{
	"id": "0e1e19ee-224b-482e-bbb1-b9b7846eae6a",
	"created_at": "2026-04-06T00:18:53.604049Z",
	"updated_at": "2026-04-10T03:37:49.749863Z",
	"deleted_at": null,
	"sha1_hash": "ddfa18cbecd6285746a58d6aa34832e076113306",
	"title": "STRONTIUM: Detecting new patterns in credential harvesting | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169053,
	"plain_text": "STRONTIUM: Detecting new patterns in credential harvesting | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2020-09-10 · Archived: 2026-04-05 13:07:47 UTC\r\nMicrosoft has tied STRONTIUM to a newly uncovered pattern of Office 365 credential harvesting activity aimed at US and UK organizations directly involved in political elections. Analysts from Microsoft Threat Intelligence Center (MSTIC) and Microsoft Identity Security have been tracking this new activity since April 2020. Credential harvesting is a known tactic used by STRONTIUM to obtain valid credentials that enable future surveillance or intrusion operations. Subsequent analysis revealed that between September 2019 and June 2020, STRONTIUM launched credential harvesting attacks against tens of thousands of accounts at more than 200 organizations. In the two weeks between August 18 and September 3, the same attacks targeted 6,912 accounts belonging to 28 organizations. None of these accounts were successfully compromised.\r\nNot all the targeted organizations were election-related. However, we felt it important to highlight a potential emerging threat to the 2020 US Presidential Election and future electoral contests in the UK.\r\nMicrosoft CVP of Customer Security and Trust, Tom Burt, provided additional details on this campaign in his recent On The Issues blog post. The purpose of this post is to provide defenders in any organization, but especially those directly or indirectly affiliated with electoral systems, insight into the technical nature of this activity. By providing these details, we hope to enable better defense against future attacks and share best practices for securing cloud environments against this type of activity.\r\nTactical Details\r\nSTRONTIUM relied heavily upon spear phishing in its credential harvesting efforts leading up to the 2016 US presidential election. 
In 2016, spear-phishing was the most common tactic for stealing credentials from targeted accounts. This time around, STRONTIUM appears to be taking a different approach, namely brute-force/password-spray tooling. This shift in tactics, also made by several other nation-state actors, allows them to execute large-scale credential harvesting operations in a more anonymized manner. The tooling STRONTIUM is using routes its authentication attempts through a pool of approximately 1,100 IPs, the majority associated with the Tor anonymizing service. This pool of infrastructure has evolved over time, with an average of approximately 20 IPs added to and removed from it per day. STRONTIUM’s tooling alternates its authentication attempts amongst this pool of IPs approximately once per second. Considering the breadth and speed of this technique, it seems likely that STRONTIUM has adapted its tooling to use an anonymizer service to obfuscate its activity, evade tracking, and avoid attribution.\r\nDuring the two-week period, August 19 – September 3, STRONTIUM’s credential harvesting tooling utilized a daily average of 1,294 IPs associated with 536 netblocks and 273 ASNs. Of these netblocks, some were much more heavily utilized by the tooling than others, both in terms of the total number of authentications attempted from them and the total number of IPs utilized within them.\r\nhttps://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/\r\nPage 1 of 4\r\nFigure 1 represents the five netblocks from which the highest number of total auth attempts were observed. As highlighted in the table, several of these netblocks had much higher IP utilization rates than the rest. 
This observed behavior indicates that the underlying anonymization services providing the infrastructure backbone for STRONTIUM auth attempts are, in a sense, over-serving IPs in these specific netblocks.\r\nFigure 1: Highest volume netblocks used in STRONTIUM auth attempts.\r\nThe fact that the anonymization service is over-serving specific netblocks gives defenders an opportunity to hunt for activity associated either with this STRONTIUM campaign or with other malicious tooling that uses the same anonymization service. The following Azure Sentinel query (GitHub link) is designed to identify failed authentication attempts from the three highest-signal, highest-utilization netblocks highlighted above, and group the results by UserAgent.\r\nMicrosoft Threat Protection (MTP) also provides a platform for users to identify failed authentication attempts. The following query will give MTP users the ability to hunt and address these threats as well:\r\nMSTIC has observed that the STRONTIUM tooling operates in two modes when targeting accounts: brute-force and password-spray.\r\nIn password-spray mode, the tooling attempts username:password combinations in a low-and-slow manner. Organizations targeted by the tooling running in this mode typically see approximately four authentication attempts per hour per targeted account over the course of several days or weeks, with nearly every attempt originating from a different IP address.\r\nIn brute-force mode, the tooling attempts many username:password combinations very rapidly over a much shorter time period. 
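As an added example that is not part of the Microsoft post or its hunting queries, the following Python script shows how a defender could apply the two tooling modes just described to their own sign-in logs. It parses a constructed comma-separated log (timestamp, user, source IP, user agent, result), buckets failed sign-ins per account and hour, counts attempts and distinct source IPs, labels a bucket password-spray when a handful of attempts each arrive from a different IP, and labels it brute-force when attempts climb into the hundreds within one hour. It also reports the share of tenant accounts that were hit and counts failures from a watch-list of netblocks grouped by user agent, the hunt the report suggests for over-served netblocks. The thresholds, the log format, the netblocks (RFC 5737 documentation ranges, not the netblocks in Figure 1) and every record are assumptions constructed for this example; make_sample fabricates a low-and-slow spray and a fast brute-force run so the script runs offline.

```python
# Added example, not code from the Microsoft post. Thresholds, log format,
# netblocks and records below are assumptions constructed for the demo.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds modelled on the per-account rates reported for each mode.
SPRAY_MAX_PER_HOUR = 10     # spray: a few attempts per account per hour
BRUTE_MIN_PER_HOUR = 300    # brute force: hundreds of attempts per account per hour
DISTINCT_IP_RATIO = 0.8     # spray: nearly every attempt comes from a different IP

# Assumed watch-list (RFC 5737 documentation ranges, not the report's netblocks).
WATCHED_NETBLOCKS = [ipaddress.ip_network('203.0.113.0/24'),
                     ipaddress.ip_network('198.51.100.0/24')]

TS_FMT = '%Y-%m-%dT%H:%M:%S'


def parse_line(line):
    '''Parse one constructed log line: timestamp,user,source_ip,user_agent,result.'''
    ts, user, ip, ua, result = line.strip().split(',')
    return {'ts': datetime.strptime(ts, TS_FMT), 'user': user,
            'ip': ip, 'ua': ua, 'result': result}


def classify_failures(records):
    '''Map (user, hour) -> (attempts, distinct_ips, mode) over failed sign-ins only.'''
    buckets = defaultdict(list)
    for r in records:
        if r['result'] != 'failure':
            continue
        buckets[(r['user'], r['ts'].strftime('%Y-%m-%dT%H:00'))].append(r['ip'])
    out = {}
    for key, ips in buckets.items():
        attempts, distinct = len(ips), len(set(ips))
        if attempts >= BRUTE_MIN_PER_HOUR:
            mode = 'brute-force'          # fast: hundreds of attempts in an hour
        elif 1 < attempts <= SPRAY_MAX_PER_HOUR and distinct >= DISTINCT_IP_RATIO * attempts:
            mode = 'password-spray'       # low and slow, each try from a new IP
        else:
            mode = 'unclassified'         # e.g. one user mistyping from one IP
        out[key] = (attempts, distinct, mode)
    return out


def targeted_share(records, all_accounts):
    '''Fraction of tenant accounts with at least one failed sign-in.'''
    hit = {r['user'] for r in records if r['result'] == 'failure'}
    return len(hit & set(all_accounts)) / len(all_accounts)


def hunt_watched_netblocks(records):
    '''Count failed sign-ins sourced from watched netblocks, grouped by user agent.'''
    counts = defaultdict(int)
    for r in records:
        if r['result'] != 'failure':
            continue
        addr = ipaddress.ip_address(r['ip'])
        if any(addr in net for net in WATCHED_NETBLOCKS):
            counts[r['ua']] += 1
    return dict(counts)


def make_sample():
    '''Constructed records: a low-and-slow spray plus a fast brute-force run.'''
    base = datetime(2020, 8, 20, 9, 0, 0)
    lines, n = [], 0
    # Spray: 5 accounts, 4 attempts per hour each for 3 hours, every try from a
    # new IP that alternates between a watched and an unwatched netblock.
    for hour in range(3):
        for u in range(5):
            for k in range(4):
                ts = base + timedelta(hours=hour, minutes=15 * k, seconds=u)
                block = '203.0.113.' if n % 2 == 0 else '192.0.2.'
                lines.append('%s,user%d@example.org,%s%d,LegacyMailClient/1.0,failure'
                             % (ts.strftime(TS_FMT), u, block, n % 254 + 1))
                n += 1
    # Brute force: one account, 340 attempts inside one hour from 200 watched IPs.
    for k in range(340):
        ts = base + timedelta(hours=5, seconds=10 * k)
        lines.append('%s,admin@example.org,198.51.100.%d,ScriptedClient/2.0,failure'
                     % (ts.strftime(TS_FMT), k % 200 + 1))
    # One legitimate success, which the detections must ignore.
    lines.append('%s,user0@example.org,192.0.2.200,Mozilla/5.0,success'
                 % (base + timedelta(hours=1)).strftime(TS_FMT))
    return [parse_line(line) for line in lines]


if __name__ == '__main__':
    recs = make_sample()
    for (user, hour), (attempts, distinct, mode) in sorted(classify_failures(recs).items()):
        if mode != 'unclassified':
            print(hour, user, attempts, 'attempts from', distinct, 'IPs ->', mode)
    print('share of accounts targeted:', targeted_share(recs, [r['user'] for r in recs]))
    print('watched netblock failures by user agent:', hunt_watched_netblocks(recs))
```

Running this against a real sign-in export only needs parse_line adapted to the export's columns; the bucketing and the netblock hunt are format-independent. Treat the thresholds as starting points and tune them against the tenant's own baseline of ordinary failed sign-ins, since the report's figures are averages across many organizations; the brute-force threshold in particular should sit well above any legitimate client's retry rate, because that mode is the loud one.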
Organizations targeted by the tooling running in brute-force mode typically see over 300 authentication attempts per hour per targeted account over the course of several hours or days.\r\nTooling Operating Mode | Avg # of Attempts Per Account Per Hour | Avg # of IPs Utilized for Auth Attempts Per Account Per Hour | Avg Length of Attack\r\nPassword-Spray | 4 | 4 | Days-Weeks\r\nBrute-Force | 335 | 200 | Hours-Days\r\nOrganizations targeted by STRONTIUM using this tooling saw auth attempts against an average of 20% of their total accounts. In some instances, MSTIC assesses the tooling may have discovered these accounts simply by attempting authentications against a large number of possible account names until it found ones that were valid.\r\nGuidance: Proactive defense\r\nThere are some very simple steps businesses and targeted individuals can take to significantly improve the security of their accounts and make these types of attacks much more difficult.\r\n1. Enable multi-factor authentication\r\nWe have seen clear proof that enabling multi-factor authentication (MFA) across both business and personal email accounts successfully thwarts the majority of credential harvesting attacks. Our colleagues in Azure Active Directory put it more precisely:\r\n“… doing any form of MFA takes you out of reach of most attacks. MFA (using any mechanism) is just too costly to break – unless a highly motivated attacker is after that high-value account or asset.”\r\nBlog: Your password doesn’t matter—but MFA does!\r\nHowever, most enterprise accounts have not implemented this simple protection:\r\n“When we evaluate all the tokens issued with MFA claims, we see that less than 10% of users use MFA per month in our enterprise accounts (and that includes on-premises and third-party MFA). 
Until MFA is more broadly adopted, there is little reason for attackers to evolve.”\r\nBlog: All your creds are belong to us!\r\n2. Actively monitor failed authentications\r\nWhen monitoring login activity in your accounts, look for any discernible patterns in failed authentications and track them over time. Password spray is an increasingly common tactic of nation-state actors. You can also maintain broader visibility into behavioral anomalies such as failed login attempts by running detections and monitoring with Microsoft Cloud App Security (MCAS), which monitors user sessions for third-party cloud apps, including G Suite, AWS, and Salesforce. The MCAS detection engine looks for anomalous user activity as an indicator of compromise. One indicator, “multiple failed login attempts,” can be used to build a dynamic baseline per user across the tenant and alert on anomalous login behavior that may represent an active brute-force or password-spray attack.\r\nMicrosoft Threat Protection (MTP) can automatically assemble an incident view that links the identities compromised by password spray to the attacker’s later use of them to expand the breach to endpoint or cloud assets.\r\n3. Test your organization’s resilience\r\nAttack Simulator in Office 365 ATP lets you run realistic but simulated phishing and password attack campaigns in your organization. Pick a password and then run the campaign against as many users as you want. The results will let you know how many people are using that password. Use the data to train users and build your custom list of banned passwords.\r\nSource: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"
	],
	"report_names": [
		"strontium-detecting-new-patters-credential-harvesting"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434733,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddfa18cbecd6285746a58d6aa34832e076113306.pdf",
		"text": "https://archive.orkl.eu/ddfa18cbecd6285746a58d6aa34832e076113306.txt",
		"img": "https://archive.orkl.eu/ddfa18cbecd6285746a58d6aa34832e076113306.jpg"
	}
}