Current Cyber Threats

Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication

Summary:
Amazon’s threat intelligence team has identified and disrupted a sophisticated watering hole campaign conducted by APT29, also known as Midnight Blizzard, a threat actor linked to Russia’s Foreign Intelligence Service. The campaign relied on compromising legitimate websites and injecting obfuscated JavaScript that redirected a fraction of visitors to attacker-controlled domains. These malicious domains, designed to mimic Cloudflare verification pages, were used to trick victims into authorizing attacker-controlled devices through Microsoft’s device code authentication flow. By redirecting only about 10% of website traffic and employing randomization, cookies, and encoding, APT29 increased its chances of avoiding detection and maintaining persistence across multiple targets.

This campaign reflects APT29’s continued evolution in scaling their operations and refining their technical methods to expand their reach in intelligence collection. Their approach shows a shift toward opportunistic operations that cast a wider net while retaining targeted precision against specific victims of interest. Technical analysis of the malicious code revealed a range of evasion techniques, including base64 encoding to conceal activity and cookie-setting mechanisms that prevent the same user from being redirected twice. When disrupted, APT29 demonstrated agility by migrating infrastructure quickly and adapting from JavaScript-based redirects to server-side redirects, further complicating detection and takedown efforts.


Security Officer Comments:
Importantly, there was no compromise of AWS systems, nor direct impact on AWS infrastructure. However, Amazon’s detection analytics for APT29 infrastructure allowed them to uncover the malicious domains and identify compromised websites. Once discovered, Amazon acted swiftly to isolate affected EC2 instances, coordinate with Cloudflare and other partners to block malicious domains, and share intelligence with Microsoft to help mitigate further attempts. Despite the actor’s efforts to move operations off AWS and onto other cloud providers, Amazon continued monitoring and tracking the adversary. The campaign also builds on APT29’s long history of credential theft and espionage operations. In October 2024, Amazon disrupted their phishing attempts that leveraged fake AWS domains with malicious Remote Desktop Protocol files, while in June 2025 Google Threat Intelligence reported their credential-harvesting campaigns against academics and Kremlin critics using application-specific passwords.


Suggested Corrections:
Amazon researchers recommend that organizations implement the following protective measures:

For end users:
  1. Be vigilant for suspicious redirect chains, particularly those masquerading as security verification pages.
  2. Always verify the authenticity of device authorization requests before approving them.
  3. Enable multi-factor authentication (MFA) on all accounts, similar to how AWS now requires MFA for root accounts.
  4. Be wary of web pages asking you to copy and paste commands or perform actions in the Windows Run dialog (Win+R). This matches the recently documented “ClickFix” technique, where attackers trick users into running malicious commands.

For IT administrators:
  1. Follow Microsoft’s security guidance on device authentication flows and consider disabling this feature if not required.
  2. Enforce conditional access policies that restrict authentication based on device compliance, location, and risk factors.
  3. Implement robust logging and monitoring for authentication events, particularly those involving new device authorizations.
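
One way to act on the logging recommendation above, as an added example that is not code from the AWS post: it flags every sign-in that used the device code flow and raises the severity when the source country has no precedent in that user's ordinary sign-ins. Field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, location); the sample records are constructed.

```python
"""Detection logic for Microsoft device code flow sign-ins (added example, not
code from the AWS post). Record shape follows the Microsoft Graph signIn resource
(authenticationProtocol, ipAddress, location); sample records are constructed."""
import json
from collections import defaultdict

# Constructed sample sign-in records (Graph signIn field names). In production
# they would come from an Entra ID sign-in log export or a SIEM query.
SAMPLE_SIGNINS = json.loads("""[
 {"id":"s1","userPrincipalName":"alice@example.test","authenticationProtocol":"oAuth2",
  "ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"}},
 {"id":"s2","userPrincipalName":"alice@example.test","authenticationProtocol":"deviceCode",
  "ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"}},
 {"id":"s3","userPrincipalName":"bob@example.test","authenticationProtocol":"oAuth2",
  "ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"}},
 {"id":"s4","userPrincipalName":"bob@example.test","authenticationProtocol":"deviceCode",
  "ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"}},
 {"id":"s5","userPrincipalName":"carol@example.test","authenticationProtocol":"deviceCode",
  "ipAddress":"192.0.2.44","location":{"countryOrRegion":"DE"}}
]""")

def country_of(signin):
    return (signin.get("location") or {}).get("countryOrRegion")

def baseline_countries(signins):
    """Per user, the countries seen on sign-ins that did NOT use device code flow."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(country_of(s))
    return seen

def flag_device_code_signins(signins):
    """Every device code sign-in gets an alert; 'high' when the source country has
    no precedent for that user (what a victim approving an attacker's device looks like)."""
    base = baseline_countries(signins)
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        upn, country = s["userPrincipalName"], country_of(s)
        novel = country not in base.get(upn, set())
        alerts.append({"id": s["id"], "user": upn, "ip": s.get("ipAddress"),
                       "country": country, "severity": "high" if novel else "review"})
    return alerts

if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

The same filter in a SIEM is a one-liner on the authentication protocol field; the baseline comparison is what turns the raw list into something an analyst can triage.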

Link(s):
https://aws.amazon.com/blogs/security/amazon-disrupts-watering-hole-campaign-by-russias-apt29/