Profiling Laundry Bear: Tactics, History & Defenses

June 5, 2025

This post is part of our ongoing series on cloud-focused threat actors, designed to increase visibility and awareness of their methods, bolster your defenses, and help close the gap between traditional cyber threat intelligence (CTI) and cloud security. Each installment will spotlight some well-known and lesser-known adversaries in the cloud, providing a concise profile, mapped TTPs, and an incident response checklist.

Summary

  • Threat Actor: Laundry Bear (Russia-nexus), a.k.a. Void Blizzard
  • Motivation: State-affiliated espionage
  • Targeting: Microsoft 365 and Entra ID environments; sectors hit include government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare.
  • Attack Types: Pass-the-cookie attacks, QR code phishing, Evilginx-based AitM phishing, password spraying, and data theft from Microsoft 365 services such as Teams, SharePoint, and Exchange Online.
  • Defenses: Phishing-resistant MFA, short session lifetimes with device-bound tokens, real-time monitoring of sign-in and audit logs, and endpoint security to stop the infostealer malware that feeds the cookie and credential markets.

Overview

Laundry Bear is assessed with high confidence to be a Russian state-affiliated threat actor focused on espionage against Western interests, particularly NATO/EU states and organizations supporting Ukraine’s war effort. Active since at least 2024, the group targets government, defense, aerospace, and NGOs, leveraging stolen credentials from criminal marketplaces and QR code phishing to infiltrate Microsoft 365 environments. 

A documented earlier operation targeted the Dutch police in September 2024 and netted work-related contact details for nearly 65,000 police employees. The intrusion started with a session cookie bought on a criminal marketplace, where it had been listed after infostealer malware harvested it from a victim's browser. Replaying that cookie let the actor act as the authenticated user and download the organization's Global Address List (GAL), the directory that Exchange Online maintains automatically and that lists every mail-enabled object in the tenant.

The threat actor's tradecraft is almost entirely cloud-centric: it lives off Microsoft 365 itself, pulling data from Exchange Online, SharePoint, and Teams through legitimate interfaces. Notable are QR code phishing, the Evilginx framework for Adversary-in-the-Middle (AitM) phishing, which proxies the real sign-in page so that both the credentials and the resulting session cookie are captured, and a reliance on credentials and cookies bought from the cybercrime ecosystem. Password spraying is automated and spread across time and residential proxy addresses so that individual failures blend into normal sign-in noise.

TTPs

All of the details below are also available in our GitHub repository, which provides background on each observed technique along with corresponding MITRE ATT&CK mappings, making it easy to map these insights directly to your cloud logs.

Overview of TTPs for Laundry Bear

Threat Techniques Table (Tactic | ATT&CK ID and Technique | Procedure and context)

  • Initial Access | T1078 Valid Accounts | The threat actor signs in with stolen credentials, often bought on criminal marketplaces, to valid accounts (Exchange Online, OWA). In the Dutch police intrusion the entry point was a stolen session cookie replayed in a pass-the-cookie attack.
  • Initial Access | T1566.001 Phishing: Spearphishing Attachment | Spear-phishing emails carry PDF attachments with QR codes that lead to typosquatted domains spoofing the Microsoft Entra sign-in page for credential theft.
  • Persistence / Privilege Escalation | T1098.002 Account Manipulation: Additional Email Delegate Permissions | The actor grants additional delegate permissions on compromised mailboxes to keep access to the Microsoft 365 environment, with particular interest in accounts that administer other accounts.
  • Credential Access | T1557 Adversary-in-the-Middle | The Evilginx framework is used for AitM phishing: the victim's login to Microsoft cloud services (e.g., Entra ID) is proxied through the actor's site, which captures the credentials and the resulting session cookie.
  • Credential Access | T1539 Steal Web Session Cookie | The actor steals or buys session cookies, typically harvested by infostealer malware and sold on criminal marketplaces, and replays them to authenticate to Microsoft services without the password or an MFA prompt (as in the Dutch police case).
  • Credential Access | T1110.003 Password Spraying | Common passwords (e.g., "password123", "qwerty") are tried across many accounts, spread over time and source addresses, to stay below lockout and detection thresholds in Microsoft 365.
  • Discovery | T1087 Account Discovery | The actor downloads the Global Address List (GAL) via Exchange Web Services (EWS), yielding a complete list of mail-enabled users for follow-on targeting.
  • Collection | T1114.002 Remote Email Collection | Emails are collected at scale from Exchange Online through EWS or OWA, targeting sensitive information.
  • Collection | T1213.002 Data from Information Repositories: SharePoint | The actor steals files, and credentials stored in them, from SharePoint, including by exploiting known SharePoint vulnerabilities.
  • Collection | T1213.005 Data from Information Repositories: Messaging Applications | Microsoft Teams conversations are read for intelligence gathering.
  • Command and Control | T1090 Proxy | Residential proxies are used so that the actor's traffic arrives from consumer ISP addresses and blends in with legitimate user activity.
  • Exfiltration | T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Collected data is exfiltrated from the cloud environment over an unencrypted, non-C2 protocol such as HTTP to actor-controlled locations, with the data encoded in transit.
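As an added example, not code from the original post or from the Invictus GitHub repository, the following Python runs detection logic for two rows of the table above, the delegate-permission persistence (T1098.002) and the bulk EWS mail collection (T1114.002), over constructed Exchange Online Unified Audit Log records. The record shapes are a reduced version of the AuditData JSON that Search-UnifiedAuditLog returns; the users, mailboxes, IPs, the approved-admin set and the item threshold are all assumptions for illustration.

```python
"""
Added example: detection over constructed Unified Audit Log records (AuditData
fields reduced to what is used here) for delegate grants (T1098.002) and bulk
mailbox reads over EWS (T1114.002). All values below are assumptions.
"""
from collections import defaultdict

# Constructed sample records (not real tenant data).
AUDIT_RECORDS = [
    {   # Helpdesk grants a colleague FullAccess to a shared mailbox: a normal change.
        "CreationTime": "2025-05-20T07:55:00", "RecordType": 1, "Workload": "Exchange",
        "Operation": "Add-MailboxPermission", "UserId": "helpdesk@example.org",
        "ClientIP": "198.51.100.10", "ObjectId": "shared-finance@example.org",
        "Parameters": [{"Name": "Identity", "Value": "shared-finance@example.org"},
                       {"Name": "User", "Value": "dana@example.org"},
                       {"Name": "AccessRights", "Value": "FullAccess"}],
    },
    {   # A non-admin account grants itself FullAccess to an executive mailbox
        # from an address outside the corporate range: persistence via delegation.
        "CreationTime": "2025-05-20T09:12:00", "RecordType": 1, "Workload": "Exchange",
        "Operation": "Add-MailboxPermission", "UserId": "alice@example.org",
        "ClientIP": "192.0.2.77", "ObjectId": "ceo@example.org",
        "Parameters": [{"Name": "Identity", "Value": "ceo@example.org"},
                       {"Name": "User", "Value": "alice@example.org"},
                       {"Name": "AccessRights", "Value": "FullAccess"}],
    },
    {   # Minutes later the same account syncs the executive's Inbox over EWS.
        "CreationTime": "2025-05-20T09:20:00", "RecordType": 50, "Workload": "Exchange",
        "Operation": "MailItemsAccessed", "UserId": "alice@example.org",
        "MailboxOwnerUPN": "ceo@example.org", "ClientIPAddress": "192.0.2.77",
        "ClientInfoString": "Client=WebServices;ExchangeServicesClient/0.0.0.0;",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "OperationCount": 1, "Folders": [{"Path": "\\Inbox"}],
    },
    {   # The owner reading a few of their own messages in OWA: normal.
        "CreationTime": "2025-05-20T09:25:00", "RecordType": 50, "Workload": "Exchange",
        "Operation": "MailItemsAccessed", "UserId": "ceo@example.org",
        "MailboxOwnerUPN": "ceo@example.org", "ClientIPAddress": "198.51.100.10",
        "ClientInfoString": "Client=OWA;Action=ViaProxy",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "OperationCount": 3, "Folders": [{"Path": "\\Inbox"}],
    },
]

DELEGATION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission", "Add-MailboxFolderPermission"}
HIGH_RIGHTS = ("FullAccess", "SendAs", "Owner", "Editor")


def _params(rec, key="Parameters"):
    """Flatten the Name/Value list the audit log uses into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get(key, [])}


def find_delegate_grants(records, approved_admins):
    """T1098.002: high-privilege delegate grants made by anyone outside the
    approved admin set, or where the grantee is the actor itself (self-grant)."""
    findings = []
    for rec in records:
        if rec["Operation"] not in DELEGATION_OPS:
            continue
        p = _params(rec)
        rights, grantee = p.get("AccessRights", ""), p.get("User", "")
        if not any(r in rights for r in HIGH_RIGHTS):
            continue
        self_grant = grantee.lower() == rec["UserId"].lower()
        if self_grant or rec["UserId"].lower() not in approved_admins:
            findings.append({"time": rec["CreationTime"], "actor": rec["UserId"],
                             "mailbox": p.get("Identity", rec["ObjectId"]), "grantee": grantee,
                             "rights": rights, "ip": rec.get("ClientIP"), "self_grant": self_grant})
    return findings


def find_bulk_mail_access(records, min_items=500):
    """T1114.002: per (actor, mailbox, client, IP), flag sessions that synced whole
    folders (MailAccessType Sync), were throttled, or bound many items. A Sync
    record does not carry an item count, so it counts as bulk on its own."""
    totals, reasons = defaultdict(int), defaultdict(set)
    for rec in records:
        if rec["Operation"] != "MailItemsAccessed":
            continue
        props = _params(rec, "OperationProperties")
        client = rec.get("ClientInfoString", "").split(";", 1)[0]   # e.g. "Client=WebServices"
        key = (rec["UserId"], rec["MailboxOwnerUPN"], client, rec.get("ClientIPAddress"))
        totals[key] += int(rec.get("OperationCount", 0))
        if props.get("MailAccessType") == "Sync":
            reasons[key].add("folder sync")
        if props.get("IsThrottled") == "True":
            reasons[key].add("throttled (more than 1000 access records in 24h)")
    findings = []
    for key, count in totals.items():
        if count >= min_items:
            reasons[key].add(f"{count} items bound")
        if reasons[key]:
            actor, mailbox, client, ip = key
            findings.append({"actor": actor, "mailbox": mailbox, "client": client, "ip": ip,
                             "delegate": actor.lower() != mailbox.lower(),
                             "reasons": sorted(reasons[key])})
    return findings


if __name__ == "__main__":
    for f in find_delegate_grants(AUDIT_RECORDS, approved_admins={"helpdesk@example.org"}):
        print("delegate grant:", f)
    for f in find_bulk_mail_access(AUDIT_RECORDS):
        print("bulk mail access:", f)
```

The two checks are meant to be joined on actor and source IP: a self-grant followed within minutes by a folder sync of the newly delegated mailbox from the same address is the persistence-then-collection sequence the table describes, and the ClientIP on the grant is the pivot back into the Entra sign-in logs.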

Incident Response Steps

Here are several practical, universal, and high-impact steps to prepare for and respond to cloud-based attacks, including the TTPs mentioned above (this list isn’t exhaustive, but it highlights key areas where defenders can focus their efforts):

  1. Session Cookie Theft: Detect and respond to pass-the-cookie attacks that replay stolen session cookies.
    • Investigate: In the Entra ID sign-in logs, look for successful sign-ins whose authentication requirement is multifactor but whose authentication details read "MFA requirement satisfied by claim in the token", arriving from an IP address, ASN, or browser the user has never completed an MFA challenge from. A replayed cookie never produces an MFA prompt, so that claim is all the log will show. Then check endpoint telemetry on the user's devices for infostealer activity (reads of browser cookie and credential stores, unknown processes uploading archives), since that is where the cookie was most likely taken.
    • Harden: Shorten session lifetime with a Conditional Access sign-in frequency policy (e.g., 24 hours for unmanaged devices) and enable token protection, which binds sign-in sessions to the device they were issued on so a copied cookie fails elsewhere; it currently covers only supported Windows clients and selected workloads, so verify coverage before relying on it. Turn on Continuous Access Evaluation so that revoking a user's sessions, or use of a token from outside an allowed location, stops an already-issued token within minutes rather than at expiry. When replay is confirmed, reset the password and revoke the user's refresh tokens and sign-in sessions; access tokens already issued stay valid until they expire unless CAE is enforced.
  2. Phishing and AitM Activity: Identify and respond to QR code phishing and Evilginx-based AitM attacks targeting credentials.
    • Investigate: Search email security logs for PDF attachments carrying QR codes; URL rewriting and link scanning do not see a URL that lives inside an image, so decode the QR payload and check the domain. Check DNS and web proxy logs for resolution of typosquatted Microsoft sign-in domains (sign-in logs record the source IP, not the site the user visited). In the sign-in logs an AitM session appears as a successful MFA sign-in from the proxy's address, typically a hosting or residential proxy range rather than the user's usual network, followed by mailbox or file activity from that same address.
    • Harden: Deploy phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business); these credentials are bound to the legitimate origin, so a challenge proxied through an Evilginx lookalike domain cannot complete. Block known typosquatted domains via DNS filtering, and require a compliant or hybrid-joined device in Conditional Access so a session captured on the attacker's proxy is rejected.
  3. GAL and Account Discovery: Catch unauthorized access to the GAL and prevent follow-on attacks like password spraying.
    • Investigate: Look for Exchange Online sign-ins from non-browser clients (Exchange Web Services, unusual user agents) at IPs new to the user, then review sign-in logs for distributed failures (error 50126, invalid username or password) spread across many accounts with only one or two attempts each, from a single source or across many residential proxy addresses; that pattern indicates the downloaded list is being sprayed.
    • Harden: Disable EWS for mailboxes that do not need it (Set-CASMailbox -EWSEnabled $false) or restrict it to approved applications with the EwsApplicationAccessPolicy and EwsAllowList settings on Set-OrganizationConfig, and plan migrations off EWS, which Microsoft is retiring for Exchange Online in October 2026. Enforce the Entra Password Protection banned-password list so sprayed values like "password123" are rejected when set, keep smart lockout enabled, and disable inactive accounts.
  4. Microsoft 365 Data Access: Detect and respond to unauthorized data theft from Teams, SharePoint, and Exchange Online.
    • Investigate: Examine the Unified Audit Log for anomalous data access: MailItemsAccessed records whose MailAccessType is Sync (a whole folder was downloaded) or that are marked throttled, high volumes of FileDownloaded and FileSyncDownloadedFull events in SharePoint and OneDrive, and MessagesListed and MessageRead operations in Teams, all keyed on actor, source IP, and client. Correlate with network logs for large transfers to IPs the organization does not normally talk to.
    • Harden: Implement data loss prevention (DLP) policies in Microsoft 365 to block sensitive data transfers. Apply least-privilege access to Teams and SharePoint sites, limit downloads from unmanaged devices with a session control, and patch known vulnerabilities.
  5. Audit Accounts: Identify and respond to unauthorized delegate permissions or account modifications used for persistence.
    • Investigate: Review the Unified Audit Log for Add-MailboxPermission, Add-RecipientPermission, and Add-MailboxFolderPermission operations, especially FullAccess or SendAs grants made by a non-admin, grants where actor and grantee are the same account, or grants on mailboxes the actor has no business with. Correlate the actor's ClientIP with the sign-in logs to find the session that made the change.
    • Harden: Enforce role-based access control (RBAC) in Exchange Online so ordinary users cannot grant mailbox permissions, set up automated audits or alert policies that flag permission changes, and restrict administrative actions to trusted workflows and approved processes (e.g., roles activated through Privileged Identity Management).
Simple IR Runbook for Laundry Bear
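As an added example, not code from the original post or from the Invictus repository, the following Python runs the sign-in log checks from runbook items 1 and 3 over constructed Entra ID sign-in records. Field names follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, status.errorCode, authenticationDetails); the "Previously satisfied" method label, the users, IPs, timestamps, and the spray thresholds are assumptions for illustration.

```python
"""
Added example: two sign-in log checks over constructed Entra ID records.
  item 1: cookie/token replay, a successful sign-in whose MFA requirement was
          "satisfied by claim in the token" from an IP where the user has never
          completed an explicit MFA challenge
  item 3: password spraying, one source IP failing with a wrong password (50126)
          against many distinct accounts, one or two attempts each
All data and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%SZ"
WRONG_PASSWORD_CODES = {50126, 50053}   # invalid credentials; account locked by smart lockout


def _rec(upn, ip, when, error=0, details=(), app="Office 365 Exchange Online"):
    """Build a reduced Graph-style signIn record (constructed sample data)."""
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": when,
            "appDisplayName": app, "status": {"errorCode": error},
            "authenticationDetails": list(details)}


PASSWORD_OK = {"authenticationMethod": "Password", "succeeded": True,
               "authenticationStepResultDetail": "Correct password"}
MFA_APP = {"authenticationMethod": "Mobile app notification", "succeeded": True,
           "authenticationStepResultDetail": "MFA completed in Azure AD"}
MFA_CLAIM = {"authenticationMethod": "Previously satisfied", "succeeded": True,
             "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}

# Constructed sample: 198.51.100.10 is the office egress, 192.0.2.77 an unknown
# residential-proxy address, 203.0.113.45 a spraying source.
SIGNINS = [
    _rec("alice@example.org", "198.51.100.10", "2025-05-20T08:00:00Z", details=[PASSWORD_OK, MFA_APP]),
    _rec("bob@example.org",   "198.51.100.10", "2025-05-20T08:05:00Z", details=[PASSWORD_OK, MFA_APP]),
    _rec("bob@example.org",   "198.51.100.10", "2025-05-20T08:40:00Z", details=[MFA_CLAIM]),   # same IP: fine
    _rec("alice@example.org", "192.0.2.77",    "2025-05-20T09:10:00Z", details=[MFA_CLAIM]),   # replayed cookie
    _rec("carol@example.org", "198.51.100.10", "2025-05-20T09:30:00Z", error=50126),          # typo, not a spray
    _rec("carol@example.org", "198.51.100.10", "2025-05-20T09:31:00Z", error=50126),
    _rec("carol@example.org", "198.51.100.10", "2025-05-20T09:32:00Z", details=[PASSWORD_OK, MFA_APP]),
] + [
    _rec(f"user{n:02d}@example.org", "203.0.113.45", f"2025-05-20T10:{3 * n:02d}:00Z", error=50126)
    for n in range(12)
]


def _explicit_mfa(details):
    """True when an MFA method actually completed during this sign-in."""
    return any(d["succeeded"] and d["authenticationMethod"] not in ("Password", "Previously satisfied")
               for d in details)


def detect_token_replay(signins):
    """Runbook item 1. Build, per user, the set of IPs where an explicit MFA
    challenge succeeded; flag later MFA-by-claim sign-ins from any other IP.
    A replayed cookie never produces an MFA prompt, so the claim is all that shows."""
    baseline, findings = defaultdict(set), []
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        if rec["status"]["errorCode"] != 0:
            continue
        upn, ip, details = rec["userPrincipalName"], rec["ipAddress"], rec["authenticationDetails"]
        if _explicit_mfa(details):
            baseline[upn].add(ip)
            continue
        by_claim = any("claim in the token" in d.get("authenticationStepResultDetail", "") for d in details)
        if by_claim and ip not in baseline[upn]:
            findings.append({"user": upn, "ip": ip, "time": rec["createdDateTime"], "app": rec["appDisplayName"]})
    return findings


def detect_password_spray(signins, window=timedelta(hours=1), min_users=10, max_per_user=2):
    """Runbook item 3. Per source IP, slide a window over wrong-password failures;
    many distinct users with at most a couple of attempts each is a spray, while
    one user failing repeatedly is a forgotten password or a brute force."""
    by_ip = defaultdict(list)
    for rec in signins:
        if rec["status"]["errorCode"] in WRONG_PASSWORD_CODES:
            by_ip[rec["ipAddress"]].append((datetime.strptime(rec["createdDateTime"], ISO), rec["userPrincipalName"]))
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        for start, _ in events:
            users = [u for t, u in events if start <= t < start + window]
            if len(set(users)) >= min_users and max(users.count(u) for u in set(users)) <= max_per_user:
                findings.append({"ip": ip, "window_start": start.strftime(ISO),
                                 "distinct_users": len(set(users)), "attempts": len(users)})
                break   # one finding per source IP is enough to open a case
    return findings


if __name__ == "__main__":
    for f in detect_token_replay(SIGNINS):
        print("possible pass-the-cookie:", f)
    for f in detect_password_spray(SIGNINS):
        print("possible password spray:", f)
```

Grouping by source IP catches the noisy case; for the low-and-slow variant run through residential proxies, where each attempt comes from a different consumer address, group the same failures by user agent or by the set of targeted accounts instead and widen the window to a day. The replay check keys on IP for brevity; in production, baseline on ASN and browser fingerprint as well, since a proxy in the same city as the user will share neither.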

For additional security considerations and detection queries, see the AIVD & MIVD's Cyber Advisory on a new Russian cyber actor and Microsoft's New Russia-affiliated actor Void Blizzard targets critical sectors for espionage.

Next Steps & Getting Help

If you spot any of these TTPs or indicators in your environment, or just want to become incident-ready in the cloud, contact our team. We’ll help you tighten your M365 and Entra ID defenses, refine your playbooks, and stay ahead of Laundry Bear or other cloud-focused adversaries.

About Invictus Incident Response

We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!

🆘 Incident Response support reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7