Monday, September 1, 2025

Amazon Stops Russian APT29 Watering Hole Attack

Amazon’s threat intelligence team has thwarted a watering hole attack that sought to exploit Microsoft authentication flows.

The campaign was attributed to the Russian nation-state aligned group, APT29.

In a post published on August 29, CJ Moses, Amazon’s CISO, shared details of the campaign, which his team identified after discovering domain names controlled by APT29.

A watering hole attack is a targeted cyber campaign in which attackers compromise a website commonly visited by a specific user group and redirect its visitors to malicious infrastructure. The aim is to deliver malware, harvest credentials or conduct cyber espionage.

In this case, Amazon identified various legitimate websites that were compromised with JavaScript code that redirected approximately 10% of visitors to APT29-controlled domains.

The goal was to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow.

These domains, including findcloudflare[.]com, mimicked Cloudflare verification pages to appear legitimate.

“There was no compromise of Amazon Web Services (AWS) systems, nor was there a direct impact observed on AWS services or infrastructure,” Moses wrote.

The code analysis revealed multiple evasion techniques designed to avoid detection, including randomized redirections, base64 encoding and persistent cookies.

Additionally, when defenses blocked the malicious infrastructure, the threat actors quickly pivoted to new domains and servers, maintaining operational resilience.
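As an added, defender-side example that is not part of this article or of Amazon’s report: a small Python heuristic that flags script content showing the evasion traits the article names (a random-gated redirect, a base64-hidden URL, a persistent cookie) or a URL pointing at the APT29 domain it cites. The sample script is constructed for illustration and is not the real injected code, which the page does not reproduce.

```python
import base64
import re

# Domain named in the article (defanged there); undefanged here for matching.
KNOWN_BAD_DOMAINS = {d.replace("[.]", ".") for d in {"findcloudflare[.]com"}}

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")       # base64-looking literals
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")       # captures the host part


def decode_base64_strings(script: str) -> list[str]:
    """Return the text of every base64-looking literal that decodes to printable ASCII."""
    out = []
    for m in B64_RE.finditer(script):
        token = m.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # ordinary identifiers usually fail here; that is the filter
        if text.isprintable():
            out.append(text)
    return out


def analyze_script(script: str) -> dict:
    """Indicators mirroring the evasion traits described: random gating, base64, cookies."""
    decoded = decode_base64_strings(script)
    hosts = {h.lower() for t in [script, *decoded] for h in URL_RE.findall(t)}
    return {
        "randomized_redirect": bool(re.search(r"Math\.random\(\)\s*<", script))
        and bool(re.search(r"location(\.href)?\s*=|location\.replace", script)),
        "base64_hidden_url": any(URL_RE.search(t) for t in decoded),
        "persistent_cookie": "document.cookie" in script
        and re.search(r"expires=|max-age=", script, re.I) is not None,
        "known_bad_host": bool(hosts & KNOWN_BAD_DOMAINS),
        "hosts": sorted(hosts),
    }


def is_suspicious(script: str) -> bool:
    """A known-bad host alone is decisive; otherwise require two of the three traits."""
    r = analyze_script(script)
    traits = ("randomized_redirect", "base64_hidden_url", "persistent_cookie")
    return r["known_bad_host"] or sum(r[k] for k in traits) >= 2


# Constructed sample: a minimal stand-in for the injected snippet, built at runtime
# so the URL is carried base64-encoded just as the article says the real code did.
ENCODED_URL = base64.b64encode(b"https://findcloudflare.com/verify").decode()
SAMPLE = (
    "document.cookie='seen=1; expires=Fri, 31 Dec 2027 23:59:59 GMT; path=/';"
    "if(Math.random()<0.1){location.href=atob('" + ENCODED_URL + "');}"
)
```

Run it over scripts pulled from pages you administer; a hit on `known_bad_host` or two of the three traits is worth a manual look, not proof of compromise.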

APT29 Expands Targeting Beyond Government Members

APT29 is an established cyber threat group known by many names, including Midnight Blizzard, Cozy Bear, Nobelium and The Dukes.

Believed to be linked to Russia’s foreign intelligence service (SVR), APT29 has been active since at least 2013.

The group is known for specializing in espionage and intelligence-gathering operations against governments and critical industries but has recently been observed expanding its target scope.

It was reportedly involved in several spear-phishing campaigns, including a wine-tasting-themed phishing attack targeting European diplomats in April 2025 and a campaign targeting Keir Giles, a British expert on Russian information operations, in June 2025.

According to Amazon’s threat intelligence team, this new watering hole attack “illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts.”
