Amazon’s threat intelligence team has thwarted a watering hole attack which sought to exploit Microsoft authentication flows.

The campaign was attributed to APT29, a Russian nation-state-aligned group.

In a post published on August 29, CJ Moses, Amazon’s CISO, shared details of the campaign, which his team identified after discovering domain names controlled by APT29.

A watering hole attack is a targeted cyber campaign in which hackers compromise a website commonly visited by a specific user group and redirect users to malicious infrastructure. The aim is to deliver malware, harvest credentials or conduct cyber espionage.

In this case, Amazon identified various legitimate websites that were compromised with JavaScript code that redirected approximately 10% of visitors to APT29-controlled domains.

The goal was to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow.