The Russia-linked threat group is harvesting credentials for Microsoft’s cloud offering, and targeting mainly election-related organizations.
The Russia-linked threat group known as APT28 has changed up its tactics to include Office 365 password-cracking and credential-harvesting.
Microsoft researchers have tied APT28 (a.k.a. Strontium, Sofacy or Fancy Bear) to this newly uncovered pattern of O365 activity, which began in April and is ongoing. The attacks have been aimed mainly at U.S. and U.K. organizations directly involved in political elections.