Amazon’s threat intelligence team has disrupted a watering hole campaign conducted by APT29, the Russian state-linked threat group also known as Midnight Blizzard. The operation used compromised websites to redirect visitors into a phishing scheme designed to hijack Microsoft accounts through the device code authentication flow.
How the Campaign Worked
Researchers said APT29 compromised multiple legitimate websites and injected code that silently redirected visitors to attacker-controlled infrastructure. From there, victims were prompted to complete Microsoft’s device code authentication process.
Instead of entering a legitimate authorization code, victims unknowingly authorized APT29-controlled devices. This gave the attackers long-term access to Microsoft services, bypassing traditional login defenses such as passwords and multi-factor authentication.
The approach represents a refinement of phishing campaigns by APT29, shifting from email-driven lures to opportunistic watering hole attacks that capture any unsuspecting visitors.
APT29’s Objectives
APT29 has long been associated with Russia’s Foreign Intelligence Service (SVR). Known for its involvement in the SolarWinds supply chain compromise, the group continues to focus on intelligence collection campaigns targeting Western governments, NGOs, and technology firms.
By exploiting Microsoft’s device code flow, APT29 leveraged a trusted authentication method against its victims. Security analysts said this tactic enabled the group to scale operations and gather access tokens across a broader pool of organizations.
Compromised page, website used in the campaign (Source: Amazon)
Amazon’s Intervention
Amazon confirmed its security team detected and disrupted the campaign by taking down attacker infrastructure linked to the watering hole sites. The company said it also worked with domain registrars and hosting providers to block malicious traffic and prevent further redirection attempts.
“Disrupting this activity highlights our commitment to protecting customers and the wider internet ecosystem,” Amazon’s advisory noted. The company did not specify which websites had been compromised but stressed that affected domains were remediated.
Scaling Tactics from APT29
Researchers emphasized that this campaign shows APT29’s evolution in scaling espionage operations. Instead of highly tailored spear-phishing, the group used opportunistic watering holes to cast a wider net and capture diverse victims.
“Device code phishing is difficult to detect because it leverages Microsoft’s legitimate sign-in experience,” one analyst explained. “Once the victim authorizes the attacker’s device, the access looks legitimate in logs.”
This highlights a growing challenge for defenders: traditional phishing detection methods are less effective against authentication abuse campaigns.
Mitigation Guidance
Security experts recommend organizations:
- Monitor Microsoft sign-in logs for unusual device code authorizations.
- Enforce conditional access policies to restrict which devices can log in.
- Educate employees on phishing techniques beyond email-based attacks.
- Implement robust identity governance to detect unauthorized devices.
Microsoft has not publicly confirmed the incident but is expected to update its security advisories in light of Amazon’s findings.
The disruption of this phishing campaign highlights the escalating tactics of APT29, which continues to refine its espionage tradecraft. By abusing legitimate authentication flows, state-sponsored actors can blend malicious activity with normal traffic, making detection extremely difficult.
For Amazon, the takedown reinforces its growing role as a defender in the cybersecurity ecosystem. For enterprises, the campaign underscores that phishing now extends beyond inboxes — and watering holes remain an effective tool for advanced threat groups.
