
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,519 of 2,445   
   Mike Powell to All   
   UK warns Russian Fancy Be   
   21 Jul 25 09:04:48   
   
   TZUTC: -0500   
   MSGID: 1252.consprcy@1:2320/105 2ce383e4   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   UK warns Russian Fancy Bear hackers are targeting Microsoft 365 accounts   
      
   Date:   
   Mon, 21 Jul 2025 13:42:40 +0000   
      
   Description:   
   Western companies helping Ukraine are being targeted with sophisticated   
   Authentic Antics malware.   
      
   FULL STORY   
      
   Russian cybercriminals are targeting Microsoft 365 accounts with specialized
   malware, the UK government's cybersecurity arm has warned.
      
   The UK National Cyber Security Centre (NCSC) has published a new technical   
   deep dive, detailing a sophisticated piece of malware called Authentic    
   Antics, first spotted in 2023, but only now attributed to APT28 - a known,   
   state-sponsored threat actor from Russia, working for the country's General
   Staff Main Intelligence Directorate (GRU).    
      
   APT28 is also known as Fancy Bear or Forest Blizzard and has been attributed   
   to many high-profile cyber-espionage campaigns throughout the West.   
      
   Faking Microsoft login   
      
   While the NCSC doesn't detail how the malware gets deployed, it speculates
   that it's most likely through phishing emails or malicious Outlook add-ins.
      
   Once running on the target machine, it targets Microsoft Outlook, looking to   
   steal login credentials and OAuth 2.0 tokens for Microsoft services such as   
   Exchange Online, SharePoint, or OneDrive.    
      
   It works by sporadically showing fake login prompts that mimic Microsoft's
   authentication windows. It uses environmental keying to make sure it only   
   activates on specific machines, and once the victims try to log in - the   
   information is relayed to the attackers.    
      
   For exfiltration, Authentic Antics uses the victim's email inbox, sending the
   information in an email that later gets deleted from the Sent folder.    
      
   Authentic Antics is part of a broader cyber-espionage campaign, targeting   
   western organizations - especially those who support Ukraine in their war   
   effort against Russia.    
      
   While names weren't mentioned, the NCSC did say APT28 targeted logistics and
   transport organizations, tech firms with access to Microsoft's cloud services,
   government entities in NATO countries, and broader infrastructure such as   
   internet-connected cameras at border crossings, used to track shipments to   
   Ukraine.    
      
   As a result of the findings, the UK has sanctioned GRU operatives, which   
   included three units and 18 officers, Reuters reported.    
      
    Via The Register   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/uk-warns-russian-fancy-bear-hackers-are-targeting-microsoft-365-accounts
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
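
Detection logic for the exfiltration pattern the story describes (a message sent from the victim's mailbox and later deleted from the Sent folder), added here as an example; it is not from the NCSC report, the news story or the original post. The flat record layout, the sample events and the 10-minute default window are constructed assumptions; the `op` values mirror Exchange mailbox-audit action names, and the function name is hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample records. The flat layout is an assumption for this example;
# "op" values mirror Exchange mailbox-audit action names.
SAMPLE_EVENTS = [
    {"time": "2025-07-21T09:00:05", "mailbox": "alice@example.org", "op": "Send",
     "msg_id": "<a1@example.org>", "folder": "Sent Items"},
    {"time": "2025-07-21T09:00:09", "mailbox": "alice@example.org", "op": "HardDelete",
     "msg_id": "<a1@example.org>", "folder": "\\Sent Items"},
    {"time": "2025-07-21T09:10:00", "mailbox": "bob@example.org", "op": "Send",
     "msg_id": "<b1@example.org>", "folder": "Sent Items"},
    {"time": "2025-07-21T13:30:00", "mailbox": "bob@example.org", "op": "SoftDelete",
     "msg_id": "<b1@example.org>", "folder": "\\Sent Items"},
    {"time": "2025-07-21T09:20:30", "mailbox": "carol@example.org", "op": "MoveToDeletedItems",
     "msg_id": "<c2@example.org>", "folder": "\\Inbox"},
    {"time": "2025-07-21T09:30:00", "mailbox": "dave@example.org", "op": "HardDelete",
     "msg_id": "<d1@example.org>", "folder": "\\Sent Items"},
]

DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}


def in_sent_items(folder):
    """True when the folder path names the Sent Items folder."""
    return folder.strip("\\/").lower() == "sent items"


def find_send_then_delete(events, window=timedelta(minutes=10)):
    """Return (mailbox, msg_id, delay_seconds) for each message that was sent
    and then removed from Sent Items in the same mailbox within `window`."""
    sent_at = {}
    hits = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["mailbox"].lower(), ev["msg_id"])
        if ev["op"] == "Send":
            sent_at[key] = when
        elif ev["op"] in DELETE_OPS and in_sent_items(ev.get("folder", "")):
            start = sent_at.get(key)
            # Only flag deletions that follow a recorded send of the same message.
            if start is not None and when - start <= window:
                hits.append((key[0], key[1], int((when - start).total_seconds())))
    return hits


if __name__ == "__main__":
    for mailbox, msg_id, delay in find_send_then_delete(SAMPLE_EVENTS):
        print(f"{mailbox}: {msg_id} removed from Sent Items {delay}s after send")
```

The story does not say how long the malware waits before deleting the message, so the window is a tuning knob: widening it catches slower clean-up at the cost of flagging users who tidy their own Sent folder.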
      



(c) 1994,  bbs@darkrealms.ca