The UK’s National Cyber Security Centre (NCSC) has issued a stark warning about Russian email malware that targets Microsoft cloud services. The malware, now dubbed AUTHENTIC ANTICS, allows threat actors to hijack user accounts and silently exfiltrate data.

The attack is linked to APT28, a Russian military intelligence unit tied to the GRU’s 85th Main Special Service Centre—also known as Unit 26165, Fancy Bear, Forest Blizzard, and Blue Delta.


What Does the Malware Do?

AUTHENTIC ANTICS enables persistent access to Microsoft 365 accounts by mimicking normal activity. Once active, it:

  • Prompts users with realistic Microsoft login windows
  • Steals credentials and OAuth tokens
  • Accesses services like Exchange Online, SharePoint, and OneDrive
  • Sends stolen data via email—without leaving a trace in the “sent” folder

Researchers say the malware is carefully crafted to blend in with Outlook’s legitimate processes. It generates infrequent, convincing prompts to avoid suspicion.

“The malware cleverly exploits an increasing familiarity with Microsoft authentication prompts,” NCSC stated.


How Is It Delivered?

That’s still unclear. Researchers haven’t disclosed the exact delivery method, but they confirm the malware runs within the Outlook process and communicates only with legitimate Microsoft services—making detection much harder.

This stealthy behavior ensures it avoids triggering traditional security alerts.
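One defensive check that follows from the behaviour described above (mail sent from a mailbox with no copy in Sent Items, by a client that looks like Outlook): an added example, not code from the NCSC advisory or this article, that correlates mailbox-audit "Send" records with an inventory of each mailbox's Sent Items folder. The field names are assumptions modelled on Exchange Online mailbox audit entries, and every value below is constructed.

```python
import json

# Constructed sample audit lines. Field names (Operation, MailboxOwnerUPN,
# ClientInfoString, Item.Subject, Item.InternetMessageId) are assumptions
# modelled on Exchange Online mailbox-audit records; values are invented.
AUDIT_LOG_LINES = [
    '{"Operation":"Send","MailboxOwnerUPN":"alice@example.test",'
    '"ClientInfoString":"Client=Outlook",'
    '"Item":{"Subject":"Q3 budget","InternetMessageId":"<m1@example.test>"}}',
    '{"Operation":"Send","MailboxOwnerUPN":"alice@example.test",'
    '"ClientInfoString":"Client=Outlook",'
    '"Item":{"Subject":"FW: archive","InternetMessageId":"<m2@example.test>"}}',
    '{"Operation":"MoveToDeletedItems","MailboxOwnerUPN":"alice@example.test",'
    '"ClientInfoString":"Client=Outlook",'
    '"Item":{"Subject":"hello","InternetMessageId":"<m3@example.test>"}}',
    '{"Operation":"Send","MailboxOwnerUPN":"bob@example.test",'
    '"ClientInfoString":"Client=Outlook",'
    '"Item":{"Subject":"lunch","InternetMessageId":"<m4@example.test>"}}',
]

# Constructed inventory: message IDs actually present in each Sent Items folder.
SENT_ITEMS_BY_MAILBOX = {
    "alice@example.test": {"<m1@example.test>"},
    "bob@example.test": {"<m4@example.test>"},
}


def find_unrecorded_sends(audit_lines, sent_items_by_mailbox):
    """Return (mailbox, message_id, subject) for each audited Send whose
    message never appeared in that mailbox's Sent Items folder."""
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("Operation") != "Send":
            continue
        mailbox = rec["MailboxOwnerUPN"]
        item = rec.get("Item", {})
        msg_id = item.get("InternetMessageId")
        # ClientInfoString is deliberately not used as a signal: the malware
        # runs inside the Outlook process, so the client looks legitimate.
        if msg_id not in sent_items_by_mailbox.get(mailbox, set()):
            findings.append((mailbox, msg_id, item.get("Subject")))
    return findings


if __name__ == "__main__":
    for mailbox, msg_id, subject in find_unrecorded_sends(
        AUDIT_LOG_LINES, SENT_ITEMS_BY_MAILBOX
    ):
        print(f"ALERT {mailbox}: sent {msg_id} ({subject!r}) not in Sent Items")
```

The comparison against the Sent Items inventory is the point: an audited send with no corresponding sent item is the gap the article describes, whereas the client string alone tells you nothing.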


Who’s Behind It?

The NCSC attributes the malware to APT28, a known Russian state-backed group. The group has a long history of cyber operations targeting governments, think tanks, and defense sectors worldwide.

APT28 is notorious for its:

  • Sophisticated phishing campaigns
  • Exploitation of zero-day vulnerabilities
  • Use of stolen credentials for long-term infiltration

UK Responds with Sanctions

In response to the malware’s discovery, UK Foreign Secretary David Lammy issued a bold statement:

“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it.”

The UK has issued new sanctions against Russian spies, aiming to disrupt future attacks and hold those responsible accountable.


Conclusion

The emergence of Russian email malware like AUTHENTIC ANTICS proves that cyber espionage is growing more sophisticated. By exploiting Microsoft login behaviors and mimicking legitimate activity, APT28 has once again blurred the line between normal and malicious. Organizations must stay vigilant—and governments must continue exposing threats hiding in plain sight.
