Microsoft has taken to its security blog to shine a light on the company's recent observations in the cybersecurity space, and according to the Redmond company, a known hacking group is now going after US government officials in a series of highly-targeted spear-phishing email waves.

Malicious remote connection
According to Microsoft, the hacking group is Russian government-backed bad actors Midnight Blizzard, which have been on Microsoft's radar since October 22, 2024. Microsoft Threat Intelligence is quite familiar with Midnight Blizzard, as the hacking group targeted Microsoft servers on January 12, 2024, which ended up becoming compromised and Midnight Blizzard gaining access to federal government email accounts, Microsoft's corporate email accounts, and more.
At the time, Microsoft described these attacks by Midnight Blizzard as a "sustained, significant commitment of the threat actor's resources, coordination, and focus." Now, Microsoft has put out a new warning that Midnight Blizzard is sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. Microsoft writes this activity is ongoing, and the likely goal of this operation is to collect intelligence.
As for specifics, Microsoft is attempting to thwart the spear-phising campaign by revealing what individuals can look out for. According to the blog post spear-phishing emails within the campaign that were sent to thousands of targets over 100s of organizations contained a "signed Remote Desktop Protocol (RDP) configuration file." This file enabled a connection to be formed with the Midnight Blizzard-controller server.
"In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user's local device's resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards.
This access could enable the threat actor to install malware on the target's local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system," warned Microsoft