Affidavit in Support of Application for Criminal Complaint
A Russia-aligned threat group named Void Blizzard conducted a large-scale cyber espionage campaign targeting multiple U.S. companies between June and July 2024. The campaign involved mass email harvesting and unauthorized access to Office 365 environments using stolen session tokens, proxy services, and VPNs. Denis Nikolayevich Obrezko, a Russian national, was identified by the FBI as facilitating these intrusions by providing critical infrastructure such as virtual private servers and domain registrations. Eleven U.S. companies have confirmed unauthorized access, with many more suspected victims nationwide.
AI Analysis
Technical Summary
The FBI investigation uncovered that Denis Nikolayevich Obrezko facilitated cyber intrusions by the Russia-aligned threat group Void Blizzard. The group targeted multiple U.S. companies across sectors in a cyber espionage campaign involving mass email harvesting and unauthorized access to Office 365 environments. Attackers used stolen session tokens combined with proxy and VPN infrastructure to authenticate and exfiltrate data. Obrezko was linked to the campaign through cryptocurrency transactions, email accounts, phone numbers, and IP addresses associated with the malicious infrastructure. Eleven companies confirmed breaches, indicating a widespread campaign.
Potential Impact
Unauthorized access to Office 365 environments allowed the threat actors to exfiltrate sensitive data from multiple U.S. companies. The use of stolen session tokens and proxy infrastructure enabled stealthy authentication and data theft. The campaign represents a significant espionage threat to U.S. corporate and critical infrastructure sectors, with confirmed breaches in at least eleven companies and likely many more affected.
Mitigation Recommendations
No specific patch or remediation is available, as this campaign relies on stolen credentials and attacker-controlled infrastructure rather than a software flaw. Organizations should review and strengthen their Office 365 session management and authentication controls, including monitoring for unusual session token usage and implementing multi-factor authentication. Since this is not a cloud service vulnerability, remediation depends on organizational security controls. Patch status is not yet confirmed; check vendor advisories for any updates related to Office 365 security.
Indicators of Compromise
- domain: lnstagram.com
- domain: ebsummlt.eu
- domain: miscrsosoft.com
- ip: 172.86.75.235
- url: http://lnstagram.com/wlsperrrrr/
- domain: ffice365.com
- domain: micsroft.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cyberscoop.com/wp-content/uploads/sites/3/2026/06/11-1.pdf
- Adversary: Void Blizzard
- Pulse ID: 6a2b2411d3d3323a465da4c0
- Threat Score: null
Threat ID: 6a3052ca0b89be688882696a
Added to database: 6/15/2026, 7:30:18 PM
Last enriched: 6/15/2026, 8:31:12 PM
Last updated: 6/15/2026, 8:42:13 PM