AWS nails Russia's Cozy Bear trying to nick Microsoft creds
APT29 used watering-hole attacks and Cloudflare-mimicking domains to trick Microsoft users into authorizing attacker-controlled devices, giving the attackers access to accounts and data.
Russia-linked APT29 ran a watering-hole campaign that redirected visitors to attacker-controlled domains to trick users into authorizing devices via Microsoft's device code authentication flow.