A Russian state-backed cyberespionage group has been quietly breaching critical organizations across NATO countries and Ukraine since at least April 2024. Dubbed Void Blizzard by Microsoft and tracked as LAUNDRY BEAR by the Dutch intelligence services, the threat actor employs a deceptively simple playbook: password sprays, stolen credentials bought from criminal marketplaces, and, increasingly, adversary-in-the-middle phishing that captures authenticated sessions and so sidesteps most forms of multifactor authentication. On May 27, 2025, Microsoft Threat Intelligence published a detailed exposé drawing on months of hunting operations and on collaboration with the Dutch AIVD and MIVD and the FBI. The report elevates Void Blizzard from a shadowy nuisance to a persistent, strategically aligned espionage apparatus.

The group’s target list reads like a blueprint of Russia’s geopolitical interests: government ministries, defense contractors, transportation networks, academic institutions, news media, and non-governmental organizations. Several victims had already been targeted by Russian military intelligence (GRU) units in the aftermath of the 2022 invasion of Ukraine. The overlap between Void Blizzard’s victims and those of established Russian actors (Forest Blizzard, Midnight Blizzard, and Secret Blizzard) suggests a coordinated intelligence-gathering ecosystem rather than a single isolated squad.

While the techniques are not spectacularly sophisticated, their cumulative damage is severe. “Low sophistication, high impact” is the phrase that security analysts keep returning to. The campaign illustrates a hard truth: adversaries don’t need zero-day exploits when millions of valid credentials slosh around criminal marketplaces, and when users still recycle passwords across personal and corporate accounts.

How Void Blizzard Gets In

The initial breach usually begins with one of three entry points. The first is password spraying: a handful of common passwords tried against thousands of accounts, one or two guesses per account so that lockout thresholds are never reached, in the hope that someone set “Spring2024!” across their apps. The second is the thriving underground economy of infostealer logs: Void Blizzard buys previously harvested usernames and passwords, often with session cookies still attached, from illicit marketplaces. These shopping lists of credentials give attackers an almost instant shortcut past the perimeter.
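The spray pattern described above is recognizable in sign-in telemetry because it is wide but shallow: one source, many accounts, one or two failures each, and then the occasional success or MFA interrupt that marks a correctly guessed password. The following is an added example written for this article, not code from Microsoft's report. It assumes an export of Entra ID sign-in events as a list of dicts with the fields userPrincipalName, ipAddress, createdDateTime and status.errorCode; the sample events are constructed and use RFC 5737 documentation addresses.

```python
"""Password-spray triage over exported Microsoft Entra ID sign-in events.

Added example for this article, not code from Microsoft's report. The record
shape is an assumption modelled on the Entra sign-in log export (fields
userPrincipalName, ipAddress, createdDateTime and status.errorCode); the
sample events below are constructed, using RFC 5737 documentation addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Entra ID sign-in error codes that matter when hunting a spray
INVALID_PASSWORD = 50126        # invalid username or password
ACCOUNT_LOCKED = 50053          # account locked / IP blocked after repeated failures
MFA_INTERRUPT = {50074, 50076}  # password was correct, sign-in stopped at MFA: a hit
SUCCESS = 0

BASE = datetime(2025, 4, 14, 7, 0, tzinfo=timezone.utc)


def _event(upn, ip, code, minute):
    return {
        "userPrincipalName": upn,
        "ipAddress": ip,
        "createdDateTime": (BASE + timedelta(minutes=minute)).isoformat(),
        "status": {"errorCode": code},
    }


# Constructed sample: one source tries one password against twelve accounts,
# one attempt each, and lands a correct password on user07 (MFA interrupt).
# A second source is a single user mistyping a password three times and then
# succeeding, which is noise a spray detector must not flag.
SAMPLE_EVENTS = (
    [_event(f"user{n:02d}@contoso.example", "203.0.113.45", INVALID_PASSWORD, n)
     for n in range(1, 13)]
    + [_event("user07@contoso.example", "203.0.113.45", 50076, 14)]
    + [_event("alice@contoso.example", "198.51.100.7", INVALID_PASSWORD, m) for m in (2, 3, 4)]
    + [_event("alice@contoso.example", "198.51.100.7", SUCCESS, 5)]
)


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=10, max_attempts_per_user=2):
    """Return {ip: finding} for sources whose failures are wide but shallow:
    many distinct accounts, few attempts each, inside one time window.
    Each finding also lists accounts where the same source then presented a
    correct password (MFA interrupt or outright success), which is what an
    analyst must reset first."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ipAddress"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["createdDateTime"])
        times = [datetime.fromisoformat(e["createdDateTime"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            failures = defaultdict(int)
            hits = set()
            for e in evs[start:end + 1]:
                code = e["status"]["errorCode"]
                if code in (INVALID_PASSWORD, ACCOUNT_LOCKED):
                    failures[e["userPrincipalName"]] += 1
                elif code in MFA_INTERRUPT or code == SUCCESS:
                    hits.add(e["userPrincipalName"])
            if (len(failures) >= min_users
                    and all(v <= max_attempts_per_user for v in failures.values())):
                best = findings.get(ip)
                if best is None or len(failures) >= best["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(failures),
                        "window_start": times[start].isoformat(),
                        "window_end": times[end].isoformat(),
                        "credential_hits": sorted(hits),
                    }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The single-user source with three failures is never flagged, because depth against one account is a forgotten password, not a spray. The accounts listed under credential_hits are the ones the attacker now holds a valid password for; reset those before anything else.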

A third pathway, one that escalated sharply in April 2025, is adversary-in-the-middle (AitM) spear phishing. In a campaign tracked by Microsoft, targets received emails that appeared to originate from the European Defense and Security Summit. Attached PDFs contained malicious QR codes. When scanned, the codes directed users to a credential-harvesting page that mimicked the Microsoft Entra sign-in portal with eerie precision. The page was served through Evilginx, an open-source phishing framework that proxies the victim’s traffic to the real identity provider, so it captures not only the password but also the session cookie issued once the user completes MFA. Replaying that cookie lets the attacker act as the user without ever answering an MFA prompt, which defeats any second factor whose proof is not bound to the legitimate origin: SMS and voice codes, one-time passcodes, and push approvals alike.

The phishing infrastructure leaned heavily on typosquatted domains: host names that differ from the real Microsoft sign-in domain by an inserted or substituted character, or a hyphen where a dot belongs, and so pass a quick glance. This level of detail indicates that Void Blizzard is methodically refining its initial access, moving from broad spray to tailored strike.
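The look-alike tricks above are mechanical, so they can be checked mechanically when a URL is extracted from a lure such as a PDF's QR code. The following is an added example written for this article, not code from Microsoft's report or from the Evilginx project. The allowlist of legitimate sign-in hosts, the brand tokens, the confusable-glyph map and all sample URLs are assumptions and constructed test data.

```python
"""Classify sign-in URLs from a lure (for instance decoded from a QR code)
against the real Microsoft sign-in hosts.

Added example for this article, not from Microsoft's report or from Evilginx.
The allowlist, brand tokens, confusable map and the sample URLs are
assumptions and constructed test data. The heuristics cover the common
typosquat moves: one character inserted, dropped, swapped or substituted,
a hyphen standing in for a dot, confusable glyphs such as 'rn' for 'm', and
the real host name used as a subdomain of an attacker-controlled domain.
"""
from urllib.parse import urlparse

LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "device.login.microsoftonline.com",
}
BRAND_TOKENS = ("microsoft", "msft", "office", "outlook", "entra", "azure")
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a, b):
    """Classic edit distance; host names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host):
    """Fold the cheap tricks: case, trailing dot, hyphen-for-dot, confusable glyphs.
    This is deliberately aggressive; it is only ever compared against the allowlist."""
    host = host.lower().rstrip(".").replace("-", ".")
    for bad, good in CONFUSABLES.items():
        host = host.replace(bad, good)
    return host


def classify(url, max_distance=2):
    """Return (verdict, detail) for the host part of url."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host in LEGIT_LOGIN_HOSTS:
        return "legitimate", host
    for legit in LEGIT_LOGIN_HOSTS:
        # real host used as a subdomain: login.microsoftonline.com.evil.example
        if host.startswith(legit + "."):
            return "subdomain-impersonation", f"{legit} prefixed under {host[len(legit) + 1:]}"
    norm = normalize(host)
    if norm in LEGIT_LOGIN_HOSTS:
        return "lookalike", f"{host} normalizes to {norm}"
    for legit in LEGIT_LOGIN_HOSTS:
        d = levenshtein(norm, legit)
        if d <= max_distance:
            return "lookalike", f"{host} is {d} edit(s) from {legit}"
    if any(tok in host for tok in BRAND_TOKENS):
        return "brand-impersonation", f"{host} carries a Microsoft brand token but is not a Microsoft host"
    return "unrelated", host


if __name__ == "__main__":
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://login.microsoftonlime.com/",          # one substituted character
        "https://login.rnicrosoftonline.com/",          # rn for m
        "https://login-microsoftonline.com/",           # hyphen for dot
        "https://login.microsoftonline.com.evil.example/",
        "https://sso.office365-verify.example/",
        "https://www.nato.int/",
    ):
        print(classify(sample))
```

The order of the checks matters: the allowlist wins outright, then the subdomain trick, then normalization, then edit distance, and only then the weaker brand-token heuristic. Anything that is not in the allowlist but presents a Microsoft sign-in form is suspicious regardless of which branch caught it.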

The Post-Compromise Playbook: Stealth and Speed

Once inside, Void Blizzard shifts to efficiency. Rather than deploying malware or ransomware, the group focuses entirely on intelligence collection. Microsoft observed that the actor abuses legitimate cloud APIs to vacuum up data silently: after compromising an account, it uses Exchange Online and Microsoft Graph to enumerate the user’s mailbox, any shared mailboxes the identity can read, and cloud-hosted files, then exfiltrates the contents at scale. In one documented intrusion, the threat actor collected every email and document the compromised identity could touch, with no manual selection, just a swift, bulk extraction that reduced dwell time while maximizing the haul.
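Bulk collection through legitimate APIs leaves no malware to detect, but it does leave a shape in the Graph activity logs that interactive use never produces: one identity paging through an entire mailbox, reaching into mailboxes that are not its own, and walking the directory, all within minutes. The following is an added example written for this article (it also serves the anomaly-detection recommendation later in the piece), not code from Microsoft's report. It assumes records shaped like the MicrosoftGraphActivityLogs table (UserId, IPAddress, RequestMethod, RequestUri, ResponseStatusCode, TimeGenerated); the thresholds, object identifiers and sample records are constructed.

```python
"""Spot automated bulk collection in Microsoft Graph activity records.

Added example for this article, not code from Microsoft's report. Field names
(UserId, IPAddress, RequestMethod, RequestUri, ResponseStatusCode,
TimeGenerated) follow the MicrosoftGraphActivityLogs table as an assumption;
thresholds, object ids and the sample records are constructed. The signal is
volume and breadth, not any single call.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAIL_RE = re.compile(r"/(messages|mailFolders)(/|\?|$)")
FILES_RE = re.compile(r"/(drives?|sites)(/|\?|$)")
DIRECTORY_RE = re.compile(r"/v1\.0/(users|groups|directoryRoles|servicePrincipals)(\?|$)")
OTHER_MAILBOX_RE = re.compile(r"/users/([^/?]+)/(messages|mailFolders)")
PAGING_RE = re.compile(r"\$skip(token)?=", re.IGNORECASE)

BASE = datetime(2025, 4, 14, 9, 0, tzinfo=timezone.utc)


def _rec(user, uri, second, ip="203.0.113.45"):
    return {"UserId": user, "IPAddress": ip, "RequestMethod": "GET",
            "RequestUri": f"https://graph.microsoft.com{uri}", "ResponseStatusCode": 200,
            "TimeGenerated": (BASE + timedelta(seconds=second)).isoformat()}


ME = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed object id of the compromised user
SAMPLE_RECORDS = (
    # 60 pages of the victim's own inbox, one every 5 seconds
    [_rec(ME, f"/v1.0/me/messages?$top=1000&$skiptoken=page{n}", 5 * n) for n in range(60)]
    # six shared or other mailboxes the identity can read
    + [_rec(ME, f"/v1.0/users/shared{n}@contoso.example/mailFolders/inbox/messages", 310 + n)
       for n in range(6)]
    # a directory walk and a drive listing
    + [_rec(ME, "/v1.0/users?$top=999", 320), _rec(ME, "/v1.0/me/drive/root/children", 321)]
    # benign: another user reads a few messages from the office network
    + [_rec("22222222-aaaa-4bbb-8ccc-000000000002", "/v1.0/me/messages?$top=25", s, ip="198.51.100.7")
       for s in (0, 90, 400, 560)]
)


def detect_bulk_collection(records, window=timedelta(minutes=10),
                           max_calls=50, max_pages=20, max_other_mailboxes=3):
    """Aggregate per (user, time bucket) and return {user: finding} for users
    whose collection behaviour crosses any threshold inside one bucket."""
    buckets = defaultdict(lambda: {"calls": 0, "mail_pages": 0, "other_mailboxes": set(),
                                   "directory_calls": 0, "file_calls": 0, "ips": set()})
    for r in records:
        if r["ResponseStatusCode"] != 200:
            continue  # failed calls deserve their own hunt; not counted here
        t = datetime.fromisoformat(r["TimeGenerated"])
        b = buckets[(r["UserId"], int(t.timestamp() // window.total_seconds()))]
        uri = r["RequestUri"]
        b["ips"].add(r["IPAddress"])
        if MAIL_RE.search(uri):
            b["calls"] += 1
            if PAGING_RE.search(uri):
                b["mail_pages"] += 1
            m = OTHER_MAILBOX_RE.search(uri)
            if m and m.group(1).lower() != r["UserId"].lower():
                b["other_mailboxes"].add(m.group(1))
        elif FILES_RE.search(uri):
            b["calls"] += 1
            b["file_calls"] += 1
        elif DIRECTORY_RE.search(uri):
            b["calls"] += 1
            b["directory_calls"] += 1

    findings = {}
    for (user, _), b in buckets.items():
        reasons = []
        if b["calls"] > max_calls:
            reasons.append(f"{b['calls']} collection calls in {window}")
        if b["mail_pages"] > max_pages:
            reasons.append(f"{b['mail_pages']} paged mail requests")
        if len(b["other_mailboxes"]) > max_other_mailboxes:
            reasons.append(f"{len(b['other_mailboxes'])} mailboxes other than the caller's")
        if b["directory_calls"] and b["calls"] > max_calls:
            reasons.append("directory enumeration alongside bulk collection")
        if reasons:
            findings[user] = {"calls": b["calls"], "mail_pages": b["mail_pages"],
                              "other_mailboxes": sorted(b["other_mailboxes"]),
                              "source_ips": sorted(b["ips"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, finding in detect_bulk_collection(SAMPLE_RECORDS).items():
        print(user, finding)
```

The thresholds are starting points to tune against your own baseline: a mail-archiving service principal will page legitimately, and a shared-mailbox-heavy helpdesk touches many mailboxes. What does not tune away is the combination of paging, breadth and directory enumeration from a single human identity in one ten-minute bucket.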

Deeper reconnaissance is reserved for a small number of high-value environments. There Void Blizzard has been observed running AzureHound, the open-source BloodHound collector that defenders use to map attack paths through Microsoft Entra ID. In attackers’ hands it enumerates users, group memberships, application roles, and device inventories, building a detailed directory of the victim’s cloud footprint. In some intrusions the actor also read Microsoft Teams conversations through the Teams web client, exposing internal discussions, project details, and communication patterns.

The targeting of Ukrainian aviation organizations and air traffic control providers is particularly alarming. These entities support critical infrastructure that remains under constant pressure during wartime. The fact that some were previously infiltrated by GRU units suggests a continuing, coordinated effort to understand—and potentially degrade—Ukraine’s defense and mobility capabilities.

Defensive Countermeasures: What Microsoft and Partners Recommend

Defending against Void Blizzard is not about blocking a single malware signature. It demands an identity-first security architecture that assumes credentials will be stolen. Microsoft’s advisory, complemented by joint intelligence from the Dutch AIVD and MIVD and the US FBI, points to several concrete steps:

Hardening Authentication
- Sign-in risk policies: Integrate Conditional Access rules that respond automatically to Entra ID Protection risk signals. A sign-in from an anonymizing proxy or with unfamiliar properties, or a user whose credentials have appeared in a leaked-credential feed, should trigger a requirement for phishing-resistant authentication or a block until the password is reset.
- Phishing-resistant MFA: Move away from telephony-based one-time passcodes and push approvals. FIDO2 security keys and passkeys in Microsoft Authenticator sign a challenge that is bound to the real origin, so an assertion produced on an Evilginx page is worthless at login.microsoftonline.com and there is no reusable secret for the proxy to capture.
- Centralized identity management: Bring on-premises Active Directory and cloud identities under one authoritative directory. A single identity plane gives risk detection a complete view of each account’s behavior and lets responders revoke a compromised identity everywhere at once.

Strengthening Email and Collaboration Security
- Mailbox auditing: Enable detailed audit logging for owner, delegate, and administrator actions across all mailboxes. Void Blizzard often uses the compromised account’s own permissions to read mail, which can blend in with normal activity unless auditing is granular.
- Non-owner access reports: Run regular reports from the Exchange Admin Center to detect when accounts that shouldn’t be accessing a mailbox are doing exactly that.

Detecting and Disrupting Post-Compromise Activity
- Credential hygiene: After any suspected infostealer infection, rotate user passwords and revoke existing session tokens.
- Anomaly detection: Hunt in Microsoft Graph activity logs for automated enumeration or mass data export, such as one identity paging through an entire mailbox or touching many shared mailboxes within minutes. Deploy anomaly detection policies in Microsoft Defender for Cloud Apps for the same patterns.
- Token theft investigation: Because AitM attacks bypass any MFA that is not phishing-resistant, security teams should look in the sign-in logs for sessions that continue from a different IP address, country, or device than the one that completed MFA, or that wake up at odd hours, and enable Microsoft Entra ID Protection detections for anomalous token use and token replay.
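A stolen session cookie, whether captured by an Evilginx proxy as described earlier or lifted from a browser by an infostealer, shows up in the sign-in logs as a session that was authenticated in one place and then continues from another. The following is an added example written for this article, not code from Microsoft's report; it serves both the AitM discussion above and the token-theft bullet. It assumes interactive and non-interactive sign-in events that carry a session identifier together with userPrincipalName, ipAddress, location.countryOrRegion, userAgent, authenticationMethod and createdDateTime; the method names, addresses and events are constructed.

```python
"""Find Entra ID sessions that continue from somewhere other than where they
were authenticated, the footprint of a cookie stolen by an AitM proxy or an
infostealer.

Added example for this article, not code from Microsoft's report. The record
shape is an assumption: interactive and non-interactive sign-in events that
carry a session identifier plus userPrincipalName, ipAddress,
location.countryOrRegion, userAgent, authenticationMethod and createdDateTime.
Method names, addresses (RFC 5737) and events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Methods whose proof is bound to the real origin. An AitM proxy cannot complete
# them, so a replayed session after one of these points at endpoint cookie theft.
PHISHING_RESISTANT = {"FIDO2 security key", "Passkey", "Windows Hello for Business", "Certificate"}

BASE = datetime(2025, 4, 14, 8, 0, tzinfo=timezone.utc)


def _ev(upn, session, ip, country, ua, method, minute, interactive):
    return {"userPrincipalName": upn, "sessionId": session, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "userAgent": ua,
            "authenticationMethod": method, "isInteractive": interactive,
            "createdDateTime": (BASE + timedelta(minutes=minute)).isoformat()}


EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0"
CHROME_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"

SAMPLE_EVENTS = [
    # alice: SMS-based MFA completed through a proxy, then her session is replayed from a VPS
    _ev("alice@contoso.example", "s-alice", "198.51.100.7", "NL", EDGE, "Text message", 0, True),
    _ev("alice@contoso.example", "s-alice", "203.0.113.45", "US", CHROME_LINUX, None, 4, False),
    # bob: same laptop, same country, address changed as he moved networks: benign
    _ev("bob@contoso.example", "s-bob", "198.51.100.20", "NL", EDGE, "Mobile app notification", 0, True),
    _ev("bob@contoso.example", "s-bob", "198.51.100.21", "NL", EDGE, None, 50, False),
    # carol: passkey sign-in, later the same session appears from another country and browser
    _ev("carol@contoso.example", "s-carol", "198.51.100.9", "NL", EDGE, "Passkey", 0, True),
    _ev("carol@contoso.example", "s-carol", "203.0.113.80", "RO", CHROME_LINUX, None, 120, False),
]


def find_session_replay(events, max_gap=timedelta(hours=24)):
    """Return one finding per session that reappears from a different country
    or a different user agent than the interactive sign-in that created it."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sessionId"]].append(ev)

    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["createdDateTime"])
        origin = next((e for e in evs if e["isInteractive"]), evs[0])
        origin_time = datetime.fromisoformat(origin["createdDateTime"])
        for ev in evs:
            if ev is origin:
                continue
            gap = datetime.fromisoformat(ev["createdDateTime"]) - origin_time
            if gap < timedelta(0) or gap > max_gap:
                continue
            moved = ev["location"]["countryOrRegion"] != origin["location"]["countryOrRegion"]
            new_agent = ev["userAgent"] != origin["userAgent"]
            if not (moved or new_agent):
                continue  # same country and same client: ordinary roaming
            method = origin["authenticationMethod"]
            likely = ("endpoint cookie theft (origin-bound MFA cannot be proxied)"
                      if method in PHISHING_RESISTANT else "AitM session theft")
            findings.append({
                "user": ev["userPrincipalName"], "sessionId": session,
                "authenticated_from": (origin["ipAddress"], origin["location"]["countryOrRegion"]),
                "replayed_from": (ev["ipAddress"], ev["location"]["countryOrRegion"]),
                "minutes_after_auth": int(gap.total_seconds() // 60),
                "mfa_method": method, "likely_vector": likely,
            })
            break  # one finding per session is enough to open an investigation
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_EVENTS):
        print(finding)
```

The carol case is the caveat practitioners should keep in mind: phishing-resistant MFA stops the proxy from completing the sign-in, but it does not protect a cookie that an infostealer later reads off the disk, so a replayed passkey session points at the endpoint rather than at a phishing page. In either case the response is the same: revoke the user's sessions (the Graph revokeSignInSessions action), reset the password, and then look at the device.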

Visibility Through the Microsoft Security Stack

Microsoft’s threat intelligence team mapped specific detection signals to Void Blizzard’s tactics. Security operations teams using Microsoft Defender XDR, Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Entra ID Protection may see alerts such as:

- Password spray: a high volume of failed authentication attempts spread across many accounts from one source.
- Unfamiliar sign-in properties: logins from new devices, browsers, or locations.
- Impossible travel: sign-ins from two geographic locations within a timeframe no physical journey could cover.
- AitM and token anomalies: alerts tied to known Evilginx infrastructure, or to a session token used from a different client or location than the one it was issued to.

For organizations running Microsoft Sentinel, published hunting queries help analysts pivot from an initial indicator (a typosquatted domain or known Void Blizzard phishing infrastructure, for example) to additional compromised accounts, suspicious mailbox forwarding rules, or abnormal Graph API calls. The queries are not a silver bullet, since they also fire on benign activity, but they offer a focused starting point for incident response.

The Bigger Picture: Collaboration and Persistent Gaps

The rapid naming of Void Blizzard and the public sharing of its tactics were possible because of a well-established model of international cybersecurity cooperation. The Dutch general and military intelligence services contributed ground-truth observations, the FBI tied infrastructure to other Russian intrusions, and Microsoft correlated telemetry across its global customer base. Such coordination shrinks the advantage that state-sponsored groups once enjoyed by operating in the shadows.

Yet critical weaknesses remain that adversaries continue to exploit. The underground credential economy is not going away: infostealer logs are traded daily on Telegram channels and dark-web forums, providing a steady supply of fresh keys to thousands of organizations. Cloud migration, while essential for business agility, has dramatically expanded the attack surface. AzureHound was written for defenders and red teams, and the mail and directory APIs were built for administrators and applications, but without strict Conditional Access and just-in-time privilege they become offensive instruments.

Smaller organizations face an extra burden. NGOs and small educational institutions—both of which Void Blizzard has targeted—often cannot field a 24/7 security operations center or afford the premium licenses required for risk-based Conditional Access and advanced hunting. The gap between well-resourced defense and vulnerable civil society continues to widen, and nation-state actors are ruthless in exploiting it.

Implications for Windows and Microsoft Ecosystem Users

Void Blizzard’s laser focus on Microsoft 365, Entra ID, and Exchange Online exposes the double-edged nature of a tightly integrated cloud ecosystem. Every identity synced, every API exposed, every Teams channel opened is a potential pivot point. Microsoft has responded with deeper default security settings, AI-driven investigation features in Security Copilot, and tighter integration across the Defender suite. Still, responsibility remains on individual organizations to enforce policies that map to the reality of their risk.

The attack chain also highlights the limits of endpoint detection. Since Void Blizzard often operates with stolen credentials and legitimate applications, no malware is dropped and no process injection occurs. Detection relies on behavioral analytics and cloud signals—exactly the kind of telemetry that is difficult for some industries to justify in privacy impact assessments.

The Enduring Challenge

Void Blizzard will not be the last Russian-aligned group to pop up in threat intel feeds. The pattern repeats because fundamentals are neglected and resources are unevenly distributed. Password spray works because of human nature. Cookie theft works because the web’s authentication plumbing was not designed for an era of proxy attacks. Data exfiltration through Microsoft Graph works because organizations crave seamless collaboration.

The defensive playbook is clear: adopt phishing-resistant credentials, monitor cloud control planes continuously, and break down silos between identity, email, and endpoint security. The Microsoft report equips defenders with the indicators and methods to do that, but execution will determine whether Void Blizzard remains a persistent intelligence pipeline or becomes a manageable, contained threat.

For security practitioners, IT administrators, and business leaders, the message is unmistakable: invest in identity-centric detection and response. The adversary is patient, well-funded, and increasingly creative with the most mundane of tools. Your digital estate is a high-value target—act accordingly.