I've analyzed a detailed threat report from the Microsoft Security Blog focusing on the Void Blizzard threat actor's attack chain. The analysis reveals a sophisticated multi-stage attack process, from initial access through persistent access, with multiple opportunities for detection at each stage. Void Blizzard is a Russia-affiliated threat actor that has emerged as a significant cyber espionage threat targeting critical infrastructure sectors globally. Active since at least 2024, the actor employs a multi-stage attack methodology to compromise organizations primarily in the telecommunications, IT, and NGO sectors across Europe and North America.
Initial Access via Stolen Credentials
Void Blizzard primarily gains initial access by leveraging stolen credentials - likely purchased from criminal marketplaces that sell data harvested by commodity infostealers. These credentials allow them to access Exchange Online and SharePoint, particularly targeting organizations in critical sectors like government, defense, transportation, media, NGOs, and healthcare.
Detection Opportunities:
- Suspicious Connection to Remote Account
- Azure Login Bypassing Conditional Access Policies
- ProxyLogon MSExchange OabVirtualDirectory
- Exchange PowerShell Snap-Ins Usage
Evolution to Targeted Phishing
In April 2025, the group evolved their tactics to include a targeted AitM (Adversary-in-the-Middle) spear phishing campaign. They created typosquatted domains like "micsrosoftonline
Detection Opportunities:
- Okta FastPass Phishing Detection
- HTTP Request to Low Reputation TLD or Suspicious File Extension
- Bitsadmin to Uncommon TLD
- Suspicious Network Communication With IPFS
Credential Harvesting
When victims scan the QR code in the PDF, they're directed to a fake Microsoft Entra authentication page. Void Blizzard uses the open-source Evilginx framework to steal authentication data, including usernames, passwords, and session cookies through an adversary-in-the-middle attack.
Detection Opportunities:
- Okta FastPass Phishing Detection
- Phishing Pattern ISO in Archive
- Potentially Suspicious Rundll32.EXE Execution of UDL File
Cloud API Abuse
After successfully obtaining credentials, Void Blizzard abuses legitimate cloud APIs such as Exchange Online and Microsoft Graph to access organizational data. They enumerate users' mailboxes, including shared mailboxes, and cloud-hosted files.
Detection Opportunities:
- App Granted Microsoft Permissions
- Suspicious OAuth App File Download Activities
- Mailbox Export to Exchange Webserver
- Exchange PowerShell Snap-Ins Usage
- Powershell Local Email Collection
Bulk Data Collection
The actor automates bulk collection of cloud-hosted data, primarily targeting emails and files. They access not only the compromised user's own data but also any mailboxes or file shares that the user has permission to access, maximizing their information-gathering reach.
Detection Opportunities:
- Automated Collection Command PowerShell
- Automated Collection Command Prompt
- Suspicious OAuth App File Download Activities
- Powershell Local Email Collection
- Suspicious PowerShell Mailbox Export to Share - PS
- Suspicious PowerShell Mailbox Export to Share
- Mailbox Export to Exchange Webserver
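The Cloud API Abuse and Bulk Data Collection stages above both hinge on one compromised account reading many mailboxes it does not own. The following detection logic is an added example, not code from the Microsoft report or from the rules listed above: it walks Exchange Online mailbox-audit records (the MailItemsAccessed operation, with the UserId and MailboxOwnerUPN fields) and flags any actor that opens several delegate or shared mailboxes inside a short window. The sample records, the 30-minute window and the threshold of three mailboxes are constructed tuning values, not figures from the report.

```python
"""Flag bulk delegate/shared-mailbox reads in Exchange Online audit records.

Added example, not from the Void Blizzard report. Field names follow the
Exchange Online mailbox-audit schema (Operation, UserId, MailboxOwnerUPN,
CreationTime); the records and tuning values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: tuning value, not from the report
MIN_DISTINCT_MAILBOXES = 3       # assumption: tuning value, not from the report


def rec(t, actor, owner):
    """Build one constructed MailItemsAccessed audit record."""
    return {"CreationTime": t, "Operation": "MailItemsAccessed",
            "UserId": actor, "MailboxOwnerUPN": owner}


# Constructed sample: alice reads her own mailbox, then sweeps three shared
# mailboxes in seven minutes; bob touches three shared mailboxes but hours apart.
SAMPLE_RECORDS = [
    rec("2025-05-01T09:00:00", "alice@example.test", "alice@example.test"),
    rec("2025-05-01T09:02:00", "alice@example.test", "finance@example.test"),
    rec("2025-05-01T09:05:00", "alice@example.test", "hr@example.test"),
    rec("2025-05-01T09:09:00", "alice@example.test", "legal@example.test"),
    rec("2025-05-01T10:00:00", "bob@example.test", "finance@example.test"),
    rec("2025-05-01T11:30:00", "bob@example.test", "hr@example.test"),
    rec("2025-05-01T13:00:00", "bob@example.test", "legal@example.test"),
]


def flag_bulk_mailbox_access(records, window=WINDOW,
                             min_distinct=MIN_DISTINCT_MAILBOXES):
    """Return {actor: sorted mailboxes} for every actor that reads at least
    `min_distinct` mailboxes it does not own within any span of `window`."""
    per_actor = defaultdict(list)
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        actor, owner = r.get("UserId", "").lower(), r.get("MailboxOwnerUPN", "").lower()
        if owner and owner != actor:  # delegate or shared-mailbox read only
            per_actor[actor].append((datetime.fromisoformat(r["CreationTime"]), owner))
    hits = {}
    for actor, events in per_actor.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {owner for _, owner in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                hits[actor] = sorted(distinct)
                break
    return hits
```

Mailbox auditing must be enabled for MailItemsAccessed records to exist at all; the same sliding-window count applies to shared-mailbox access reported through other collectors once the actor and owner fields are mapped.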
Extended Access and Enumeration
In some cases, Void Blizzard accesses Microsoft Teams conversations via the web client and uses tools like AzureHound to enumerate the compromised organization's Microsoft Entra ID configuration, gathering information about users, roles, groups, applications, and devices to maintain persistence and potentially expand access.
Detection Opportunities:
- Suspicious Teams Application Related ObjectAcess Event
- Microsoft Teams Sensitive File Access By Uncommon Applications
- Potentially Suspicious Command Targeting Teams Sensitive Files
- Renamed Microsoft Teams Execution
- Discovery Using AzureHound
- App Assigned To Azure RBAC/Microsoft Entra Role
- Users Added to Global or Device Admin Roles
Ready to elevate your security capabilities? When you're ready to master how these detections are properly developed, maintained, and deployed at scale, our specialized training programs are designed for security professionals like you. If you want to learn how to build AI agent workflows that automatically map threats based on your existing rulesets—saving time and improving accuracy—reach out today. Our expert-led courses provide the hands-on skills your team needs to stay ahead of evolving threats. Contact us to discuss how our detection engineering and AI security agent training can transform your security operations.