UK ties GRU to stealthy Microsoft 365 credential-stealing malware

Threat Score
79%
4 articles 100.0% Similarity 7 hours ago

Activity Timeline

Jul 18, 14:35 | Cybersecurity News | Fancy Bear Hackers Attacking Governments, Military...
Jul 18, 16:50 | Computer Weekly IT Security | NCSC exposes Fancy Bear's Authentic Antics malware...
Jul 18, 18:25 | GB Hackers | Fancy Bear Hackers Target Governments and Military...
Jul 18, 19:39 | BleepingComputer (Primary Article) | UK ties GRU to stealthy Microsoft 365 credential-s...

UK ties GRU to stealthy Microsoft 365 credential-stealing malware
Bill Toulas, July 18, 2025, 03:39 PM

The UK National Cyber Security Centre (NCSC) has formally attributed ‘Authentic Antics’ espionage malware attacks to APT28 (Fancy Bear), a threat actor already linked to Russia’s military intelligence service (GRU).

The NCSC revealed in a detailed technical analysis of the Authentic Antics malware, dated May 6th, that it steals credentials and OAuth 2.0 tokens that allow access to a target's email account.

The malware was observed in use in 2023. It runs inside the Outlook process and produces multiple Microsoft login prompts in its attempts to intercept the victim's sign-in data and authorization code.

The agency says that because Microsoft 365 apps are configurable per tenant, it is possible that sensitive data also works for Exchange Online, SharePoint, and OneDrive.

Authentic Antics exfiltrates the stolen data by using the victim’s own Outlook account to send it to an attacker-...
