
Amazon’s threat intelligence team identified and disrupted a sophisticated watering hole campaign in June 2025, attributed to the Russian state-sponsored threat group APT29, also known as Midnight Blizzard and Cozy Bear [1]. The operation aimed to gain unauthorized access to Microsoft 365 accounts to exfiltrate data for intelligence purposes. This incident, detailed by Amazon CISO CJ Moses on the AWS Security Blog, represents a significant evolution in the group’s tradecraft, illustrating their intention to cast a wider net in their intelligence collection efforts beyond traditional government targets [2].
The campaign’s discovery and subsequent takedown involved a coordinated effort with industry partners Cloudflare and Microsoft. Amazon confirmed its own infrastructure and services, including AWS, were not compromised during the operation [3]. This action is part of a continuous pattern of activity from APT29, which includes recent campaigns against European embassies, Hewlett Packard Enterprise (HPE), and TeamViewer, and is attributed to Russia’s Foreign Intelligence Service (SVR) [4].
Attack Methodology and Technical Evolution
APT29 employed a multi-stage attack that leveraged trusted services to maximize its effectiveness and stealth. The group initially compromised legitimate websites and injected obfuscated, Base64-encoded JavaScript into them. A key evasion technique involved the use of a cookie-based system and randomization to redirect only approximately 10% of a site’s visitors, a method designed to reduce the chance of detection and analysis by security tools and researchers [5]. This selective targeting demonstrates a calculated effort to maintain operational security while still reaching a sufficient number of high-value targets.
Users who were redirected landed on convincing, spoofed Cloudflare verification pages hosted on domains such as `findcloudflare[.]com` and `cloudflare[.]redirectpartners[.]com`. The ultimate objective of these fake pages was to trick users into authorizing an attacker-controlled device via Microsoft’s device code OAuth flow. This technique is particularly dangerous as it can grant persistent access to the victim’s account and has the potential to bypass some multi-factor authentication (MFA) protections by presenting the user with a seemingly legitimate login prompt that appears within the trusted Microsoft ecosystem [6].
According to Amazon’s analysis, this campaign shows a marked evolution in APT29’s tradecraft, moving beyond previous methods like AWS domain impersonation. Key refinements observed included rapid adaptation and deployment of new infrastructure when existing domains and servers were disrupted. The group also adjusted its tactics, shifting from client-side JavaScript redirects to more stealthy server-side redirects on new infrastructure to avoid detection. The persistent use of encoding to hide malicious code and cookies to prevent re-redirecting the same user were central to their evasion strategy [7].
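The injection pattern described above (Base64-encoded inline JavaScript that checks a cookie, rolls a random number so only a fraction of visitors are redirected, and then sends the browser to a lookalike verification domain) can be hunted for in a site's own pages. The following scanner is an added example written for this article, not code from Amazon or any of the cited reports. It extracts inline `<script>` bodies from HTML, decodes any long Base64 string literals it finds, and flags scripts whose plain or decoded text combines cookie gating, `Math.random`, and a `location` redirect, reporting any redirect domains and matching them against the two domains named in the report. The sample HTML, including the short injected script modelled on the report's description, is constructed for the example; the `.invalid` host in the benign control is likewise made up.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Domains named in the report (shown defanged on the page), used here as a watch-list.
KNOWN_BAD_DOMAINS = {"findcloudflare.com", "cloudflare.redirectpartners.com"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Long quoted Base64 literals are the usual carrier for eval(atob("...")) style injection.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
REDIRECT_RE = re.compile(r"\blocation(?:\.href|\.replace\(|\s*=)")


@dataclass
class Finding:
    reason: str            # "known-bad domain" or "cookie-gated random redirect"
    encoded: bool          # True when the pattern was only visible after Base64 decoding
    domains: list[str] = field(default_factory=list)


def decode_blobs(script: str):
    """Yield the UTF-8 text of every long Base64 literal in a script body."""
    for m in B64_RE.finditer(script):
        try:
            yield base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not really Base64, or binary payload; ignore for this heuristic


def analyse_script(script: str) -> list[Finding]:
    """Check the raw script and each decoded blob for the gated-redirect pattern."""
    findings: list[Finding] = []
    for layer, text in enumerate([script, *decode_blobs(script)]):
        gated = "document.cookie" in text and "Math.random" in text
        if not (gated and REDIRECT_RE.search(text)):
            continue
        domains = sorted({d.lower() for d in URL_RE.findall(text)})
        hit = set(domains) & KNOWN_BAD_DOMAINS
        findings.append(Finding(
            reason="known-bad domain" if hit else "cookie-gated random redirect",
            encoded=layer > 0,
            domains=domains,
        ))
    return findings


def scan_html(html: str) -> list[Finding]:
    """Scan every inline <script> block in a page and collect findings."""
    out: list[Finding] = []
    for m in SCRIPT_RE.finditer(html):
        out.extend(analyse_script(m.group(1)))
    return out


# Constructed sample: one ordinary analytics snippet plus one Base64-wrapped injection
# that mimics the cookie + 10% random gating the report describes.
_INJECTED_JS = (
    "if(!document.cookie.includes('seen')&&Math.random()<0.1){"
    "document.cookie='seen=1';location.href='https://findcloudflare.com/';}"
)
SAMPLE_HTML = f"""<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>eval(atob("{base64.b64encode(_INJECTED_JS.encode()).decode()}"));</script>
</head><body>Welcome to https://site.invalid/</body></html>"""

BENIGN_HTML = "<html><head><script>var cfg = {theme: 'dark'};</script></head></html>"

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f.reason} (encoded={f.encoded}) -> {', '.join(f.domains) or 'no URL'}")
```

Run it against saved copies of your own pages or against the output of a periodic crawl of the site, and diff the set of inline scripts over time; a newly appearing Base64-wrapped script is suspicious even when this heuristic does not fire. Note that the report says the group later moved to server-side redirects, which leave nothing in the HTML to decode; those are only visible from the HTTP response chain (unexpected 30x responses to a small fraction of requests), so web-server access logs and synthetic monitoring from several vantage points are the complementary check.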
Disruption and Collaborative Response
Upon discovering the campaign, Amazon’s response was swift and comprehensive. The company isolated the malicious EC2 instances hosting the operation, effectively cutting off the attackers’ primary infrastructure. Recognizing the multi-faceted nature of the threat, Amazon partnered directly with Cloudflare and Microsoft to take down the identified malicious domains that were central to the phishing operation [8]. This collaborative approach was essential for an effective disruption, as it addressed the problem at multiple points within the attack chain.
The disruption did not mark the end of the engagement. Amazon’s team tracked the group’s attempt to migrate its infrastructure to another cloud provider and register new domains, which were subsequently also disrupted in a continued effort to neutralize the threat. This persistence in pursuing the migrating infrastructure highlights the challenges of dealing with a well-resourced adversary group that maintains redundant systems and contingency plans. The confirmation that Amazon’s own infrastructure remained secure throughout this process is a critical detail for organizations relying on AWS services [9].
Contextual Timeline and Mitigation Strategies
This incident is not an isolated event but rather part of a continuous and evolving pattern of activity from APT29. In October 2024, Amazon disrupted an earlier APT29 campaign that used domains impersonating AWS to deliver malicious RDP files. By February 2025, Microsoft and Volexity had warned of APT29 using device code phishing techniques, indicating a refinement of methods that culminated in the June 2025 campaign. Between April and June 2025, parallel campaigns targeted European diplomats and Russia experts, while Google separately reported APT29 exploiting Gmail’s “app-specific password” feature, showing the group’s broad targeting across multiple platforms [10].
For end users, vigilance is the first line of defense. They should be wary of unexpected redirects to security or verification pages and must scrutinize all device authorization requests in Microsoft portals before approving them, verifying the device name and location. Enabling MFA on all accounts provides an additional layer of security, though as this campaign shows, it is not foolproof. Users should also avoid copying and executing commands from web pages, a technique sometimes known as “ClickFix” that can lead to system compromise [11].
For IT administrators, more technical controls are available. They should consider disabling the device code authentication flow entirely if it is not required for their specific environment, as this removes the attack vector altogether. Implementing Conditional Access Policies that mandate device compliance, trusted locations, and specific sign-in risk levels can significantly reduce the attack surface. Perhaps most importantly, organizations must implement robust monitoring and alerting for authentication events, with particular attention to new device authorizations, which could indicate a successful phishing attempt [12].
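The monitoring recommendation above, and the device code flow described in the attack section, come together in the detection below. It is an added example written for this article, not Amazon's or Microsoft's code. It reads sign-in events as JSON lines, builds a per-user baseline of devices and countries from earlier successful sign-ins, and raises an alert for every successful sign-in that used the device code protocol, escalating the severity when the device or the country has not been seen for that user before (a successful device code authorization from an unknown device is exactly what a phished victim produces). The field names (`authenticationProtocol`, `deviceDetail.deviceId`, `location.countryOrRegion`, `status.errorCode`) are modelled on the Microsoft Graph sign-in log schema, but the sample events are constructed for this example and the exact schema in your export should be checked before use.

```python
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample sign-in events (JSON lines). Field names follow the Microsoft
# Graph signIn resource as an assumption; values are invented for the example.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-06-01T08:00:00Z","userPrincipalName":"alice@example.org","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","deviceDetail":{"deviceId":"dev-111","operatingSystem":"Windows 11"},"location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-06-02T08:05:00Z","userPrincipalName":"alice@example.org","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","deviceDetail":{"deviceId":"dev-111","operatingSystem":"Windows 11"},"location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-06-03T09:00:00Z","userPrincipalName":"carol@example.org","authenticationProtocol":"oAuth2","appDisplayName":"Azure CLI","deviceDetail":{"deviceId":"dev-333","operatingSystem":"Linux"},"location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-06-10T13:42:00Z","userPrincipalName":"alice@example.org","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","deviceDetail":{"deviceId":"","operatingSystem":"Linux"},"location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-06-10T14:00:00Z","userPrincipalName":"bob@example.org","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","deviceDetail":{"deviceId":"","operatingSystem":"Linux"},"location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T14:30:00Z","userPrincipalName":"carol@example.org","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","deviceDetail":{"deviceId":"dev-333","operatingSystem":"Linux"},"location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
"""


@dataclass
class Alert:
    user: str
    when: str
    severity: str       # "high" when device or country is new for the user, else "low"
    reasons: list[str]


def parse_signins(text: str) -> list[dict]:
    """Parse JSON-lines sign-in export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_device_code_abuse(events: list[dict]) -> list[Alert]:
    """Alert on successful device code sign-ins, weighting by per-user history."""
    events = sorted(events, key=lambda e: e["createdDateTime"])
    seen_devices: dict[str, set[str]] = defaultdict(set)
    seen_countries: dict[str, set[str]] = defaultdict(set)
    alerts: list[Alert] = []

    for e in events:
        user = e["userPrincipalName"]
        succeeded = e.get("status", {}).get("errorCode", 0) == 0
        device = e.get("deviceDetail", {}).get("deviceId") or None   # "" means unregistered
        country = e.get("location", {}).get("countryOrRegion")

        if succeeded and e.get("authenticationProtocol") == "deviceCode":
            reasons = [f"successful device code sign-in to {e.get('appDisplayName', '?')}"]
            if device is None or device not in seen_devices[user]:
                reasons.append("device not previously seen for this user")
            if country not in seen_countries[user]:
                reasons.append(f"first sign-in from {country}")
            severity = "high" if len(reasons) > 1 else "low"
            alerts.append(Alert(user, e["createdDateTime"], severity, reasons))

        # Only successful sign-ins extend the baseline; a failed attempt from an
        # unknown device must not make that device look familiar later.
        if succeeded:
            if device:
                seen_devices[user].add(device)
            if country:
                seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for a in detect_device_code_abuse(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{a.severity.upper()}] {a.when} {a.user}: {'; '.join(a.reasons)}")
```

In the sample, Alice's device code sign-in from an unregistered Linux device in a country she has never signed in from is rated high, Carol's from her usual device and country is rated low (worth reviewing, but consistent with an administrator using a CLI tool), and Bob's failed attempt is ignored. Where the device code flow is not needed at all, blocking it in Conditional Access (the page's first recommendation) is simpler than tuning this logic; the detection then remains useful as a tripwire that the block is still in force.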
Conclusion
The disruption of APT29’s watering hole campaign by Amazon represents a significant defensive action against a sophisticated state-sponsored threat group. The operation highlights the continuous evolution of adversary tradecraft, particularly in the use of cloud services and authentication mechanisms for malicious purposes. The collaboration between Amazon, Cloudflare, and Microsoft demonstrates the importance of industry partnerships in combating threats that span multiple platforms and services.
This incident serves as a reminder that even robust security measures like multi-factor authentication can be circumvented through sophisticated social engineering and technical exploits. Organizations must maintain a defense-in-depth approach that combines technical controls, user education, and continuous monitoring. The tactics, techniques, and procedures (TTPs) used in this campaign will likely be adopted by other threat actors, making the sharing of threat intelligence and mitigation strategies increasingly important for the security community.
References
- CJ Moses, “Amazon disrupts watering hole campaign by Russia’s APT29,” AWS Security Blog, [Online]. Available: https://aws.amazon.com/blogs/security/amazon-disrupts-watering-hole-campaign-by-russias-apt29/
- “Amazon disrupts Russian APT29 hackers targeting Microsoft 365,” BleepingComputer, [Online]. Available: https://www.bleepingcomputer.com/news/security/amazon-disrupts-russian-apt29-hackers-targeting-microsoft-365/
- “Amazon Disrupts APT29 Watering Hole Campaign Targeting Microsoft 365 Users,” The Hacker News, [Online]. Available: https://thehackernews.com/2025/08/amazon-disrupts-apt29-watering-hole.html
- “Amazon Disrupts Russian Hacking Campaign Targeting Microsoft Users,” SecurityWeek, [Online]. Available: https://www.securityweek.com/amazon-disrupts-russian-hacking-campaign-targeting-microsoft-users/
- “Amazon foils Russian APT29 watering hole campaign,” Infosecurity Magazine, [Online]. Available: https://www.infosecurity-magazine.com/news/amazon-russian-apt29-watering-hole/
- “Amazon says it stopped Russian hackers targeting Microsoft logins as Cozy Bear strikes again,” TechRadar, [Online]. Available: https://www.techradar.com/pro/security/amazon-says-it-stopped-russian-hackers-targeting-microsoft-logins-as-cozy-bear-strikes-again
- A. Merzer, “Amazon disrupts Russian APT29 hackers targeting Microsoft 365,” LinkedIn, [Online]. Available: https://www.linkedin.com/posts/arielmerzer_amazon-disrupts-russian-apt29-hackers-targeting-activity-7368842129885937664-glq5
- The Cyber Security Hub™, “Amazon disrupts Russian APT29 hackers targeting Microsoft 365,” Instagram, [Online]. Available: https://www.instagram.com/p/DOEKE0RiK2A/