Microsoft's security team has confirmed that Russian state-sponsored threat actor APT28, also tracked as Forest Blizzard, is conducting a sophisticated campaign that uses noisy brute force attacks as cover for NTLM relay operations. The group's latest tactics target Microsoft Outlook specifically, allowing them to steal credentials and gain persistent access to victim mailboxes without triggering immediate detection.

Trend Micro researchers detailed how APT28 has evolved its approach since Microsoft first documented the group's activities in 2023. The threat actor now employs a multi-stage attack chain that begins with reconnaissance against Exchange servers, followed by credential spraying against Outlook Web Access (OWA) interfaces. This initial phase appears deliberately conspicuous—security teams might notice the brute force attempts but potentially miss what follows.

The Attack Chain: From Noise to Stealth

The campaign follows a carefully orchestrated sequence. APT28 first conducts reconnaissance against Microsoft Exchange servers to identify potential targets. The group then launches credential spraying attacks against OWA, using common password lists and previously compromised credentials. These brute force attempts generate significant authentication logs, creating what security analysts call "noise" in monitoring systems.

Once valid credentials are obtained, the attack transitions to its critical phase. APT28 uses the stolen credentials to authenticate to Outlook via the MAPI over HTTP protocol. This allows the threat actor to establish a session with the victim's mailbox. The group then deploys a malicious Outlook rule that automatically forwards incoming emails to attacker-controlled accounts.

Microsoft's analysis reveals the sophistication of this approach. By using legitimate authentication methods and native Outlook functionality, APT28 bypasses many traditional security controls. The malicious rules persist even after password changes, providing ongoing access to sensitive communications.

NTLM Relay: The Hidden Danger

Beneath the visible brute force activity lies the more dangerous component: NTLM relay attacks. APT28 captures NTLMv2 authentication hashes during the credential spraying phase, then relays these hashes to other systems on the network. This allows lateral movement without needing to crack the actual passwords.

The NTLM relay technique exploits weaknesses in the NTLM authentication protocol, which remains widely used in enterprise environments despite Microsoft's push toward Kerberos. When a user or service authenticates using NTLM, the attacker can intercept the authentication attempt and forward it to another system, gaining access with the victim's privileges.

Microsoft has documented multiple instances where APT28 used this technique to move from initial access to domain controller compromise. The group particularly targets systems with weak NTLM signing requirements or where NTLM authentication is permitted over SMB and LDAP protocols.

Outlook-Specific Targeting

APT28's focus on Microsoft Outlook represents a strategic shift. Previous campaigns targeted multiple applications and services, but the current operation concentrates specifically on email infrastructure. Outlook's integration with Active Directory and its role as a communication hub make it an attractive target for intelligence gathering.

The group exploits several Outlook features for persistence. Beyond email forwarding rules, APT28 has been observed creating hidden folders, modifying calendar entries, and manipulating search folders to monitor specific conversations. These modifications occur through legitimate API calls, making detection through behavioral analysis more challenging.

Microsoft Exchange Server vulnerabilities also play a role. APT28 leverages known but unpatched vulnerabilities in some deployments, particularly focusing on servers with outdated cumulative updates. The group combines these vulnerabilities with stolen credentials to maximize access opportunities.

Detection and Mitigation Challenges

Security teams face significant challenges detecting APT28's latest campaign. The noisy brute force component can trigger alerts, but many organizations have alert fatigue from frequent credential stuffing attempts. The subsequent stealth phases often go unnoticed amid the noise.

Microsoft recommends several specific mitigations. Enabling Extended Protection for Authentication (EPA) on Exchange servers prevents NTLM relay attacks by binding the authentication to the TLS channel. Implementing certificate-based authentication for Outlook clients eliminates NTLM entirely for those connections.

Network segmentation also proves critical. Isolating Exchange servers from other domain resources limits lateral movement opportunities even if NTLM relay succeeds. Microsoft further advises disabling NTLM authentication where possible and requiring NTLMv2 with 128-bit encryption where it must remain enabled.

Monitoring for suspicious Outlook rules presents another detection opportunity. Organizations should audit mailbox rules regularly, particularly those that forward messages externally. Unexpected MAPI over HTTP connections from unusual geographic locations or IP ranges also warrant investigation.

The APT28 Evolution

APT28, also known as Forest Blizzard, Fancy Bear, and STRONTIUM, has operated since at least 2007. The group is associated with Russia's military intelligence agency GRU and has targeted governments, military organizations, and critical infrastructure across Europe and North America.

The current campaign represents an evolution in tradecraft. Earlier APT28 operations relied more heavily on phishing with malicious attachments and exploit kits. The shift to credential-based attacks reflects both improved target security and the group's adaptation to changing defense postures.

Microsoft's tracking shows APT28 maintaining consistent infrastructure despite public exposure. The group continues to use previously documented domains and IP ranges, suggesting either confidence in their operational security or calculated risk acceptance.

Enterprise Defense Strategies

Organizations defending against APT28 need layered security approaches. Basic hygiene remains essential: enforcing strong password policies, implementing multi-factor authentication, and promptly applying security updates to Exchange servers.

Advanced protections should include monitoring for NTLM relay indicators. Security teams should look for authentication attempts where the client and server IP addresses differ, particularly when the server is a domain controller or other high-value system. Tools like Microsoft's Attack Surface Analyzer can help identify NTLM relay vulnerabilities.
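One way to turn the indicator above into detection logic, as an added example that is not part of the article or any Microsoft tooling: for each NTLM network logon to a domain controller, compare the source IP with the IPs the same account used shortly beforehand (for instance at OWA); a mismatch, or no baseline at all, is worth an analyst's look. The event records, host names and field layout are constructed for illustration.

```python
"""Correlate NTLM network logons against a user's recent source IPs.

Added example, not from the article or Microsoft: the event records below
are constructed to resemble fields from Windows 4624 events (NTLM,
LogonType 3) and an OWA access log; field names are assumptions.
"""
from datetime import datetime, timedelta

HIGH_VALUE_HOSTS = {"DC01", "DC02"}            # assumption: domain controllers
WINDOW = timedelta(minutes=10)

# Constructed events: (timestamp, user, source_ip, target_host, auth_package)
EVENTS = [
    ("2024-05-01T09:00:05", "alice", "10.1.1.20", "OWA01", "Negotiate"),
    ("2024-05-01T09:00:07", "alice", "10.1.1.20", "OWA01", "NTLM"),
    ("2024-05-01T09:00:09", "alice", "10.9.9.9",  "DC01",  "NTLM"),  # suspect
    ("2024-05-01T09:02:00", "bob",   "10.1.1.31", "FILE01", "NTLM"),
    ("2024-05-01T09:02:30", "bob",   "10.1.1.31", "DC01",  "NTLM"),  # same IP
    ("2024-05-01T09:03:00", "carol", "10.9.9.9",  "DC02",  "NTLM"),  # first seen
]

def parse(ev):
    t, user, ip, host, pkg = ev
    return {"time": datetime.fromisoformat(t), "user": user,
            "src_ip": ip, "target": host, "package": pkg}

def find_relay_candidates(events):
    """Flag NTLM logons to high-value hosts whose source IP does not match
    any IP the same account used within WINDOW beforehand. Accounts with
    no prior activity are reported separately so they can be baselined."""
    recent = {}   # user -> list of (time, ip) seen within the window
    findings = []
    for ev in sorted((parse(e) for e in events), key=lambda e: e["time"]):
        user = ev["user"]
        prior = [(t, ip) for t, ip in recent.get(user, [])
                 if ev["time"] - t <= WINDOW]
        if ev["package"] == "NTLM" and ev["target"] in HIGH_VALUE_HOSTS:
            prior_ips = {ip for _, ip in prior}
            if not prior_ips:
                findings.append((user, ev["target"], ev["src_ip"], "no-baseline"))
            elif ev["src_ip"] not in prior_ips:
                findings.append((user, ev["target"], ev["src_ip"],
                                 "ip-mismatch vs " + ",".join(sorted(prior_ips))))
        recent[user] = prior + [(ev["time"], ev["src_ip"])]
    return findings

if __name__ == "__main__":
    for f in find_relay_candidates(EVENTS):
        print(f)
```

In production the baseline would come from a longer history than one window, but the mismatch check is the same.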

Email security requires specific attention. Beyond monitoring for malicious rules, organizations should implement data loss prevention policies that flag or block external email forwarding. Regular audits of mailbox permissions and delegate access can reveal unauthorized configurations.
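The mailbox-rule audit recommended above and in the Detection section, as an added example that is not code from the article, Microsoft or Trend Micro: it reads an export shaped like the output of Exchange's Get-InboxRule cmdlet, flags enabled rules that forward or redirect outside the organisation's own domains, and notes the extra signals (message deleted after forwarding, near-empty rule name). The domains and rule records are constructed for illustration.

```python
"""Audit exported Outlook/Exchange inbox rules for external forwarding.

Added example (not from the article or from Microsoft/Trend Micro): the
input mimics a JSON export of Get-InboxRule, but the sample data below is
constructed for illustration.
"""
import json
import re

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the org's own domains

# Constructed sample, shaped like `Get-InboxRule | ConvertTo-Json` output.
SAMPLE_RULES = json.dumps([
    {"MailboxOwnerId": "alice@contoso.example", "Name": "Team digest",
     "Enabled": True, "ForwardTo": ["Bob Lee <bob@contoso.example>"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"MailboxOwnerId": "alice@contoso.example", "Name": ".",
     "Enabled": True, "ForwardTo": ["[SMTP:collector@mail-relay.invalid]"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"MailboxOwnerId": "carol@contoso.example", "Name": "Old forward",
     "Enabled": False, "ForwardTo": [], "RedirectTo": ["x@outside.invalid"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
])

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+", re.IGNORECASE)

def external_targets(rule):
    """Return forward/redirect addresses whose domain is not internal."""
    found = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(key) or []:
            for addr in ADDR_RE.findall(entry):
                if addr.split("@")[1].lower() not in INTERNAL_DOMAINS:
                    found.append(addr.lower())
    return found

def audit_rules(rules_json):
    """Flag enabled rules that send mail outside the org, with the
    secondary risk signals a reviewer would want to see alongside."""
    findings = []
    for rule in json.loads(rules_json):
        targets = external_targets(rule)
        if not targets or not rule.get("Enabled", False):
            continue
        reasons = ["external forwarding to " + ", ".join(targets)]
        if rule.get("DeleteMessage"):
            reasons.append("deletes message after forwarding")
        if len(rule.get("Name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        findings.append({"mailbox": rule["MailboxOwnerId"],
                         "rule": rule["Name"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f)
```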

Microsoft Defender for Office 365 includes capabilities specifically designed to detect APT28's tactics. The platform's automated investigation and response features can identify suspicious forwarding rules and authentication patterns. Integration with Microsoft Sentinel enables correlation of Exchange logs with other security events.

The Broader Threat Landscape

APT28's campaign occurs amid increased state-sponsored cyber activity targeting Western infrastructure. Multiple threat actors have shifted toward credential-based attacks as organizations improve patch management and endpoint security.

The campaign highlights the persistent risk of legacy protocols like NTLM. Despite Microsoft's decade-long effort to deprecate NTLM in favor of Kerberos, many organizations maintain NTLM for compatibility with older applications. This creates attack surfaces that sophisticated groups like APT28 systematically exploit.

Outlook and Exchange remain prime targets due to their central role in organizational communication. The wealth of sensitive information flowing through email systems, combined with their deep integration with directory services, creates attractive opportunities for intelligence collection.

Looking Forward

Microsoft continues to enhance protections against NTLM relay attacks. Recent Windows updates include improvements to NTLM auditing and additional controls for restricting NTLM usage. The company's Secure Future Initiative prioritizes moving customers away from vulnerable legacy protocols.

Organizations should anticipate APT28 and similar groups refining their approaches further. As basic NTLM relay protections become more widespread, threat actors will likely develop techniques to bypass EPA and other mitigations. The cat-and-mouse game between attackers and defenders continues evolving.

Security teams must balance detection of noisy attacks with investigation of what might hide beneath. APT28's latest campaign demonstrates that conspicuous activity often serves as distraction rather than the main event. The most dangerous intrusions frequently begin with alerts that seem routine until examined in broader context.

Proactive defense requires understanding both the technical mechanisms and strategic objectives of threat actors like APT28. By analyzing how the group operates—not just what tools they use but why they choose specific targets and techniques—organizations can develop more effective security postures. The campaign against Outlook represents both a specific threat to address and a case study in modern cyber espionage methodology.