Image of compromised page | Image: Amazon
Amazon’s threat intelligence team has identified and disrupted a watering hole campaign conducted by APT29 (also known as Midnight Blizzard), a threat actor linked to Russia’s Foreign Intelligence Service (SVR). The operation leveraged compromised websites to redirect unsuspecting visitors into a credential harvesting scheme abusing Microsoft’s device code authentication flow.
According to Amazon, “Our investigation uncovered an opportunistic watering hole campaign using compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow.” This marks a continuation of APT29’s focus on intelligence collection, but with new refinements in delivery.
The group’s tradecraft has been evolving steadily. In October 2024, Amazon disrupted their use of domains impersonating AWS to phish users with malicious RDP files. In June 2025, Google’s Threat Intelligence Group observed APT29 phishing academics and critics of Russia into handing over application-specific passwords (ASPs). The current campaign, however, demonstrates a shift toward scalable tactics that exploit trust in legitimate websites.
As the report notes, APT29’s evolution is evident in their ability to:
- Compromise legitimate websites and initially inject obfuscated JavaScript
- Rapidly adapt infrastructure when faced with disruption
- Adjust from use of JavaScript redirects to server-side redirects on new infrastructure
Amazon’s detection analytics flagged malicious infrastructure tied to APT29, revealing domains that mimicked Cloudflare verification pages. The report explains, “Through further investigation, Amazon identified the actor compromised various legitimate websites and injected JavaScript that redirected approximately 10% of visitors to these actor-controlled domains.” One such domain was findcloudflare[.]com, which attempted to appear authentic while serving malicious redirects.
Analysis of the malicious code uncovered several evasion techniques, including:
- Randomizing redirection to only a fraction of visitors
- Using Base64 encoding to conceal injected scripts
- Setting cookies to prevent repeated redirects of the same target
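The three traits above are visible in page source once the encoding is undone, so a defender auditing a site can check for them mechanically. The following Node.js scanner is an added example, not code from Amazon's report: it pulls inline scripts out of an HTML document, decodes any `atob("...")` literals (including literals hidden inside an earlier decoded layer), and flags a script as watering-hole-like when a redirect is combined with random sampling or a cookie gate. The sample page, the `cf_chk` cookie name and the `cloudflare-verify.example` host are all constructed for this example and are not the actor's artifacts.

```javascript
// Added example (not Amazon's code): find inline scripts that hide a sampled, cookie-gated
// redirect behind base64, the three evasion traits listed above. Runs under Node.js.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const ATOB_RE = /atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)/g;
const URL_RE = /https?:\/\/[^\s'"<>)]+/g;

// Traits to look for once all base64 layers are decoded.
const INDICATORS = [
  { name: 'eval',            re: /\beval\s*\(|new\s+Function\s*\(/ },
  { name: 'redirect',        re: /location(?:\.href|\.replace|\.assign|\s*=)/ },
  { name: 'random-sampling', re: /Math\.random\(\)\s*[<>]=?\s*0?\.\d+/ },
  { name: 'cookie-gate',     re: /document\.cookie/ },
];

// Decode every atob('...') literal, then decode literals found inside the decoded
// text, up to maxDepth layers. Returns each layer plus the concatenated view.
function unwrapBase64(src, maxDepth = 3) {
  const layers = [src];
  let frontier = src;
  for (let depth = 0; depth < maxDepth; depth++) {
    const decoded = [...frontier.matchAll(ATOB_RE)]
      .map((m) => Buffer.from(m[2], 'base64').toString('utf8'));
    if (decoded.length === 0) break;
    frontier = decoded.join('\n');
    layers.push(frontier);
  }
  return { layers, text: layers.join('\n') };
}

function analyzeScript(src) {
  const { layers, text } = unwrapBase64(src);
  const indicators = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
  const urls = [...new Set(text.match(URL_RE) || [])];
  return {
    encodedLayers: layers.length - 1,
    indicators,
    urls,
    // A redirect that fires only for a sample of visitors, or only once per visitor,
    // is the watering-hole pattern; a plain redirect alone is common on benign pages.
    suspicious: indicators.includes('redirect') &&
      (indicators.includes('random-sampling') || indicators.includes('cookie-gate')),
  };
}

// Analyze every non-empty inline <script> block in an HTML document.
function scanHtml(html) {
  return [...html.matchAll(SCRIPT_RE)]
    .map((m) => m[1])
    .filter((src) => src.trim().length > 0)
    .map(analyzeScript);
}

// Constructed sample page: one ordinary script and one injected script whose redirect
// logic is wrapped in eval(atob("...")). The cookie name and target host are
// placeholders, not the actor's artifacts.
const REDIRECT_LOGIC =
  "if(document.cookie.indexOf('cf_chk=1')===-1&&Math.random()<0.1){" +
  "document.cookie='cf_chk=1;path=/;max-age=86400';" +
  "window.location.replace('https://cloudflare-verify.example/check');}";
const INJECTED = `eval(atob("${Buffer.from(REDIRECT_LOGIC).toString('base64')}"));`;
const SAMPLE_HTML = `<html><head>
<script>window.dataLayer=window.dataLayer||[];</script>
<script>${INJECTED}</script>
</head><body><h1>Welcome</h1></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanHtml(SAMPLE_HTML)) console.log(JSON.stringify(r));
}
```

Run it with `node scan.js` against the embedded sample, or replace `SAMPLE_HTML` with a fetched page body. The decoded URLs are the useful output: they are what you compare against the indicators in the report and block at the proxy. Expect false positives from A/B-testing and consent scripts, which also combine `Math.random()` with cookies; the `suspicious` rule is a triage filter, not a verdict.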
Ultimately, the infrastructure aimed to abuse Microsoft’s device code authentication flow. In that flow, a client that cannot sign in interactively displays a short code, and the user enters it on Microsoft’s own sign-in page to authorize that client. The lure pages presented the attacker’s code as a Cloudflare verification step; a victim who entered it on Microsoft’s legitimate page authorized a device the attacker controlled, and the resulting access tokens were issued to that device rather than to anything the victim owned.
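Because the victim authenticates on Microsoft’s genuine page, there is no spoofed login to detect; what remains is the sign-in record itself, which Entra ID labels with the protocol used. The following Node.js snippet is an added example, not Amazon’s or Microsoft’s code: it triages sign-in records for device code flow sign-ins, rating those from an address the user has never used interactively as high, and builds a Conditional Access policy body that blocks the flow. Field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `status.errorCode`) and `conditionalAccessPolicy` resource (`conditions.authenticationFlows.transferMethods`); the records, user names, addresses and group id are constructed for this example.

```javascript
// Added example (not Amazon's or Microsoft's code): triage sign-in records for the device
// code flow and build a Conditional Access policy that blocks it. Field names follow the
// Microsoft Graph signIn and conditionalAccessPolicy resources; the records below are
// constructed for this example.

const SIGN_INS = [
  { createdDateTime: '2025-08-28T08:02:11Z', userPrincipalName: 'alice@example.com',
    appDisplayName: 'Microsoft 365', authenticationProtocol: 'oAuth2',
    ipAddress: '203.0.113.10', status: { errorCode: 0 } },
  { createdDateTime: '2025-08-28T08:40:52Z', userPrincipalName: 'bob@example.com',
    appDisplayName: 'Microsoft 365', authenticationProtocol: 'oAuth2',
    ipAddress: '203.0.113.22', status: { errorCode: 0 } },
  // Device code sign-in from an address alice has never used: the shape a phished code
  // produces, because the token is issued to wherever the attacker's client is polling from.
  { createdDateTime: '2025-08-28T09:12:03Z', userPrincipalName: 'alice@example.com',
    appDisplayName: 'Microsoft Authentication Broker', authenticationProtocol: 'deviceCode',
    ipAddress: '198.51.100.77', status: { errorCode: 0 } },
  // Device code sign-in from bob's usual address: consistent with legitimate CLI use.
  { createdDateTime: '2025-08-28T09:30:00Z', userPrincipalName: 'bob@example.com',
    appDisplayName: 'Azure CLI', authenticationProtocol: 'deviceCode',
    ipAddress: '203.0.113.22', status: { errorCode: 0 } },
];

// Every successful device code sign-in is worth a look; one from an address the user has
// not used over other flows is rated high.
function triageDeviceCodeSignIns(signIns) {
  const baseline = new Map(); // user -> Set of addresses seen over non-device-code flows
  for (const s of signIns) {
    if (s.authenticationProtocol === 'deviceCode' || s.status.errorCode !== 0) continue;
    if (!baseline.has(s.userPrincipalName)) baseline.set(s.userPrincipalName, new Set());
    baseline.get(s.userPrincipalName).add(s.ipAddress);
  }
  return signIns
    .filter((s) => s.authenticationProtocol === 'deviceCode' && s.status.errorCode === 0)
    .map((s) => {
      const known = baseline.get(s.userPrincipalName) || new Set();
      const newAddress = !known.has(s.ipAddress);
      return {
        time: s.createdDateTime, user: s.userPrincipalName, app: s.appDisplayName,
        ip: s.ipAddress, newAddress, severity: newAddress ? 'high' : 'medium',
      };
    });
}

// Policy body for POST /identity/conditionalAccess/policies. Starts in report-only mode so
// legitimate device code users (headless hosts, CLIs) surface before enforcement; the
// exclusion group id is a placeholder supplied by the caller.
function blockDeviceCodeFlowPolicy(excludedGroupId) {
  return {
    displayName: 'Block device code flow',
    state: 'enabledForReportingButNotEnforced',
    conditions: {
      users: { includeUsers: ['All'], excludeGroups: [excludedGroupId] },
      applications: { includeApplications: ['All'] },
      authenticationFlows: { transferMethods: 'deviceCodeFlow' },
    },
    grantControls: { operator: 'OR', builtInControls: ['block'] },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triageDeviceCodeSignIns(SIGN_INS));
  console.log(JSON.stringify(blockDeviceCodeFlowPolicy('00000000-0000-0000-0000-000000000000'), null, 2));
}
```

The baseline here is only the addresses in the same batch; in production, build it from several weeks of history so a first-seen address actually means something. Leave the policy in report-only mode until the sign-in logs show which service accounts and operators genuinely depend on device code sign-in, move them into the excluded group, and only then set `state` to `enabled`.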
Upon discovery, Amazon acted swiftly. “Amazon worked quickly to isolate affected EC2 instances, partner with Cloudflare and other providers to disrupt the actor’s domains, and share relevant information with Microsoft.” Even after APT29 shifted infrastructure off AWS and registered new domains such as cloudflare[.]redirectpartners[.]com, Amazon continued to track and disrupt their operations.
Importantly, Amazon confirmed that “there was no compromise of AWS systems, nor was there a direct impact observed on AWS services or infrastructure.” This highlights the operation’s opportunistic nature rather than a direct cloud service intrusion.