Void Blizzard: The New Russian Threat Actor Targeting M365 Emails and Files

Microsoft and CrowdStrike recently documented a new Russian threat actor dubbed Void Blizzard, which specializes in rapid exfiltration of sensitive emails and files from Microsoft 365 (M365) tenants. Unlike a classic Business Email Compromise (BEC) intrusion, which lingers to set up forwarding rules and stage an invoice fraud, Void Blizzard is in and out fast: in the reported cases the whole sequence, from sign-in to bulk download, took on the order of 10 seconds.

How Void Blizzard Operates

1. Initial Access:

  • The actor signs in with valid, previously compromised credentials from attacker-controlled infrastructure rather than a victim device; the reported sign-ins came from a Netherlands-based range registered to Oxide Group Limited.
  • No OAuth app consent, no inbox or forwarding rules, no new MFA methods: nothing persistent is created, so the usual BEC detections have nothing to fire on.

2. Automated Data Exfiltration:

  • Within about 5 seconds of the sign-in, a scripted client searches the mailbox and SharePoint/OneDrive and downloads items matching keywords of interest (trade secrets, financial data, sensitive correspondence). The speed rules out a human at a keyboard.
  • Retrieval is not limited to recent mail; items more than a year old were pulled, which indicates a mailbox-wide search rather than inbox triage.

3. Rapid Exit:

  • The session ends within seconds and leaves a minimal forensic trail: a short-lived session from unfamiliar infrastructure with no persistence, much like what a victim of Adversary-in-the-Middle (AitM) token theft leaves behind. The audit log is effectively the only record.

You Should Know: Detecting and Mitigating Void Blizzard Attacks

1. Monitor Suspicious M365 Logins

Use Microsoft Sentinel or the Microsoft Graph PowerShell SDK to pull the last 24 hours of sign-ins and list the ones from outside your expected countries. (The original AzureAD module cmdlet is deprecated; the Graph filter needs an ISO 8601 timestamp, and the location field is `CountryOrRegion`.)

# Requires the Microsoft.Graph.Reports module:
# Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.Location.CountryOrRegion -ne "US" } |   # replace "US" with your own allowed countries
    Select-Object UserPrincipalName, IpAddress, @{n='Country'; e={ $_.Location.CountryOrRegion }}, CreatedDateTime

Geography alone is a weak signal here: the actor used a European hosting provider, so a Dutch or German tenant would see a "local" sign-in. Treat a sign-in from a hosting/VPS ASN that the user has never used before as at least as suspicious as a foreign country.

2. Enable the Unified Audit Log (UAL) in Exchange Online

Every detection below depends on the UAL; confirm it is on (from an Exchange Online PowerShell session, `Connect-ExchangeOnline`):

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

3. Hunt for Rapid File Access Patterns

Use KQL (Kusto Query Language) in Microsoft Sentinel against the `OfficeActivity` table (the Office 365 connector). The mailbox read event is `MailItemsAccessed`; there is no `EmailAccessed` operation in the audit log. Bucket by user and client IP so a whole week of one user's normal downloads is not collapsed into a single "burst":

OfficeActivity
| where TimeGenerated > ago(7d)
| where Operation in ("FileDownloaded", "MailItemsAccessed")
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Ops = make_set(Operation)
    by UserId, ClientIP, bin(TimeGenerated, 5m)
| extend TimeDiff = LastSeen - FirstSeen
// a human does not pull 10+ items in under 30 seconds
| where Count > 10 and TimeDiff < 30s
| project UserId, ClientIP, Count, TimeDiff, Ops, FirstSeen

Note that one `MailItemsAccessed` record can summarise many messages (sync access is aggregated and may be throttled), so the count is a floor, not the number of messages read. Keep the threshold conservative and pivot on the ClientIP.

4. Implement Conditional Access Policies

  • Block sign-ins from countries and hosting ASNs your organization does not use, and require a compliant or hybrid-joined device for access to Exchange Online and SharePoint.
  • Enforce phishing-resistant MFA for all users, not only privileged roles; password-only sessions are exactly what this actor relies on.

5. Check for Suspicious SharePoint Activity

# Exchange Online PowerShell session required (Connect-ExchangeOnline).
# Lists accounts that downloaded more than 50 files in the last 7 days.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations "FileDownloaded" -ResultSize 5000 |
    Where-Object { $_.UserId -like "*@domain.com" } |
    Group-Object UserId |
    Where-Object { $_.Count -gt 50 } |
    Select-Object Name, Count

`-ResultSize` caps at 5000 per call; for a large tenant, page with `-SessionId`/`-SessionCommand ReturnLargeSet` or narrow the date window. The JSON in each record's `AuditData` property carries the `ClientIP`, which is the pivot you want once a user is flagged.
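The same hunt (steps 3 and 5) can be run offline against exported audit records, which is useful when the tenant has no Sentinel workspace or when you are handed a UAL export after the fact. The following Python is an added example, not code from the original post or from Microsoft's report: it reads one `AuditData` JSON object per line and slides a 30-second window over each user's download and mailbox-read events per source IP, reporting runs that a human could not have produced. The records, users, timestamps, IP addresses and the `KNOWN_EGRESS` range are constructed for the demo; field names follow the UAL `AuditData` schema.

```python
"""Offline burst detector for Void Blizzard-style M365 exfiltration.

Added example, not code from the original post. Records follow the shape of
Unified Audit Log entries (the AuditData JSON returned by
Search-UnifiedAuditLog: CreationTime, Operation, UserId, ClientIP, ObjectId,
Workload). Everything below, including users, IPs and timestamps, is
constructed for the demo; the IPs come from documentation ranges.
"""
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that move content out of the tenant. The Exchange read event is
# MailItemsAccessed; there is no "EmailAccessed" operation in the UAL.
EXFIL_OPS = {"FileDownloaded", "MailItemsAccessed"}

# Assumed corporate egress ranges (constructed); replace with your own. Used
# only to annotate a burst, never to suppress it.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

_WORKLOAD = {"UserLoggedIn": "AzureActiveDirectory",
             "MailItemsAccessed": "Exchange",
             "FileDownloaded": "SharePoint"}


def _rec(ts: str, op: str, user: str, ip: str, obj: str) -> str:
    """Build one constructed AuditData line in the UAL JSON shape."""
    return json.dumps({"CreationTime": ts, "Operation": op, "UserId": user,
                       "ClientIP": ip, "ObjectId": obj, "Workload": _WORKLOAD[op]})


# Constructed sample: alice downloads three files over half an hour from the
# office; bob's account signs in from an unfamiliar IP and, starting two
# seconds later, reads mail and pulls files at one item per second.
_NORMAL = [_rec(f"2025-06-03T09:{m}:00", "FileDownloaded", "alice@example.com",
                "203.0.113.10", f"https://example.sharepoint.com/sites/fin/q{i}.xlsx")
           for i, m in enumerate(("00", "04", "31"))]
_INTRUSION = [_rec("2025-06-03T10:15:00", "UserLoggedIn", "bob@example.com",
                   "198.51.100.77", "Unknown")]
for k in range(12):
    op = "MailItemsAccessed" if k % 2 == 0 else "FileDownloaded"
    obj = "Mailbox" if k % 2 == 0 else f"https://example.sharepoint.com/sites/legal/c{k}.docx"
    _INTRUSION.append(_rec(f"2025-06-03T10:15:{2 + k:02d}", op, "bob@example.com",
                           "198.51.100.77", obj))
SAMPLE_AUDIT_LOG = "\n".join(_NORMAL + _INTRUSION)


def parse_audit_data(text: str) -> list[dict]:
    """Parse one AuditData JSON object per line into events with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["CreationTime"])  # UAL times are UTC
        events.append(rec)
    return events


def find_bursts(events: list[dict], window_seconds: int = 30, threshold: int = 10) -> list[dict]:
    """Flag (user, IP) pairs with >= threshold exfil events inside one window.

    Sliding window over the time-sorted events per (UserId, ClientIP); when a
    window fills, the whole run is reported once and scanning resumes after
    it. One MailItemsAccessed record can summarise many messages (sync access
    is aggregated), so the count is a floor on what was read.
    """
    window = timedelta(seconds=window_seconds)
    by_key: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for e in events:
        if e["Operation"] in EXFIL_OPS:
            by_key[(e["UserId"], e["ClientIP"])].append(e)

    bursts = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                addr = ipaddress.ip_address(ip)
                bursts.append({
                    "user": user,
                    "ip": ip,
                    "count": j - i + 1,
                    "span_seconds": int((evs[j]["ts"] - evs[i]["ts"]).total_seconds()),
                    "operations": sorted({e["Operation"] for e in evs[i:j + 1]}),
                    "from_known_egress": any(addr in net for net in KNOWN_EGRESS),
                })
                i = j + 1
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_audit_data(SAMPLE_AUDIT_LOG)):
        flag = "" if b["from_known_egress"] else " [unfamiliar IP]"
        print(f"{b['user']} from {b['ip']}{flag}: {b['count']} "
              f"{'/'.join(b['operations'])} events in {b['span_seconds']}s")
```

Run against a real export by replacing `SAMPLE_AUDIT_LOG` with the concatenated `AuditData` column of `Search-UnifiedAuditLog` output. Keying on the client IP as well as the user is deliberate: the actor's whole session comes from one hosting address, so a burst from an IP that never appears in the user's sign-in history is the strongest single indicator the page describes.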

What Undercode Say

Void Blizzard represents a shift towards hyper-automated, low-footprint intrusions that finish before a SOC analyst can open the alert. Organizations must:
– Ingest M365 audit logs (UAL, sign-in logs) with minimal latency and hunt in them directly, not only wait for SIEM alerts built for slower BEC tradecraft.
– Assume credentials are already compromised: phishing-resistant MFA for everyone, device-based Conditional Access, and short token lifetimes, in line with Zero Trust.
– Use behavioral analytics (UEBA) keyed on user and source IP to catch abnormal access rates rather than individual events.

Prediction

Expect more automated, sub-30-second attacks over the coming year as threat actors refine their tooling. Companies lagging in real-time log analysis will suffer the most.

Reported By: Theonejvo No – Hackers Feeds