
APT 29’s Slack abuse

Updated on 2022-12-01: APT 29’s Slack abuse

Chinese security firm QiAnXin has a report out detailing a recent APT29 campaign targeting Italy, where the Russian hacking group has deployed versions of the EnvyScout malware. QiAnXin notes that the attacks used the collaboration platform Slack as a C&C channel and payload delivery system. Previously, APT29 used the enterprise apps Dropbox and Trello in a similar fashion. Read more: The Abused Slack Service: Analysis of APT29's Attack Campaign Targeting Italy (被滥用的Slack服务:APT29针对意大利的攻击活动分析)

Updated on 2022-11-10

Researchers found that the Russia-linked APT29 cyberespionage gang abused Credential Roaming, a Windows feature, to phish a European diplomatic entity earlier this year. Read more: They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming

Updated on 2022-11-09: APT29

Mandiant has a technical report out on how the Russian state-sponsored group APT29 has abused a feature called Windows Credential Roaming in a recent attack against a European diplomatic entity. Read more:

Overview: Mandiant: Russian Hackers are Targeting Microsoft 365 Accounts

In a blog post, Mandiant highlights some tactics, techniques, and procedures (TTPs) the APT29 espionage group is using to target Microsoft 365 accounts. The hackers, who have ties to Russia’s government, have been observed disabling licenses, taking over dormant accounts, and focusing on operational security.

Note

  • Not just Russian hackers, but pretty much anybody in the cybercrime game is going after Microsoft 365 accounts. Just like for any cloud-based service, 2FA is a must, and accounts as well as account configurations need to be carefully audited, even if you are not in the crosshairs of nation-state attackers.
  • They are disabling logging, such as Purview Audit (formerly Advanced Audit), which is required to enable the Mail Items Accessed audit, a very effective tool for determining specific accesses to mail items. Make sure that you've enabled MFA for ALL accounts, including dormant/disabled accounts. Make sure the MFA self-enrollment process leverages features such as conditional access so that an adversary who guesses credentials isn't able to self-enroll before the legitimate user can. When considering MS 365 security, don't underestimate the skills of possible attackers.
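The two checks the notes above call for (is the Mail Items Accessed audit actually in force per mailbox, and which accounts, dormant ones included, have no strong authentication method registered) can be scripted. This is an added example, not code from the post or from the Mandiant or QiAnXin reports; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the signed-in admin has read access to mailbox audit settings and user authentication methods.

```powershell
# Added example (not from the post or the cited reports). Assumes the
# ExchangeOnlineManagement and Microsoft.Graph modules are installed and
# the signed-in account can read mailbox audit settings and auth methods.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All'

# 1. Tenant-wide audit kill switch: if AuditDisabled is true, nothing is logged.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) { Write-Warning 'Tenant-level mailbox auditing is disabled' }

# 2. MailItemsAccessed only appears in a mailbox's audit set while the mailbox
#    carries a Purview Audit (Premium) license; removing the license drops it
#    silently, so check the effective per-mailbox audit set, not the policy.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -PropertySets Audit
$missingMailItemsAccessed = $mailboxes | Where-Object {
    -not $_.AuditEnabled -or ($_.AuditOwner -notcontains 'MailItemsAccessed')
}
$missingMailItemsAccessed | Select-Object UserPrincipalName, AuditEnabled, AuditOwner

# 3. Accounts with no strong authentication method registered. Disabled
#    accounts are deliberately included: a dormant account that only has a
#    password is exactly what the note warns about.
$strongTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled
foreach ($u in $users) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $hasStrong = ($types | Where-Object { $strongTypes -contains $_ }).Count -gt 0
    if (-not $hasStrong) {
        [pscustomobject]@{
            User    = $u.UserPrincipalName
            Enabled = $u.AccountEnabled
            Methods = ($types -join ',')
        }
    }
}
```

Any mailbox listed in step 2 is one where a Mail Items Accessed event would never be written, and any account listed in step 3 is one an adversary holding the password could still self-enroll MFA on unless conditional access blocks it.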

Read more in

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
