Malicious Email Campaign by NOBELIUM
28 May 2021
Microsoft has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds. The phishing campaign has targeted around 3,000 individual accounts across more than 150 organisations linked to government agencies, think tanks, consultants, and non-governmental organisations.
This new wide-scale malicious email campaign leverages the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organisation to distribute malicious links through phishing emails that looked authentic. Most of the malicious emails have been blocked by automated email threat detection systems and marked as spam. However, some automated systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings, or prior to detections being in place.
In the attacks observed, a malicious payload is delivered to the target's computer when the targeted user clicks the link in the email. Successful execution of the payload could allow the attackers to carry out further malicious activity, such as data exfiltration and the delivery of additional malware.
Organisations are advised to monitor their networks and systems for any suspicious activity, and to adopt the following measures to reduce the impact of this threat:
- Turn on cloud-delivered protection in your anti-virus software to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the vast majority of new and unknown variants.
- Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft anti-virus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach).
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the Internet.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use device discovery to increase your visibility into your network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
- Enable multifactor authentication (MFA) to mitigate the use of compromised credentials.
- Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes.
To detect the malicious emails, administrators can scan for the following Indicators Of Compromise (IOCs):
Table 1: Indicators of Compromise
INDICATOR | TYPE | DESCRIPTION |
---|---|---|
ashainfo[@]usaid[.]gov | Spoofed email account | |
mhillary[@]usaid[.]gov | Spoofed email account | |
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 | SHA-256 | Malicious ISO file (container) |
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 | SHA-256 | Malicious ISO file (container) |
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 | SHA-256 | Malicious ISO file (container) |
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 | SHA-256 | Malicious shortcut (LNK) |
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c | SHA-256 | Cobalt Strike Beacon malware |
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 | SHA-256 | Cobalt Strike Beacon malware |
usaid.theyardservice[.]com | Domain | Subdomain used to distribute ISO file |
worldhomeoutlet[.]com | Domain | Subdomain in Cobalt Strike C2 |
dataplane.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
cdn.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
static.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
192[.]99[.]221[.]77 | IP address | IP resolved to by worldhomeoutlet[.]com |
83[.]171[.]237[.]173 | IP address | IP resolved to by *theyardservice[.]com |
theyardservice[.]com | Domain | Actor controlled domain |
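As an added example (not part of the advisory), the Python below refangs a subset of the IOCs from the table, compiles a matcher for each, and scans constructed mail-gateway and proxy log lines for them; domain indicators also match their subdomains, since the table lists *theyardservice[.]com. The log lines, user names and URL paths are constructed for illustration.

```python
import re

# Subset of the advisory's IOC table, kept defanged as published.
IOCS = {
    "ashainfo[@]usaid[.]gov": "Spoofed email account",
    "mhillary[@]usaid[.]gov": "Spoofed email account",
    "usaid.theyardservice[.]com": "Subdomain used to distribute ISO file",
    "theyardservice[.]com": "Actor controlled domain",
    "worldhomeoutlet[.]com": "Subdomain in Cobalt Strike C2",
    "192[.]99[.]221[.]77": "IP resolved to by worldhomeoutlet[.]com",
    "83[.]171[.]237[.]173": "IP resolved to by *theyardservice[.]com",
}

def refang(ioc):
    """Turn the defanged indicator back into the literal value to match."""
    return ioc.replace("[.]", ".").replace("[@]", "@")

def build_matchers(iocs):
    """Compile one regex per IOC: emails and IPs match exactly,
    domains also match any subdomain (e.g. cdn.theyardservice.com)."""
    matchers = []
    for raw, desc in iocs.items():
        value = refang(raw)
        if "@" in value:
            pattern = r"(?<![\w.])" + re.escape(value) + r"(?![\w.])"
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value):
            pattern = r"(?<![\d.])" + re.escape(value) + r"(?![\d.])"
        else:
            pattern = r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(value) + r"(?![\w.-])"
        matchers.append((raw, desc, re.compile(pattern, re.IGNORECASE)))
    return matchers

def scan(lines, matchers):
    """Return (line_number, defanged_ioc, description) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for raw, desc, rx in matchers:
            if rx.search(line):
                hits.append((n, raw, desc))
    return hits

# Constructed sample log lines (mail gateway and web proxy), not real captures.
SAMPLE_LOGS = [
    "2021-05-25T10:01:02Z mta from=<ashainfo@usaid.gov> to=<user@example.org> subject='Special Alert'",
    "2021-05-25T10:03:11Z proxy user=jdoe GET https://usaid.theyardservice.com/download/attachment.iso",
    "2021-05-25T10:05:40Z proxy user=jdoe CONNECT 192.99.221.77:443",
    "2021-05-25T10:06:00Z proxy user=asmith GET https://www.example.com/index.html",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_matchers(IOCS)):
        print(hit)
```

Line 2 produces two hits, one for the distribution subdomain and one for the parent actor-controlled domain, which is the behaviour wanted when an unlisted subdomain of theyardservice.com appears later.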