to call OM.vbs, which is passed to OMServerService.exe as an argument. At the time of reporting, file OM.vbs was not available for analysis. OMServerService.exe, on the other hand, is a GoLang backdoor masquerading as the legitimate file of the same name. GoLang is particularly effective in this case because it is not sensitive to OS versions. In some cases, OMServerService.exe is observed connecting to a hardcoded domain, api.wordinfos[.]com, for data exfiltration.
Figure 1. The Marbled Dust attack chain
On the client side, the installer extracts and executes both the legitimate file OutputMessenger.exe and OMClientService.exe, another GoLang backdoor that connects to a Marbled Dust command-and-control (C2) domain. This backdoor first performs a connectivity check via GET request to the C2 domain api.wordinfos[.]com. If successful, a second GET request is sent to the same C2 containing hostname information to uniquely identify the victim. The response from the C2 is then directly executed using the command “cmd /c” which instructs the Windows command prompt to run a specific command and then terminate.
In at least one case, a victim device with the Output Messenger client software was observed connecting to an IP address attributed to Marbled Dust likely for data exfiltration, as these connections coincide with the threat actor issuing commands to collect files with varying file extensions to a RAR file on the desktop. This connection to the Marbled Dust-attributed IP address is frequently accomplished using plink—the command-line version of the PuTTY SSH client for Windows.
Mitigations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
Strengthen operating environment configuration
Ensure that Output Messenger is updated to a version that is not affected by the vulnerability:
Use a vulnerability management system, such as Microsoft Defender Vulnerability Management, to manage vulnerabilities, weaknesses, and remediation efforts across your environment’s operating systems, software inventories, and network devices.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
Organizations can also use Microsoft Defender External Attack Surface Management (EASM), a tool that continuously discovers and maps digital attack surface to provide an external view of your online infrastructure. EASM leverages vulnerability and infrastructure data to generate Attack Surface Insights, reporting that highlights key risks to a given organization.
Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors.
Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender for Endpoint
Alerts with the following title in the security center can indicate threat activity on your network:
Marbled Dust activity group
Microsoft Defender for Cloud
The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
Traffic detected from IP addresses recommended for blocking
Communication with suspicious domain identified by threat intelligence
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries and component search
Microsoft Defender XDR component search
Microsoft Defender XDR customers can search for Output Messenger components in their environment through the XDR portal Intel explorer components search function.
Navigate to Intel Explorer. Search for “output messenger”. On the summary tab, scroll down to “Components on IP” and click the View all selection at the bottom to display the full results. Note: the results of the search may not include the version of the Output Messenger component.
Microsoft Defender XDR advanced hunting queries
Microsoft Defender XDR customers can run the following query to find related activity in their networks:
OMServerService.vbs script
Surface devices that possess the OMServerService.vbs file that attempts to launch the Marbled Dust GoLang backdoor.
DeviceFileEvents
| where FileName == "OMServerService.vbs"
| where FolderPath has @"/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, AdditionalFields
Marbled Dust C2
Surface devices that might have communicated with Marbled Dust C2.
Executable file or launch script (requires Microsoft Defender XDR)
Identify devices that might have the executable file or launch script present as part of this activity.
DeviceFileEvents
| where FileName == "OM.vbs" or FileName == "OMServerService.exe"
| where FolderPath has @"c:\users\public\videos\"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, AdditionalFields
Marbled Dust VBS script file hashes (requires Microsoft Defender XDR)
Search for the file hashes associated with the Marbled Dust VBS script files used in this activity.
let fileHashes = dynamic(["1df959e4d2f48c4066fddcb5b3fd00b0b25ae44f350f5f35a86571abb2852e39",
"2b7b65d6f8815dbe18cabaa20c01be655d8475fc429388a4541eff193596ae63"]);
union
(
DeviceFileEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
DeviceEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
DeviceImageLoadEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
DeviceProcessEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc
Indicators of compromise
Indicator
Type
Description
First seen
Last seen
hxxps://api.wordinfos[.]com
Domain
C2
4/5/2024
5/12/2025
Learn more
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
Login
