The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other nonstate ecosystems, MSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations.
This blog provides insights into SEABORGIUM’s activities and technical methods, with the goal of sharing context and raising awareness about a significant threat to Microsoft customers. MSTIC would like to acknowledge the Google Threat Analysis Group (TAG) and the Proofpoint Threat Research Team for their collaboration on tracking and disrupting this actor. Microsoft’s ability to detect and track SEABORGIUM’s abuse of Microsoft services, particularly OneDrive, has provided MSTIC sustained visibility into the actor’s activities and enabled us to notify impacted customers. As an outcome of these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection. Microsoft Defender SmartScreen has also implemented detections against the phishing domains represented in SEABORGIUM’s activities.
SEABORGIUM is a highly persistent threat actor, frequently targeting the same organizations over long periods of time. Once successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen their intrusion. SEABORGIUM has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics. Based on known indicators of compromise and actor tactics, SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint) and COLDRIVER (Google). Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group (tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the association.
Since the beginning of 2022, Microsoft has observed SEABORGIUM campaigns targeting over 30 organizations, in addition to personal accounts of people of interest. SEABORGIUM primarily targets NATO countries, particularly the US and the UK, with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe. Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia, and organizations involved in supporting roles for the war in Ukraine. Despite some targeting of these organizations, Microsoft assesses that Ukraine is likely not a primary focus for this actor; however, it is most likely a reactive focus area for the actor and one of many diverse targets.
Within the target countries, SEABORGIUM primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. SEABORGIUM has a high interest in targeting individuals as well, with 30% of Microsoft’s nation-state notifications related to SEABORGIUM activity being delivered to Microsoft consumer email accounts. SEABORGIUM has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad. As with any observed nation-state actor activity, Microsoft directly notifies customers of Microsoft services that have been targeted or compromised, providing them with the information they need to secure their accounts.
Over many years of tracking, Microsoft has observed a consistent methodology from SEABORGIUM with only slight deviations in their social engineering approaches and in how they deliver the initial malicious URL to their targets. In this section, we provide detailed analysis of SEABORBIUM’s operational tactics as well as several examples of their campaigns.
Before starting a campaign, SEABORGIUM often conducts reconnaissance of target individuals, with a focus on identifying legitimate contacts in the targets’ distant social network or sphere of influence. Based on some of the impersonation and targeting observed, we suspect that the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts. MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest. In accordance with their policies, LinkedIn terminated any account (including the one shown below) identified as conducting inauthentic or fraudulent behavior.
SEABORGIUM also registers new email accounts at various consumer email providers, with the email address or alias configured to match legitimate aliases or names of impersonated individuals. While the creation of new consumer accounts is common, we have also observed SEABORGIUM returning to and reusing historical accounts that match the industry of the ultimate target. In one case, we observed SEABORGIUM returning to an account it had not used in a year, indicating potential tracking and reusing of accounts if relevant to targets’ verticals.
After registering new accounts, SEABORGIUM proceeds to establish contact with their target. In cases of personal or consumer targeting, MSTIC has mostly observed the actor starting the conversation with a benign email message, typically exchanging pleasantries before referencing a non-existent attachment while highlighting a topic of interest to the target. It’s likely that this additional step helps the actor establish rapport and avoid suspicion, resulting in further interaction. If the target replies, SEABORGIUM proceeds to send a weaponized email.
MSTIC has also documented several cases where the actor focuses on a more organizational approach to phishing. In these cases, the actor uses an authoritative approach in their social engineering and typically goes to directly sending malicious content.
These examples serve to demonstrate the actors’ capability to be dynamic and to adapt their social engineering approach to gain the trust of their victims.
Microsoft has identified several variations in the way that SEABORGIUM delivers a link that directs targets to their credential stealing infrastructure.
URL in body of email
In the simplest case, SEABORGIUM directly adds a URL to the body of their phishing email. Occasionally, the actor leverages URL shorteners and open redirects to obfuscate their URL from the target and inline protection platforms. The email varies between fake personal correspondence with a hyperlinked text and fake file sharing emails that imitate a range of platforms.
PDF file attachment that contains a URL
MSTIC has observed an increase in the use of attachments in SEABORGIUM campaigns. These attachments typically imitate a file or document hosting service, including OneDrive, and request the user to open the document by clicking a button.
OneDrive link to PDF file that contains a URL
SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL. This activity does not represent any security issues or vulnerabilities on the OneDrive platform. The actors include a OneDrive link in the body of the email that when clicked directs the user to a PDF file hosted within a SEABORGIUM-controlled OneDrive account. As seen in the previous example, the victim is presented with what appears to be a failed preview message, enticing the target to click the link to be directed to the credential-stealing infrastructure. Occasionally, SEABORGIUM makes use of open redirects within the PDF file to further disguise their operational infrastructure. In the example below, SEABORGIUM uses a Google URL for redirection.
Regardless of the method of delivery, when the target clicks the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx. On occasion, Microsoft has observed attempts by the actor to evade automated browsing and detonation by fingerprinting browsing behavior. Once the target is redirected to the final page, the framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials. After credentials are captured, the target is redirected to a website or document to complete the interaction.
SEABORGIUM has been observed to use stolen credentials and directly sign in to victim email accounts. Based on our experience responding to intrusions from this actor on behalf of our customers, we have confirmed that the following activities are common:
Based on the specific victimology, documents stolen, conversations fostered, and sustained collection observed, we assess that espionage is likely a key motivation of the actor.
In May 2021, MSTIC attributed an information operation to SEABORGIUM based on observations and technical overlaps with known phishing campaigns. The operation involved documents allegedly stolen from a political organization in the UK that were uploaded to a public PDF file-sharing site. The documents were later amplified on social media via known SEABORGIUM accounts, however MSTIC observed minimal engagement or further amplification. Microsoft was unable to validate the authenticity of the material.
In late May 2022, Reuters along with Google TAG disclosed details about an information operation, specifically using hack and leak, that they attributed to COLDRIVER/SEABORGIUM. Microsoft independently linked SEABORGIUM to the campaign through technical indicators and agrees with the assessment by TAG on the actor responsible for the operation. In the said operation, the actors leaked emails/documents from 2018 to 2022, allegedly stolen from consumer Protonmail accounts belonging to high-level proponents of Brexit, to build a narrative that the participants were planning a coup. The narrative was amplified using social media and through specific politically themed media sources that garnered quite a bit of reach.
While we have only observed two cases of direct involvement, MSTIC is not able to rule out that SEABORGIUM’s intrusion operations have yielded data used through other information outlets. As with any information operation, Microsoft urges caution in distributing or amplifying direct narratives, and urges readers to be critical that the malicious actors could have intentionally inserted misinformation or disinformation to assist their narrative. With this in mind, Microsoft will not be releasing the specific domain or content to avoid amplification.
The techniques used by the actor and described in the “Observed actor activity” section can be mitigated by adopting the security considerations provided below:
For Microsoft Defender for Office 365 Customers:
The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.
| Indicator | Type | Confidence | Public References (if Applicable) |
| cache-dns[.]com | Domain name | High | Google TAG, Sekoia.io |
| cache-dns-forwarding[.]com | Domain name | High | |
| cache-dns-preview[.]com | Domain name | High | |
| cache-docs[.]com | Domain name | High | Sekoia.io |
| cache-pdf[.]com | Domain name | High | |
| cache-pdf[.]online | Domain name | High | |
| cache-services[.]live | Domain name | High | |
| cloud-docs[.]com | Domain name | High | Sekoia.io |
| cloud-drive[.]live | Domain name | High | |
| cloud-storage[.]live | Domain name | High | |
| docs-cache[.]com | Domain name | High | Sekoia.io |
| docs-forwarding[.]online | Domain name | High | |
| docs-info[.]com | Domain name | High | Sekoia.io |
| docs-shared[.]com | Domain name | High | Google TAG, Sekoia.io |
| docs-shared[.]online | Domain name | High | |
| docs-view[.]online | Domain name | High | |
| document-forwarding[.]com | Domain name | High | |
| document-online[.]live | Domain name | High | |
| document-preview[.]com | Domain name | High | |
| documents-cloud[.]com | Domain name | High | Sekoia.io |
| documents-cloud[.]online | Domain name | High | Sekoia.io |
| documents-forwarding[.]com | Domain name | High | Google TAG |
| document-share[.]live | Domain name | High | |
| documents-online[.]live | Domain name | High | |
| documents-pdf[.]online | Domain name | High | Sekoia.io |
| documents-preview[.]com | Domain name | High | Google TAG |
| documents-view[.]live | Domain name | High | |
| document-view[.]live | Domain name | High | |
| drive-docs[.]com | Domain name | High | Sekoia.io |
| drive-share[.]live | Domain name | High | Google TAG, Sekoia.io |
| goo-link[.]online | Domain name | High | |
| hypertextteches[.]com | Domain name | High | Sekoia.io |
| mail-docs[.]online | Domain name | High | |
| officeonline365[.]live | Domain name | High | |
| online365-office[.]com | Domain name | High | |
| online-document[.]live | Domain name | High | |
| online-storage[.]live | Domain name | High | |
| pdf-cache[.]com | Domain name | High | |
| pdf-cache[.]online | Domain name | High | |
| pdf-docs[.]online | Domain name | High | Sekoia.io |
| pdf-forwarding[.]online | Domain name | High | |
| protection-checklinks[.]xyz | Domain name | High | |
| protection-link[.]online | Domain name | High | |
| protectionmail[.]online | Domain name | High | Sekoia.io |
| protection-office[.]live | Domain name | High | Google TAG, Sekoia.io |
| protect-link[.]online | Domain name | High | Google TAG, Sekoia.io |
| proton-docs[.]com | Domain name | High | Sekoia.io |
| proton-reader[.]com | Domain name | High | |
| proton-viewer[.]com | Domain name | High | Google TAG, Sekoia.io |
| relogin-dashboard[.]online | Domain name | High | |
| safe-connection[.]online | Domain name | High | |
| safelinks-protect[.]live | Domain name | High | |
| secureoffice[.]live | Domain name | High | |
| webresources[.]live | Domain name | High | Google TAG |
| word-yand[.]live | Domain name | High | |
| yandx-online[.]cloud | Domain name | High | |
| y-ml[.]co | Domain name | High | |
| docs-drive[.]online | Domain name | Moderate | Sekoia.io |
| docs-info[.]online | Domain name | Moderate | |
| cloud-mail[.]online | Domain name | Moderate | |
| onlinecloud365[.]live | Domain name | Moderate | |
| pdf-cloud[.]online | Domain name | Moderate | Sekoia.io |
| pdf-shared[.]online | Domain name | Moderate | Sekoia.io |
| proton-pdf[.]online | Domain name | Moderate | |
| proton-view[.]online | Domain name | Moderate | Sekoia.io |
| office365-online[.]live | Domain name | Low | |
| doc-viewer[.]com | Domain name | Low | |
| file-milgov[.]systems | Domain name | Low | Sekoia.io |
| office-protection[.]online | Domain name | Low | Sekoia.io |
NOTE: These indicators should not be considered exhaustive for this observed activity.
Intelligence gathered by the Microsoft Threat Intelligence Center (MSTIC) is used within Microsoft security products to provide protection against associated actor activity.
Microsoft Defender for Office offers enhanced solutions for blocking and identifying malicious emails. Signals from Microsoft Defender for Office inform Microsoft 365 Defender, which correlate cross-domain threat intelligence to deliver coordinated defense, when this threat has been detected. These alerts, however, can be triggered by unrelated threat activity. Example alerts:
Aside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft 365 Defender alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. Example alerts:
Microsoft 365 Defender customers should also investigate any “Stolen session cookie was used” alerts that would betriggered for adversary-in-the-middle (AiTM) attacks.
Microsoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section above.
Microsoft Sentinel customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their environments.
The query below identifies matches based on domain IOCs related to SEABORGIUM actor across a range of common Microsoft Sentinel data sets:
Microsoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their environments.
This query identifies matches based on domain IOCs related to SEABORGIUM against Microsoft Defender for Endpoint device network connections
The post Disrupting SEABORGIUM’s ongoing phishing operations appeared first on Microsoft Security Blog.
Posted in Skype for Business
In June 2022 we got a detailed blog post from the Exchange team about the Exchange Server roadmap: “We have moved the release date for the next version of Exchange Server to the second half of 2025. The next version will require Server and CAL licenses and will be accessible only to customers with Software Assurance, similar to the SharePoint Server and Project Server Subscription Editions. We will provide more details on naming, features, requirements, and pricing in the first half of 2024.”
Microsoft had previously announced at Ignite 2020 that all the Office on-premises server products were moving to a subscription model.
So SharePoint Subscription server was released, and Exchange recently explained they were delaying but releasing in the second half of 2025, what about Skype for Business Server vNext?
Previously the plan was for Skype for Business Server 2022, which was originally due in the second half of 2021. Obviously, the pandemic (and Microsoft Teams subsequent massive success and adoption), changed those plans.
Today we got a blog from the Skype for Business team: “We continue to evaluate customer needs for this opportunity and remain committed to supporting Skype for Business Server beyond October 14, 2025, but do not have additional details to share currently.”
The blog reminds customers that Skype for Business Server 2015 is already out of mainstream support, Skype for Business Server 2019 mainstream support ends Jan 9, 2024. Both SfBS 2015 and 2019 are supported on extended support until Oct 14, 2025. This is a paid support option. Though they encourage customers committed to on-premises to move to SfBS 2019.
The Skype for Business blog ends with “Stay tuned to this blog post for future news and announcements about Skype for Business Server”. Being that the post before this was in March 2021, I wouldn’t much more detail anytime soon.
Posted in Skype for Business
For millions of customers around the globe, Microsoft Teams is the preferred communications and collaboration platform, enabling chat, calling, meetings, file sharing, and application integration all from a single, cloud-based application.
However, we understand some customers wish to maintain an on-premises deployment, either as a stand-alone or part of a hybrid configuration with Teams. As such, Microsoft will continue to support Microsoft Lync Server 2013, Skype for Business Server 2015, and Skype for Business Server 2019 through Microsoft’s Fixed Lifecycle Policy that covers customers through Mainstream and Extended Support phases.
|
Product |
Start Date |
Mainstream End Date |
Extended End Date |
|
Jan 25, 2011 |
Apr 10, 2018 |
Apr 11, 2023 |
|
|
Jul 30, 2015 |
Oct 13, 2020 |
Oct 14, 2025 |
|
|
Oct 22, 2018 |
Jan 9, 2024 |
Oct 14, |
Lync Server and Skype for Business Server customers who may be considering a move to the cloud are strongly encouraged to look at Microsoft Teams, our solution for modern work and a core component of most Microsoft 365 subscriptions. Microsoft Teams is where you’ll find our latest innovations to enable modern work for your organization, as well as enterprise-grade accessibility and security. Guidance is available to plan a successful migration from Skype for Business Server 2019 to Teams.
At Ignite 2020, we announced plans for a version-less subscription for an on-premises solution we have been calling “vNext”. We continue to evaluate customer needs for this opportunity and remain committed to supporting Skype for Business Server beyond October 14, 2025, but do not have additional details to share currently. Customers who wish to remain on-premises should plan to upgrade to Skype for Business Server 2019 as this version provides the furthest window for Mainstream Service, the smoothest upgrade to the “vNext” and the easiest path to migrate users to Teams in the future.
End of Support for Skype for Business App SDK
We want to remind customers that along with the retirement of Skype for Business Online in July 2021, the Skype for Business App SDK is no longer supported for either online or on-premises deployments of Skype for Business. We encourage developers using the Skype for Business App SDK to transition to Azure Communication Services (ACS) to enable voice, video, chat, and telephony in your apps along with the ability to join Teams meetings (as a guest).
Stay tuned to this blog post for future news and announcements about Skype for Business Server and be sure to check out the Tech Community Teams Blog for the latest Teams updates.
Posted in Skype for Business
For millions of customers around the globe, Microsoft Teams is the preferred communications and collaboration platform, enabling chat, calling, meetings, file sharing, and application integration all from a single, cloud-based application.
However, we understand some customers wish to maintain an on-premises deployment, either as a stand-alone or part of a hybrid configuration with Teams. As such, Microsoft will continue to support Microsoft Lync Server 2013, Skype for Business Server 2015, and Skype for Business Server 2019 through Microsoft’s Fixed Lifecycle Policy that covers customers through Mainstream and Extended Support phases.
|
Product |
Start Date |
Mainstream End Date |
Extended End Date |
|
Jan 25, 2011 |
Apr 10, 2018 |
Apr 11, 2023 |
|
|
Jul 30, 2015 |
Oct 13, 2020 |
Oct 14, 2025 |
|
|
Oct 22, 2018 |
Jan 9, 2024 |
Oct 14, |
Lync Server and Skype for Business Server customers who may be considering a move to the cloud are strongly encouraged to look at Microsoft Teams, our solution for modern work and a core component of most Microsoft 365 subscriptions. Microsoft Teams is where you’ll find our latest innovations to enable modern work for your organization, as well as enterprise-grade accessibility and security. Guidance is available to plan a successful migration from Skype for Business Server 2019 to Teams.
At Ignite 2020, we announced plans for a version-less subscription for an on-premises solution we have been calling “vNext”. We continue to evaluate customer needs for this opportunity and remain committed to supporting Skype for Business Server beyond October 14, 2025, but do not have additional details to share currently. Customers who wish to remain on-premises should plan to upgrade to Skype for Business Server 2019 as this version provides the furthest window for Mainstream Service, the smoothest upgrade to the “vNext” and the easiest path to migrate users to Teams in the future.
End of Support for Skype for Business App SDK
We want to remind customers that along with the retirement of Skype for Business Online in July 2021, the Skype for Business App SDK is no longer supported for either online or on-premises deployments of Skype for Business. We encourage developers using the Skype for Business App SDK to transition to Azure Communication Services (ACS) to enable voice, video, chat, and telephony in your apps along with the ability to join Teams meetings (as a guest).
Stay tuned to this blog post for future news and announcements about Skype for Business Server and be sure to check out the Tech Community Teams Blog for the latest Teams updates.
Posted in Skype for Business
Posted in Skype for Business
This article discusses the addition of a Group Membership report and a Mailbox Permission report to a PowerShell script aimed at helping to prepare a Tenant-to-Tenant Migration.
— Read on practical365.com/enhancing-your-tenant-to-tenant-migration-powershell-script/
Posted in Skype for Business
This article discusses the addition of a Group Membership report and a Mailbox Permission report to a PowerShell script aimed at helping to prepare a Tenant-to-Tenant Migration.
— Read on practical365.com/enhancing-your-tenant-to-tenant-migration-powershell-script/
Posted in Skype for Business
Debug compose actions and condition steps can be difficult as flow runs will only show the output of your expressions. In this post a workaround, to make this easier.
Before I go into the solution, it will be useful to reintroduce the Try Catch Finally pattern used within this post. It has been a while since I wrote my first Try catch pattern post, 4 year ago, and since then it has been accepted as general best practice within the Power Platform community.
Then the other important element has been described by John Liu in his post about Tracked Properties a while back.
In this post I created an example flow that doesn’t do much. Just a condition and some compose actions. The flow itself is less than useful, however the pattern described can help a lot when you want to debug compose actions or condition steps.
Using the Try Catch Finally pattern , I’m going to collect my debug information in the finally scope. The finally scope will always run, no matter if my flow is successful or if it fails half way through.
To set the tracked properties, go to the Settings option of the action or step.
And then you can specify a property name and an expression that you want to appear within the tracked properties.
So typically for a condition you could include all parts of the expressions as specified within your condition.
Similarly we can also set the tracked properties of the compose actions.
Now that the tracked properties have been configured, we will need a compose action in our Finally scope. In this Finally scope we can add all the Track Properties from our steps inside the flow. With just a simple expression:
actions('Condition')?['TrackedProperties']
Now as we run the flow we will see the following output:
The approach described in this post has some benefits. Traditionally, I would probably just add another compose action above each condition. however all these compose actions clutter my flow and makes it harder to read the flow when all works as expected. With this approach all my debugging information is displayed at the end of the flow, nicely together in one box.
The user interface of tracked properties could probably do with some improvements, maybe one day it will be made easier to enter the expressions. But as we are only copying expressions entered in actions it shouldn’t be too difficult.
Posted in Skype for Business
Additions : 3
Updates : 6
More Details At: www.roadmapwatch.com
| New Features | Current Status | |||
|---|---|---|---|---|
| Microsoft Viva: App type support in the Store for Viva Connections | In Development | |||
| Microsoft Purview | eDiscovery (Premium): eDiscovery guest reviewer | In Development | |||
| Microsoft Purview | Information Protection: Exact Data Match to support 10 primary (searchable or indexed) fields | In Development | |||
| Updated Features | Current Status | Update Type | ||
| Excel: Track tasks with @mentions | Rolling Out | Status | ||
| Excel: Hyperlinks in Modern Comments | Rolling Out | Status | ||
| Microsoft Graph: ServiceNow Tickets Graph Connector | Rolling Out | Status | ||
| Microsoft Teams: Speaker Coach in Microsoft Teams Meetings | Rolling Out | Status | ||
| Microsoft 365 compliance center: Microsoft Purview | eDiscovery (Premium) – Collections and processing enhancement (US Government clouds) | Rolling Out | Status | ||
| Microsoft 365 compliance center: Microsoft Purview | eDiscovery (Premium) – Support for Graph Connectors content | Rolling Out | Status |
Regards
The Author – Blogabout.Cloud
Posted in Skype for Business
In this article, you will learn about Hybrid Modern Authentication and the prerequisites for use with on-premises Skype for Business and Exchange servers.
— Read on docs.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview
Posted in Skype for Business