2025-07-21


Russian state-backed hackers are reportedly targeting Microsoft 365 users. According to the UK’s National Cyber Security Centre (NCSC), a stealthy malware called Authentic Antics is being used in targeted attacks that focus on stealing login credentials and tokens from services like Outlook, SharePoint, and OneDrive.

The malware has been linked to APT28, also known as Fancy Bear or Forest Blizzard, a threat actor tied to Russia’s military intelligence agency, the GRU. While the malware was first detected in 2023, it’s now being publicly linked to this group for the first time.

How it works

NCSC explains that Authentic Antics likely spreads through phishing emails or malicious Outlook add-ins. Once installed, it quietly waits for the right moment to trick users with fake Microsoft login windows that look almost identical to the real ones.

These popups are highly selective; they appear only on PCs that APT28 is specifically targeting. If a victim enters their credentials, the malware sends them out to the attackers through the victim’s own mailbox. To avoid detection, it then deletes the sent messages.
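The exfiltration pattern above (a message sent from the victim's own mailbox and then deleted shortly afterwards) is something a defender can hunt for in mailbox audit data. The following is an added illustration, not code from NCSC or Windows Report: it runs a simple send-then-hard-delete heuristic over constructed, simplified audit events. Field names such as Operation, MailboxOwnerUPN, CreationTime and ClientInfoString mirror Exchange mailbox auditing, but the flat ItemId field and all values are assumptions made for this example; real exports nest item identifiers differently.

```python
"""Hunt for sent items that are hard-deleted from the same mailbox
within a short window, a pattern consistent with mailbox-based
credential exfiltration followed by cleanup.

Added example; the audit record layout below is a simplified
assumption, not the real Unified Audit Log schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (values invented for this example).
SAMPLE_EVENTS = [
    {"CreationTime": "2025-07-01T09:00:00", "Operation": "Send",
     "MailboxOwnerUPN": "alice@example.com", "ItemId": "item-100",
     "ClientInfoString": "Client=OWA"},
    {"CreationTime": "2025-07-01T09:03:10", "Operation": "Send",
     "MailboxOwnerUPN": "bob@example.com", "ItemId": "item-200",
     "ClientInfoString": "Client=Outlook"},
    {"CreationTime": "2025-07-01T09:03:14", "Operation": "HardDelete",
     "MailboxOwnerUPN": "bob@example.com", "ItemId": "item-200",
     "ClientInfoString": "Client=Outlook"},
    {"CreationTime": "2025-07-01T10:30:00", "Operation": "HardDelete",
     "MailboxOwnerUPN": "alice@example.com", "ItemId": "item-100",
     "ClientInfoString": "Client=OWA"},
    {"CreationTime": "2025-07-01T11:00:00", "Operation": "Send",
     "MailboxOwnerUPN": "carol@example.com", "ItemId": "item-300",
     "ClientInfoString": "Client=Outlook"},
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def find_send_then_delete(events, window=timedelta(minutes=5)):
    """Return one alert per (mailbox, item) where a Send is followed by a
    HardDelete of the same item from the same mailbox within `window`.

    A user hard-deleting an old sent message hours later is normal and is
    not flagged; a delete seconds after the send is the suspicious case.
    """
    pending_sends = {}  # (mailbox, item id) -> the Send event
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["CreationTime"])):
        key = (ev["MailboxOwnerUPN"], ev["ItemId"])
        if ev["Operation"] == "Send":
            pending_sends[key] = ev
        elif ev["Operation"] == "HardDelete" and key in pending_sends:
            sent = pending_sends.pop(key)
            gap = _ts(ev["CreationTime"]) - _ts(sent["CreationTime"])
            if gap <= window:
                alerts.append({
                    "mailbox": key[0],
                    "item": key[1],
                    "seconds_between": gap.total_seconds(),
                    "client": ev["ClientInfoString"],
                })
    return alerts


def mailboxes_with_repeated_hits(alerts, minimum=1):
    """Group alerts by mailbox so repeated occurrences can be prioritised."""
    counts = {}
    for alert in alerts:
        counts[alert["mailbox"]] = counts.get(alert["mailbox"], 0) + 1
    return {mb: n for mb, n in counts.items() if n >= minimum}


if __name__ == "__main__":
    for alert in find_send_then_delete(SAMPLE_EVENTS):
        print(alert)
```

Tuning the window and excluding known bulk-cleanup clients keeps the false-positive rate manageable; on real data the same logic would be applied per mailbox over an export of mailbox audit events rather than the in-memory sample here.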

Who’s being targeted?

The campaign appears to focus on organizations supporting Ukraine, including:

Tech firms using Microsoft’s cloud services

NATO government agencies

Logistics and transport companies

Border infrastructure like smart cameras tracking shipments

The UK government has responded by sanctioning 18 GRU officers and three military units involved in the operation.