APT29 Watering Hole Campaign Exposed: Russian Hackers Abuse Microsoft Device Code Authentication

Amazon disrupted an APT29 watering‑hole that redirected ~10% of visitors to fake Cloudflare pages and abused Microsoft device code auth.
Image: a news website with a "Checking your browser..." overlay, a subtle arrow pointing to a Microsoft device code box, and a bear silhouette watermark.


Core insight: Amazon disrupted an APT29 watering-hole operation that compromised legitimate websites and silently redirected about 10% of visitors to attacker infrastructure impersonating Cloudflare verification checks. The goal was to trick targets into authorizing attacker-controlled devices through Microsoft's device code authentication flow. The operation follows Google TAG's 2024 reporting of APT29 watering holes that reused commercial spyware exploits previously linked to Intellexa and NSO Group. [blog.google +1]

Campaign overview

  • Amazon's threat intelligence team found injected JavaScript on compromised, legitimate websites that redirected a randomly selected fraction of visitors (roughly 10%) to actor-controlled domains such as findcloudflare[.]com. Those domains served fake Cloudflare "verification" pages that then walked the visitor into a Microsoft device code authentication flow, giving the actor access to the account. [aws.amazon]

  • When blocked, the actor pivoted quickly: from JavaScript redirects to server-side redirects, and off AWS to another cloud provider. The speed of the rebuild shows iterative tradecraft and resilience during takedown. [aws.amazon]

Device code abuse

  • The lure coerced users into completing Microsoft's device code challenge. In that flow the attacker's client requests a device code, the victim enters the attacker's code at Microsoft's device login page and signs in (MFA included), and Microsoft then issues access and refresh tokens to the attacker's "device". No password is stolen; the victim's own legitimate sign-in authorizes the attacker's session. This is consistent with the 2025 uptick in device code and device join phishing against Microsoft 365 tenants. [thehackernews +1]

  • Amazon coordinated with other providers to isolate the EC2 instances involved, sinkhole the domains, and notify partners including Microsoft. No AWS systems were compromised; the campaign's objective was capturing credentials and tokens. [aws.amazon]

  • Google TAG previously documented APT29 watering holes on Mongolian government sites that used n-day exploit chains identical or highly similar to those used by Intellexa (Predator) and NSO Group (Pegasus), including WebKit CVE-2023-41993 and Chrome CVE-2024-5274 and CVE-2024-4671; attribution to APT29 was made with moderate confidence. [wired +1]

  • TAG's assessment emphasized commercial surveillance vendor (CSV) exploit "proliferation": 0-days first used by surveillance vendors later spread as n-days to state actors, which reinforces the urgency of patching and of browsing isolation for targeted organizations. [blog.google]
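The device code abuse described above is easiest to understand by playing both sides of the grant. The following is an added example, not code from Amazon's report or from Microsoft: a toy in-memory authorization server that follows the RFC 8628 device authorization flow (in the real flow the verification URI is https://microsoft.com/devicelogin; the URL, client id and scope strings below are placeholders). It shows why the tokens land in whichever client requested the code, even though the victim completes MFA.

```python
"""Toy RFC 8628 device authorization flow. Added example; the server is an
in-memory stand-in for an identity provider, not a client for Microsoft's."""
import secrets
import string
import time


class ToyAuthServer:
    """In-memory stand-in for an OAuth 2.0 device authorization server (RFC 8628)."""

    def __init__(self, code_lifetime=900):
        self.code_lifetime = code_lifetime
        self.pending = {}       # device_code -> grant record
        self.by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope):
        # Step 1 (attacker's client): request a code. No user is involved yet, so
        # nothing about the victim needs to be known or stolen at this point.
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user": None,
                                     "expires": time.time() + self.code_lifetime}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/devicelogin",  # placeholder
                "expires_in": self.code_lifetime, "interval": 5}

    def user_approves(self, user_code, username, mfa_passed):
        # Step 2 (victim's browser): the lure shows user_code and sends the victim to
        # the real verification_uri, where they type the code and sign in, MFA included.
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return {"error": "invalid_user_code"}
        if not mfa_passed:
            return {"error": "mfa_required"}
        self.pending[device_code]["user"] = username
        return {"status": "approved"}

    def token(self, device_code):
        # Step 3 (attacker's client): poll the token endpoint until the victim approved.
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if time.time() > rec["expires"]:
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": rec["scope"], "sub": rec["user"],
                "access_token": "at." + secrets.token_hex(8),
                "refresh_token": "rt." + secrets.token_hex(8)}


def run_lure(server, victim, victim_passes_mfa=True):
    """Play both sides of the watering-hole lure against the toy server and return each step."""
    grant = server.device_authorization(client_id="attacker-controlled-client",  # placeholder
                                        scope="Mail.Read offline_access")
    before = server.token(grant["device_code"])      # victim has not acted yet
    approval = server.user_approves(grant["user_code"], victim, victim_passes_mfa)
    after = server.token(grant["device_code"])       # attacker's client now holds the tokens
    return {"user_code_shown_on_lure": grant["user_code"], "before": before,
            "approval": approval, "after": after}


if __name__ == "__main__":
    result = run_lure(ToyAuthServer(), "victim@example.test")
    print(result["before"])   # authorization_pending
    print(result["after"])    # Bearer tokens issued for sub=victim@example.test
```

The point the code makes concrete: the victim's sign-in and MFA both succeed, and the refresh token still ends up in the attacker's client, because in this grant type the party that requested the code is by design the party that receives the tokens. That is why blocking or scoping the device code flow, rather than adding another MFA prompt, is the effective control.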

Technical tradecraft

  • JavaScript injection: Obfuscated snippets embedded in legitimate sites triggered conditional redirects. Evasion included randomized sampling (about 10% of visitors), base64-encoded code blobs, and a cookie set on redirected visitors so the same user was not redirected twice. [aws.amazon]

  • Infrastructure rotation: When providers intervened, the actor registered fresh Cloudflare-themed domains and moved from client-side to server-side redirects to keep the watering hole viable. [aws.amazon]

Intelligence collection evolution

  • APT29's 2025 playbook expanded to device code and device join phishing to capture Microsoft 365 access, complementing earlier campaigns that abused application-specific passwords (ASPs) for email access. Watering holes add scale: compromising a site the intended audience already visits pre-filters for visitors likely to be in scope. [thehackernews +1]

  • The actor's agility in rebuilding infrastructure and re-running lures points to a durable tactic that blends web compromises, brand impersonation, and abuse of legitimate identity flows, rather than relying on credential-harvesting pages alone. [aws.amazon]

Enterprise protections (device code abuse)

  • Conditional Access hardening: Require a compliant or managed device and phishing-resistant MFA; block or tightly scope the device code flow (Microsoft Entra Conditional Access can target it through the "Authentication flows" condition) and restrict device join to approved networks and devices; enforce step-up authentication for unfamiliar sign-ins. [microsoft]

  • Browser controls: Isolate risky browsing with Application Guard or VDI; strip third-party scripts where feasible; add web-proxy or browser-telemetry detections for base64-heavy inline scripts and anomalous redirect chains. [aws.amazon]

  • Detection signals: Alert on spikes in device code sign-ins (the Entra sign-in log's authenticationProtocol field records the device code flow), OAuth consent grants from atypical IPs or ASNs, and sudden device join or registration events; correlate with web telemetry showing Cloudflare-themed "verification" pages immediately preceding Microsoft sign-in flows. [thehackernews +1]
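The detection signals listed above, run over sample data, as an added example (not Microsoft's or Amazon's detection content). The record fields mirror the Microsoft Entra sign-in log schema (createdDateTime, userPrincipalName, ipAddress, authenticationProtocol, errorCode); the sign-in records, the per-user IP baseline and the proxy log lines are all constructed for the demo, and the proxy log format is an assumption.

```python
"""Device code abuse detections over constructed sign-in and proxy records.
Added example: field names follow the Entra sign-in log schema, data is made up."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in records. authenticationProtocol "deviceCode" marks the device
# code grant; errorCode 0 is a successful sign-in.
SIGNINS = [
    {"createdDateTime": "2025-08-20T10:05:10Z", "userPrincipalName": "alice@corp.example", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "errorCode": 0},
    {"createdDateTime": "2025-08-20T10:12:44Z", "userPrincipalName": "bob@corp.example", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "errorCode": 0},
    {"createdDateTime": "2025-08-20T10:20:00Z", "userPrincipalName": "frank@corp.example", "ipAddress": "192.0.2.20", "authenticationProtocol": "authorizationCodeFlow", "errorCode": 0},
    {"createdDateTime": "2025-08-20T10:22:00Z", "userPrincipalName": "alice@corp.example", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "errorCode": 50126},
    {"createdDateTime": "2025-08-20T10:40:02Z", "userPrincipalName": "carol@corp.example", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "errorCode": 0},
    {"createdDateTime": "2025-08-20T10:50:31Z", "userPrincipalName": "dan@corp.example", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "errorCode": 0},
    {"createdDateTime": "2025-08-20T14:02:00Z", "userPrincipalName": "erin@corp.example", "ipAddress": "192.0.2.55", "authenticationProtocol": "deviceCode", "errorCode": 0},
]

# Constructed per-user baseline: IPs each user has signed in from recently.
KNOWN_IPS = {
    "alice@corp.example": {"192.0.2.11"}, "bob@corp.example": {"192.0.2.12"},
    "carol@corp.example": {"198.51.100.7"}, "dan@corp.example": {"192.0.2.14"},
    "erin@corp.example": {"192.0.2.55"},
}

# Constructed proxy log (assumed format: timestamp user host path).
PROXY_LOG = """2025-08-20T10:03:50Z alice@corp.example findcloudflare.com /verify
2025-08-20T10:11:30Z bob@corp.example www.cloudflare.com /
2025-08-20T10:38:15Z carol@corp.example cloudflare-verify.example.test /check
2025-08-20T09:10:00Z dan@corp.example cloudflare.redirect.example.test /verify
2025-08-20T14:01:30Z erin@corp.example news.example.org /article""".splitlines()


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def successful_device_code_signins(records):
    return [r for r in records
            if r["authenticationProtocol"] == "deviceCode" and r["errorCode"] == 0]


def device_code_spikes(records, baseline_per_hour=1, factor=3):
    """Hours (ISO strings) in which successful device code sign-ins exceed factor x baseline."""
    buckets = Counter(parse_ts(r["createdDateTime"]).replace(minute=0, second=0, microsecond=0)
                      for r in successful_device_code_signins(records))
    return sorted(h.isoformat() for h, n in buckets.items() if n > baseline_per_hour * factor)


def device_code_from_unknown_ip(records, known_ips):
    """Successful device code sign-ins from an IP the user has not been seen from before."""
    return sorted((r["userPrincipalName"], r["ipAddress"])
                  for r in successful_device_code_signins(records)
                  if r["ipAddress"] not in known_ips.get(r["userPrincipalName"], set()))


def is_cloudflare_lookalike(host):
    """Cloudflare-themed host that is not Cloudflare's own domain."""
    host = host.lower()
    return "cloudflare" in host and host != "cloudflare.com" and not host.endswith(".cloudflare.com")


def correlate_with_proxy(records, proxy_lines, lookback=timedelta(minutes=15)):
    """Device code sign-ins preceded, within lookback, by the same user visiting a look-alike host."""
    visits = []
    for line in proxy_lines:
        ts, user, host, _path = line.split()
        if is_cloudflare_lookalike(host):
            visits.append((parse_ts(ts), user, host))
    hits = []
    for r in successful_device_code_signins(records):
        t = parse_ts(r["createdDateTime"])
        for vt, user, host in visits:
            if user == r["userPrincipalName"] and timedelta(0) <= t - vt <= lookback:
                hits.append((r["userPrincipalName"], host, r["createdDateTime"]))
    return sorted(hits)


if __name__ == "__main__":
    print(device_code_spikes(SIGNINS))
    print(device_code_from_unknown_ip(SIGNINS, KNOWN_IPS))
    print(correlate_with_proxy(SIGNINS, PROXY_LOG))
```

Tune baseline_per_hour to the tenant's real rate of device code sign-ins (often near zero outside CLI and smart-TV style apps), and treat the proxy correlation as the highest-fidelity signal: a visit to a Cloudflare look-alike host followed within minutes by a device code sign-in for the same user matches this campaign's sequence exactly.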

Incident response tips

  • Identity first: Revoke sessions for suspicious devices, invalidate refresh tokens, and audit OAuth grants and newly registered devices; force re-authentication with FIDO2 or number-matching MFA for the impacted cohort. [microsoft]

  • Web supply chain: Scan public sites for injected iframes and scripts, base64 blobs, and redirectors; diff against known-good snapshots; if tampering is found, remove it and rotate CMS, plugin, and hosting secrets. [aws.amazon]

  • Intel sharing: Push domain and URL IOCs (for example findcloudflare[.]com and its successors) to proxies and EDR and share them with sector ISACs; block look-alike "verification" domains. [aws.amazon]
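The web supply chain step above (scan for injected scripts and base64 blobs, diff against a known-good snapshot) as working code. This is an added example, not Amazon's tooling: the known-good page, the injected script and the actor URL inside it are constructed for the demo and modelled on the behaviours the report describes (random sampling, cookie gating, a base64-encoded destination decoded at runtime, a redirect).

```python
"""Scan page HTML for injected redirector scripts. Added example; all HTML is constructed."""
import base64
import hashlib
import re

# Constructed known-good snapshot of a site's HTML.
KNOWN_GOOD_HTML = """<html><head><title>News</title>
<script>window.dataLayer = window.dataLayer || []; dataLayer.push({event: 'pageview'});</script>
</head><body><h1>Headlines</h1></body></html>"""

# Constructed injected script: sample 10% of visitors, gate with a cookie, decode the
# destination at runtime, redirect. The destination host is a hypothetical placeholder.
INJECTED_URL = b"https://cloudflare-verify.example.test/check"
INJECTED_SCRIPT = (
    "(function(){if(document.cookie.indexOf('cf_v=1')===-1&&Math.random()<0.1){"
    "document.cookie='cf_v=1;path=/';"
    "window.location.replace(atob('" + base64.b64encode(INJECTED_URL).decode() + "'));}})();"
)
COMPROMISED_HTML = KNOWN_GOOD_HTML.replace("</head>", "<script>" + INJECTED_SCRIPT + "</script>\n</head>")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # runs long enough to hide a URL
INDICATORS = {
    "runtime_decode": re.compile(r"\batob\s*\(|\beval\s*\(|fromCharCode"),
    "sampling": re.compile(r"Math\.random\s*\("),
    "cookie_gate": re.compile(r"document\.cookie"),
    "redirect": re.compile(r"location\.(replace|assign|href)|window\.open\s*\("),
}


def inline_scripts(html):
    """Bodies of non-empty inline <script> blocks, in document order."""
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(html) if m.group(1).strip()]


def fingerprint(script):
    """Whitespace-insensitive hash so re-minification alone does not look like tampering."""
    return hashlib.sha256(re.sub(r"\s+", "", script).encode()).hexdigest()


def new_scripts(known_good_html, current_html):
    """Inline scripts present now that were not in the known-good snapshot."""
    baseline = {fingerprint(s) for s in inline_scripts(known_good_html)}
    return [s for s in inline_scripts(current_html) if fingerprint(s) not in baseline]


def decode_blobs(script):
    """Decode long base64 runs; keep only results that are printable text (URLs, JS)."""
    decoded = []
    for blob in B64_RE.findall(script):
        core = blob.rstrip("=")
        try:
            text = base64.b64decode(core + "=" * (-len(core) % 4), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage(script):
    """Indicator hits, decoded blobs and a verdict for one script."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(script))
    blobs = decode_blobs(script)
    suspicious = bool(blobs) and "runtime_decode" in hits and "redirect" in hits
    suspicious = suspicious or {"sampling", "cookie_gate", "redirect"} <= set(hits)
    return {"indicators": hits, "decoded": blobs, "suspicious": suspicious}


def scan(known_good_html, current_html):
    """Triage every script that is new relative to the snapshot."""
    return [dict(triage(s), script=s[:80]) for s in new_scripts(known_good_html, current_html)]


if __name__ == "__main__":
    for finding in scan(KNOWN_GOOD_HTML, COMPROMISED_HTML):
        print(finding)
```

Two design choices worth keeping in a production version: diff against a snapshot first, so that the long-standing analytics tag never generates noise, and decode the blobs rather than just counting them, because the decoded destination is the IOC you will want to block and share.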

Expert analysis by Alfaiz Nova

  • Detection mindset: Watering holes blend victim trust with subtle delivery. Focus on behavior (low-rate redirects, base64-encoded JavaScript, cookie gating) and on identity telemetry spikes for device code sign-ins and OAuth consent. Per-application Conditional Access and managed-device requirements break many of these flows.

  • Strategic takeaway: Commercial surveillance vendor (CSV) exploit reuse keeps compressing the window between 0-day use and n-day state exploitation. Pair rapid patch SLAs for browsers and mobile OSes with browsing isolation, identity constraints, and brand-abuse monitoring for "verification" pages masquerading as CDN checks.

Sources

  • Amazon (aws.amazon): APT29 watering hole using fake Cloudflare pages to drive Microsoft device code authentication; disruption actions and infrastructure pivots.

  • The Hacker News (thehackernews): context on device code and device join phishing against Microsoft 365 by APT29 in 2025.

  • Google TAG (via Wired and blog.google): APT29 watering holes reusing Intellexa and NSO Group exploit chains against unpatched Safari and Chrome in campaigns on Mongolian government sites.

For more information visit alfaiznova.com
Hey there! I'm Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I'm passionate about SEO, digital marketing, and coding (mastered four languages!). When I'm not diving into Data Science or AI, you'll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let's explore tech together!