A QR code in a PDF file seems like a genuine invitation. Correct? Well, more than 20 NGOs throughout Europe and the United States just discovered how wrong that assumption could be. They landed on a counterfeit Microsoft login page and voluntarily gave their credentials to Russian hackers.
This was not some careless spam email. This was an orchestrated spear-phishing campaign, built with planning, fake branding, carefully crafted imagery, and an insidious tool known as Evilginx. And it worked.
Let’s break down how this happened, what it means for you, and how to prevent yourself from being the next victim.
What Happened to the NGOs?
Void Blizzard, or Laundry Bear, is a Russian state-sponsored threat actor who developed a phishing campaign directed toward NGOs, defense agencies, the healthcare industry, and even a police unit in the Netherlands. Their motivation was not ransom or financial gain, but rather espionage.
How did they do it?
They sent fake event invitations as a polished PDF styled to look like it came from a European defense summit, with a malicious QR code embedded in the document. The attackers were not after ransom or money; they were after intelligence.
When recipients scanned the QR code, it took them to a fake Microsoft Entra login page hosted on a domain resembling microsoftonline[.]com. The lookalike differed from the real domain by only a subtle character change, the kind that is easy to miss at a glance.
The attackers were using Evilginx, a phishing kit that can bypass MFA and capture a person’s active session. Because the kit relays the victim’s traffic to the real sign-in service, the login flow the user sees is indistinguishable from the authentic one.
Once a user entered credentials on the fake page, the attacker gained access to everything in that user’s Microsoft environment: email, Teams conversations, files in SharePoint, and the user’s Entra ID profile information.
Why Phishing Works and Will Keep Working
Phishing is still one of the top ways attackers get in. Not because the technology isn’t working, but because humans are trusting. Even a trained employee sometimes thinks, “Well, it’s a Microsoft sign-in page; it must be legit.”
And then there are tools like Evilginx, which let an attacker conduct high-level espionage with very little operational effort.
Should Your Company Avoid Clicking Any Links?
Not every link is safe, but refusing to click anything at all would grind your operation to a halt. Keep in mind:
- QR codes are not safe. They are an attack vector whenever users cannot see where the code actually points before scanning it.
- Fake logins are getting smarter. A single substituted or missing character, such as a zero in place of the “o” in Microsoft, is all it takes, and the attackers are in.
- Credential theft = full access. It’s not just about the act of logging in. Once attackers are in, they hoover up everything they can get quickly—email, files, chats, calendar invites, etc.
- Your team is the last line of defense. Firewalls will not stop a person from scanning a QR code with their own device.
What Should You Consider Doing to Create a Defense?
Phishing is no longer just about shady links. It’s now about adversary-in-the-middle kits that imitate Microsoft down to the pixel. If you’re accountable for security, these are the measures you should be putting in place:
- Block known typosquatted domains: Domains like microsoftonline[.]com need to show up on your deny list for a start. You will also want to monitor for more domains.
- Revisit and refresh your phishing training: If your phishing training is lacking in training on malicious QR codes in PDFs, it’s already out of date.
- Enable phishing-resistant MFA: Not all MFA is created equal. Push-based MFA (such as a phone prompt) is becoming increasingly vulnerable to AitM attacks. Instead, utilize FIDO2 security keys or number-matching prompts wherever possible.
- Log session token usage: Watch for impossible travel or session reuse from untrusted IPs. A pass-the-cookie attack does not generate a new login event, but it does show up as unusual session activity.
- Audit Entra ID configurations: Attackers are using tools such as AzureHound to examine and map out your identity structure. Ensure that roles and app permissions have very narrow scopes.
- Use conditional access policies: Block logins from suspicious countries or require compliant devices to access sensitive resources.
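One way to put the lookalike-domain check into practice, as an added example that is not code from the original post or from any vendor: it folds common homoglyph substitutions such as the zero-for-“o” swap described above, then flags any host that embeds or sits within two edits of the protected login domain. The protected-domain set and the sample URLs are constructed for illustration, not indicators from the campaign.

```python
from urllib.parse import urlparse

# Assumption: the legitimate domains your users sign in to (registrable part only).
PROTECTED = {"microsoftonline.com", "microsoft.com"}

# Common look-alike substitutions seen in typosquats: zero for "o", one for "l",
# "rn" for "m", "vv" for "w". Folding them makes "micros0ft" compare as "microsoft".
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]

def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (adequate for .com examples)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def normalize(text: str) -> str:
    """Fold homoglyph substitutions so visually similar strings compare equal."""
    for fake, real in HOMOGLYPHS:
        text = text.replace(fake, real)
    return text

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a hostname seen in a URL or log."""
    host = host.lower().strip(".")
    dom = registrable(host)
    if dom in PROTECTED:
        return "legit"
    label = normalize(dom.split(".")[0])
    for brand in PROTECTED:
        name = brand.split(".")[0]
        # Brand name buried anywhere in the host (decoy subdomains) or the
        # registrable label within two edits of it after homoglyph folding.
        if name in normalize(host) or edit_distance(label, name) <= 2:
            return "lookalike"
    return "unrelated"

SAMPLE_URLS = [  # constructed examples for illustration only
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://micros0ftonline.com/login",
    "https://login.microsoftonline.com.evil-example.net/",
    "https://example.com/invite.pdf",
]

def scan(urls):
    """Map each URL to its classification; feed this from proxy or DNS logs."""
    return {u: classify(urlparse(u).hostname or "") for u in urls}
```

In production, replace the naive registrable() with a public-suffix-aware library and feed scan() from your proxy or DNS logs rather than the constructed list.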
Final Thought
Void Blizzard did not target people randomly. They targeted NGOs, law enforcement, and support networks for NATO. Next time, it could be your finance lead. Or your cloud admin. Or your CEO.
That is why it’s important to:
- Conduct realistic phishing simulations (yes, even QR-based phishing).
- Train employees to detect subtle impersonation attempts.
- Detect lookalike domains and typosquatted login pages in real time.
- Monitor for reused stolen credentials across a variety of cloud services.