Microsoft report on a sustained phishing campaign by the SEABORGIUM threat actor
The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its operations consist of persistent phishing and credential-theft campaigns that lead to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries.
While Microsoft cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other non-state ecosystems, MSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations rather than financial motivations.
SEABORGIUM is a highly persistent threat actor, frequently targeting the same organizations over long periods of time. Once successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen its intrusion. SEABORGIUM has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics.
Indicators of compromise (IOCs)
The list below provides IOCs observed during Microsoft’s investigation. Microsoft encourages customers to investigate these indicators in their environments and to implement detections and protections to identify past related activity and prevent future attacks against their systems. The domains are defanged with "[.]" in place of "." so they are not accidentally clicked or resolved.
| Indicator | Type | Confidence | Public References (if applicable) |
|---|---|---|---|
cache-dns[.]com | Domain name | High | Google TAG, Sekoia.io |
cache-dns-forwarding[.]com | Domain name | High | |
cache-dns-preview[.]com | Domain name | High | |
cache-docs[.]com | Domain name | High | Sekoia.io |
cache-pdf[.]com | Domain name | High | |
cache-pdf[.]online | Domain name | High | |
cache-services[.]live | Domain name | High | |
cloud-docs[.]com | Domain name | High | Sekoia.io |
cloud-drive[.]live | Domain name | High | |
cloud-storage[.]live | Domain name | High | |
docs-cache[.]com | Domain name | High | Sekoia.io |
docs-forwarding[.]online | Domain name | High | |
docs-info[.]com | Domain name | High | Sekoia.io |
docs-shared[.]com | Domain name | High | Google TAG, Sekoia.io |
docs-shared[.]online | Domain name | High | |
docs-view[.]online | Domain name | High | |
document-forwarding[.]com | Domain name | High | |
document-online[.]live | Domain name | High | |
document-preview[.]com | Domain name | High | |
documents-cloud[.]com | Domain name | High | Sekoia.io |
documents-cloud[.]online | Domain name | High | Sekoia.io |
documents-forwarding[.]com | Domain name | High | Google TAG |
document-share[.]live | Domain name | High | |
documents-online[.]live | Domain name | High | |
documents-pdf[.]online | Domain name | High | Sekoia.io |
documents-preview[.]com | Domain name | High | Google TAG |
documents-view[.]live | Domain name | High | |
document-view[.]live | Domain name | High | |
drive-docs[.]com | Domain name | High | Sekoia.io |
drive-share[.]live | Domain name | High | Google TAG, Sekoia.io |
goo-link[.]online | Domain name | High | |
hypertextteches[.]com | Domain name | High | Sekoia.io |
mail-docs[.]online | Domain name | High | |
officeonline365[.]live | Domain name | High | |
online365-office[.]com | Domain name | High | |
online-document[.]live | Domain name | High | |
online-storage[.]live | Domain name | High | |
pdf-cache[.]com | Domain name | High | |
pdf-cache[.]online | Domain name | High | |
pdf-docs[.]online | Domain name | High | Sekoia.io |
pdf-forwarding[.]online | Domain name | High | |
protection-checklinks[.]xyz | Domain name | High | |
protection-link[.]online | Domain name | High | |
protectionmail[.]online | Domain name | High | Sekoia.io |
protection-office[.]live | Domain name | High | Google TAG, Sekoia.io |
protect-link[.]online | Domain name | High | Google TAG, Sekoia.io |
proton-docs[.]com | Domain name | High | Sekoia.io |
proton-reader[.]com | Domain name | High | |
proton-viewer[.]com | Domain name | High | Google TAG, Sekoia.io |
relogin-dashboard[.]online | Domain name | High | |
safe-connection[.]online | Domain name | High | |
safelinks-protect[.]live | Domain name | High | |
secureoffice[.]live | Domain name | High | |
webresources[.]live | Domain name | High | Google TAG |
word-yand[.]live | Domain name | High | |
yandx-online[.]cloud | Domain name | High | |
y-ml[.]co | Domain name | High | |
docs-drive[.]online | Domain name | Moderate | Sekoia.io |
docs-info[.]online | Domain name | Moderate | |
cloud-mail[.]online | Domain name | Moderate | |
onlinecloud365[.]live | Domain name | Moderate | |
pdf-cloud[.]online | Domain name | Moderate | Sekoia.io |
pdf-shared[.]online | Domain name | Moderate | Sekoia.io |
proton-pdf[.]online | Domain name | Moderate | |
proton-view[.]online | Domain name | Moderate | Sekoia.io |
office365-online[.]live | Domain name | Low | |
doc-viewer[.]com | Domain name | Low | |
file-milgov[.]systems | Domain name | Low | Sekoia.io |
office-protection[.]online | Domain name | Low | Sekoia.io |
NOTE: These indicators should not be considered exhaustive for this observed activity.
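To act on the table above in practice, the indicators have to be refanged ("[.]" back to ".") and then matched against DNS or proxy logs by domain suffix rather than by plain substring, so that a phishing host such as login.cache-dns[.]com is caught while an unrelated name that merely contains the string is not. The following Python script is an added example for this page, not part of Microsoft's report or its tooling. The handful of indicators embedded in it are copied from the table above (a subset, for illustration; use the full table in practice), and the log lines it scans are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Subset of the defanged SEABORGIUM domains from the table above, with their
# stated confidence. Illustrative subset only; load the full table in practice.
IOC_TABLE = """
cache-dns[.]com | High
docs-shared[.]com | High
proton-viewer[.]com | High
docs-drive[.]online | Moderate
doc-viewer[.]com | Low
"""

# Constructed log lines (not real telemetry): one DNS-style and one proxy-style
# record per line, mixed together as a SIEM export might present them.
SAMPLE_LOGS = [
    "2022-08-15T09:12:01Z dns client=10.1.2.3 query=login.cache-dns.com type=A",
    "2022-08-15T09:12:07Z proxy client=10.1.2.3 url=https://docs-shared.com/share/Agenda.pdf status=200",
    "2022-08-15T09:13:40Z dns client=10.1.2.9 query=mail.example.com type=MX",
    "2022-08-15T09:14:02Z dns client=10.1.2.9 query=notcache-dns.com type=A",
    "2022-08-15T09:15:55Z proxy client=10.1.2.12 url=https://www.doc-viewer.com/ status=302",
]

# Pulls dotted host-like tokens (hostnames, IPs) out of a lowercased log line.
HOST_RE = re.compile(r"(?<![\w-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'cache-dns[.]com' into 'cache-dns.com'.
    Also handles the '(.)' and 'hxxp' conventions used in other threat reports."""
    return (indicator.strip().lower()
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("hxxp", "http"))


def load_iocs(table: str) -> Dict[str, str]:
    """Parse 'domain | confidence' rows into a lookup of refanged domain -> confidence."""
    iocs: Dict[str, str] = {}
    for line in table.strip().splitlines():
        domain, confidence = [col.strip() for col in line.split("|")]
        iocs[refang(domain)] = confidence
    return iocs


def match_domain(fqdn: str, iocs: Dict[str, str]) -> Optional[str]:
    """Return the IOC domain that fqdn is, or is a subdomain of, else None.

    Matching is done label by label from the full name down to the registrable
    domain, so 'login.cache-dns.com' matches 'cache-dns.com' but 'notcache-dns.com'
    does not (a substring check would wrongly flag the latter). The bare TLD is
    never tried on its own."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(lines: Iterable[str], iocs: Dict[str, str]) -> List[dict]:
    """Scan log lines for hostnames that match an IOC; return one hit per match."""
    hits: List[dict] = []
    for number, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line.lower()):
            matched = match_domain(host, iocs)
            if matched:
                hits.append({"line": number, "host": host,
                             "ioc": matched, "confidence": iocs[matched]})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, load_iocs(IOC_TABLE)):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ioc']} ({hit['confidence']})")
```

Hits carry the confidence column so a SOC can triage High-confidence matches first and treat Low-confidence ones as leads for further review rather than as confirmed compromise, as the note above the table suggests.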

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.