• by Laurie Sullivan  @lauriesullivan, May 28, 2021

Microsoft today reported yet another large-scale email system hack, as brands search for a way to identify specific consumers to target personalized ads.

This attack comes on the heels of several other breaches including SolarWinds, Ubiquiti, and the Colonial Pipeline.

The latest breach was reported last yesterday by the Microsoft Threat Intelligence Center (MSTIC).

The group estimates that about 3,000 email accounts belonging to more than 150 organizations across 24 countries were compromised. Raymond James Analyst Aaron Kessler reports in a research note published today that one-quarter of the organizations breached were involved in international development, humanitarian, and human rights work.

Microsoft reported that the wide-scale malicious email campaign was done by Nobelium, the same threat behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and GoldMax malware.

Kessler wrote in his research note that “Microsoft’s rationale for attribution is that Nobelium uses a unique infrastructure and tooling for each attack. This digital footprint is what is supposedly unique to this group.”

The hackers sent phishing emails -- spoof messages that trick people into providing sensitive information or downloading harmful software.

On May 25, 2021, the campaign grew as Nobelium used Constant Contact, a mass mailing email service, to masquerade as a U.S.-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals. The process is explained here. 

MSTIC identified [in February] a wave of phishing emails that leveraged the Google Firebase platform to stage an ISO file containing malicious content, while also leveraging this platform to record attributes of those who accessed the URL,” Microsoft wrote in a blog post. “MSTIC traced the start of this campaign to January 28, 2021, when the actor was seemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to record targets who clicked. No delivery of a malicious payload was observed during this early activity.”

The Kremlin told Reuters on Friday that it does not have any information on the cyberattack and that Microsoft needs to answer more questions, including how the attack is linked to Russia. U.S. President Joe Biden is expected to meet Russian President Vladimir Putin in Geneva on June 16.