Russian Hackers Use Fake Entra Pages to Breach NGOs
A Russian state-linked hacking group known as Void Blizzard, also referred to as Laundry Bear, has compromised more than 20 non-governmental organizations (NGOs) through a phishing campaign that leverages Evilginx, according to Microsoft. The campaign, active since at least April 2024, uses fake Microsoft Entra login pages designed to steal user credentials and session cookies, enabling unauthorized access to cloud environments.
Microsoft attributes the campaign to a broader pattern of “worldwide cloud abuse” tied to espionage efforts aligned with Russian government interests. The targets are largely organizations deemed strategically significant to those objectives. The attackers used Evilginx, a man-in-the-middle phishing framework, to bypass multi-factor authentication defenses and gain persistent access to sensitive systems.
The incident highlights growing concerns over the use of advanced phishing kits and cloud-based attack vectors by nation-state actors. Microsoft’s disclosure marks the first public identification of this specific threat cluster linked to Void Blizzard.
