This threat involves a targeted phishing campaign attributed to Russian hackers who have successfully breached over 20 non-governmental organizations (NGOs) by leveraging Evilginx, a sophisticated man-in-the-middle phishing framework. Evilginx enables attackers to intercept authentication tokens and session cookies by proxying legitimate login pages, thereby bypassing traditional multi-factor authentication (MFA) protections. In this campaign, the attackers created fake Microsoft Entra login pages, which are designed to mimic Microsoft's identity and access management platform, to deceive users into entering their credentials. Once credentials and session tokens are captured, attackers can gain unauthorized access to the victims' accounts and internal resources. The use of Evilginx indicates a high level of technical sophistication, as it allows attackers to harvest session cookies in real-time, enabling persistent access without triggering typical security alerts that rely on password-based detection. The campaign specifically targeted NGOs, which often hold sensitive data and have strategic importance in geopolitical contexts. Although no specific affected software versions or patches are mentioned, the attack vector is social engineering combined with advanced phishing infrastructure. The lack of known exploits in the wild suggests this is a relatively new or emerging threat, but the impact on compromised organizations can be significant due to the nature of the access gained.

For European organizations, particularly NGOs, this threat poses a substantial risk to confidentiality and integrity of sensitive information. NGOs often handle data related to human rights, political advocacy, and humanitarian efforts, making them attractive targets for state-sponsored or politically motivated attackers. Successful breaches can lead to exposure of confidential communications, donor information, and strategic plans, potentially undermining organizational missions and endangering individuals associated with these groups. The use of Evilginx to bypass MFA significantly increases the risk of unauthorized access, as traditional security controls may be insufficient to detect or prevent these intrusions. Additionally, compromised accounts can be used as footholds for further lateral movement within networks, leading to broader organizational compromise. The reputational damage and potential regulatory consequences under GDPR for data breaches further amplify the impact on European NGOs. Given the geopolitical tensions involving Russia and Europe, these attacks may also be part of broader intelligence or disruption campaigns targeting civil society organizations.

To mitigate this threat, European NGOs and similar organizations should implement advanced anti-phishing defenses beyond standard MFA. This includes deploying phishing-resistant authentication methods such as hardware security keys (e.g., FIDO2/WebAuthn) that are not susceptible to session hijacking. User education should focus on recognizing sophisticated phishing attempts, including verifying URLs and using out-of-band verification for sensitive logins. Organizations should enable conditional access policies that restrict access based on device compliance and network location. Monitoring for anomalous login behavior and session anomalies can help detect compromised accounts early. Implementing Security Information and Event Management (SIEM) solutions with behavioral analytics can provide alerts on suspicious activities. Regularly reviewing and revoking active sessions and tokens, especially after suspicious events, reduces the window of attacker persistence. Finally, organizations should conduct phishing simulation exercises tailored to advanced threats like Evilginx to improve user resilience.