Microsoft provides an update on the tactics, techniques, and procedures (TTPs) of the Russia-linked TA446 (a.k.a. Calisto, Star Blizzard), an actor heavily engaged in espionage campaigns that primarily target cloud-based email service providers hosting both personal and organizational email accounts.
The primary vector of TA446 attacks remains email spear-phishing. The events Microsoft reportedly examined involved password-protected emails, which suggests an evolution in the actor's evasion techniques.
New TTPs were also observed in the delivery mechanism, with email marketing platforms being used to hide the true email sender address. Microsoft specifically reports HubSpot and MailerLite as having been abused for this purpose. The actor uses a dedicated subdomain to craft URLs that subsequently redirect to an actor-controlled Evilginx server, which is used to steal credentials.
Anti-analysis techniques were employed via server-side scripts capable of inspecting requests directed to attacker-controlled domains. If the scripts detect signs of scrapers or any automated tooling consistent with an analysis effort, the requests are dropped, preventing further analysis.
Additional evasion techniques were observed in connection with the actor's infrastructure, which remains hosted on virtual private servers (VPS). However, the actor now uses a DNS provider to obscure the IP addresses of that VPS infrastructure.
At the same time, the actor made efforts to randomize the domain generation algorithm (DGA) for actor-registered domains.