HomeWinBuzzer NewsMicrosoft OneDrive Used by Russian Threat Actor for Phishing Attack

Microsoft OneDrive Used by Russian Threat Actor for Phishing Attack

Microsoft Security says the Seaborgium threat group is using Microsoft OneDrive to steal credentials from NATO nations.


has posted a security warning telling customers about a threat from -backed hackers who are using to instigate a phishing campaign. Specifically, the company describes a “highly persistent” threat group that is targeting countries by trying to steal their credentials.

The company calls the group “Seaborgium” and says it has actively been working to steal information from NATO nations, such as the UK and US. Sometimes, the group makes the data it steals public to create disinformation campaigns.

According to the Microsoft Threat Intelligence Center (MSTIC), Seaborgium is using Microsoft OneDrive to reach victims. For example, the group lures unwitting users through impersonation of service attachments or through PDFs with links to attack URLs.

“The victim is presented with what appears to be a failed preview message, enticing the target to click the link to be directed to the credential-stealing infrastructure. Occasionally, Seaborgium makes use of open redirects within the PDF file to further disguise their operational infrastructure,” Microsoft points out

When a user interacts with the link, they get sent to the system used to steal credentials. The group can trick users through a login page designed to look like legitimate providers.

“Seaborgium intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries,” MSTIC adds.

Links with Russia

It is worth noting Seaborgium is not a new threat. Microsoft has been tracking the group since 2017. Although, 2022 has been a prosperous year for the group, with attacks on 30 organizations so far this year. Alongside those corporate attacks, the group is also continuously targeting personal accounts.

Interesting, MSTIC does not point the finger directly at the Russian government for sponsoring the group, although the message from the security team is hardly vague:

“Seaborgium is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests,” explains MSTIC. 

Tip of the day: Having problems with pop-ups and unwanted programs in Windows? Try the hidden adware blocker of Windows Defender. We show you how to turn it on in just a few steps.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News