{"id":12754,"date":"2025-06-11T14:18:17","date_gmt":"2025-06-11T08:48:17","guid":{"rendered":"https:\/\/threatcop.com\/blog\/?p=12754"},"modified":"2025-06-16T14:21:15","modified_gmt":"2025-06-16T08:51:15","slug":"espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages","status":"publish","type":"post","link":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/","title":{"rendered":"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">A QR code in a PDF file seems like a genuine invitation. Correct? Well, more than 20 NGOs throughout Europe and the United States just discovered how wrong that assumption could be. They landed on a counterfeit Microsoft login page and voluntarily gave their credentials to Russian hackers.&nbsp;<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">This was not some careless spam email. This was an orchestrated spear-phishing campaign, built with planning, fake branding, carefully crafted imagery, and an insidious tool known as Evilginx. And it worked.&nbsp;<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Let&#8217;s break down how this happened, what it means for you, and how to avoid being the next victim.&nbsp;<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Happened_to_the_NGOs\"><\/span><span style=\"color: #000000;\"><b>What Happened to the NGOs?<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Void Blizzard, also known as Laundry Bear, is a Russian state-sponsored threat actor that developed a phishing campaign directed at NGOs, defense agencies, the healthcare industry, and even a police unit in the Netherlands. Their motivation was not ransom or financial gain, but rather espionage.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><b><i>How did they do it?<\/i><\/b><\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">They sent fake event invites and used a snazzy PDF that suggested they were from a European defense summit. They put a <a href=\"https:\/\/threatcop.com\/blog\/qr-code-scam\/\">malicious QR code<\/a> in the PDF. 
Hackers weren\u2019t looking for ransom or money; they were looking for intelligence.\u00a0<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">When targets scanned the QR code, it took them to a fake Microsoft Entra login page hosted on a domain that looked like <\/span><b>microsoftonline[.]com<\/b><span style=\"font-weight: 400;\">. You can see the cut-and-paste mistake in the domain.<\/span><\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">The hackers used Evilginx, a phishing kit that can bypass MFA and capture a person&#8217;s active session. The kit presents a login process that completely mirrors the authentic login process.&nbsp;<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">When users enter credentials into the fake login page, the hacker captures everything in that user\u2019s Microsoft environment, including emails, Teams conversations, files in SharePoint, etc., and the user\u2019s Entra ID information.&nbsp;<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_Phishing_Works_and_Will_Keep_Working\"><\/span><span style=\"color: #000000;\"><b>Why Phishing Works and Will Keep Working<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Phishing is still one of the top ways attackers get in. Not because tech isn\u2019t working, but because humans are trusting. Even a trained employee sometimes thinks, &#8220;Well, it&#8217;s a Microsoft sign; it must be legit.&#8221;<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">And then there are tools like Evilginx, which let an attacker conduct high-level espionage with little to no operational effort.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Should_Your_Company_Avoid_Clicking_Any_Links\"><\/span><span style=\"color: #000000;\"><b>Should Your Company Avoid Clicking Any Links?<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Not every link is safe, but refusing to click any link at all, legitimate ones included, would really slow your operations. Keep in mind:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400; color: #000000;\">QR codes are not safe. They are an attack vector when users don&#8217;t know how to check where the QR code leads.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Fake logins are getting smarter. 
It only takes one misplaced or missing character, such as a zero in place of the &#8220;o&#8221; in Microsoft, and the attackers are in.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Credential theft = full access. It&#8217;s not just about the act of logging in. Once attackers are in, they quickly hoover up everything they can get: email, files, chats, calendar invites, etc.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Your team is the last line of defense. Firewalls will not stop a person from scanning a QR code with their own device.<\/span><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Should_You_Consider_Doing_to_Create_a_Defense\"><\/span><span style=\"color: #000000;\"><b>What Should You Consider Doing to Create a Defense?<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\"><a href=\"https:\/\/threatcop.com\/blog\/what-is-phishing-how-to-prevent-it\/\">Phishing<\/a> is no longer just about shady links. It&#8217;s now about adversary-in-the-middle kits that imitate Microsoft down to the pixel. If you&#8217;re accountable for security, consider the following steps:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"color: #000000;\"><b>Block known typosquatted domains: <\/b><span style=\"font-weight: 400;\">Domains that imitate microsoftonline[.]com need to be on your deny list for a start. You will also want to monitor for additional lookalike domains.<\/span><\/span><\/li>\n\n\n\n<li><span style=\"color: #000000;\"><b>Revisit and refresh your phishing training: <\/b><span style=\"font-weight: 400;\">If your phishing training doesn&#8217;t cover malicious QR codes in PDFs, it&#8217;s already out of date.<\/span><\/span><\/li>\n\n\n\n<li><span style=\"color: #000000;\"><b>Enable phishing-resistant MFA: <\/b><span style=\"font-weight: 400;\">Not all MFA is created equal. Push-based MFA (such as a phone prompt) is becoming increasingly vulnerable to AitM attacks. Instead, use FIDO2 security keys or number-matching prompts wherever possible.<\/span><\/span><\/li>\n\n\n\n<li><span style=\"color: #000000;\"><b>Log session token usage: <\/b><span style=\"font-weight: 400;\">Watch for impossible travel or session reuse from untrusted IPs. A pass-the-cookie attack will not trigger a login prompt, but it will show unusual session activity.<\/span><\/span><\/li>\n\n\n\n<li><span style=\"color: #000000;\"><b>Audit Entra ID configurations:<\/b><span style=\"font-weight: 400;\"> Attackers are using tools such as AzureHound to examine and map out your identity structure. Ensure that roles and app permissions have very narrow scopes.<\/span><\/span><\/li>\n\n\n\n<li><span style=\"color: #000000;\"><b>Use conditional access policies: <\/b><span style=\"font-weight: 400;\">Block logins from suspicious countries or require compliant devices to access sensitive resources.<\/span><\/span><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Final_Thought\"><\/span><span style=\"color: #000000;\"><b>Final Thought<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Void Blizzard did not target people randomly. They targeted NGOs, law enforcement, and support networks for NATO. Next time, it could be your finance lead. Or your cloud admin. 
Or your CEO.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">That is why it\u2019s important to&nbsp;<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400; color: #000000;\">Conduct realistic phishing simulations (yes, even <a href=\"https:\/\/threatcop.com\/blog\/what-is-qr-phishing\/\">QR-based phishing<\/a>).<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Train employees to detect subtle impersonation attempts.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Detect lookalike domains and typosquatted login pages in real time.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Monitor for reused stolen credentials across a variety of cloud services.<\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A QR code in a PDF file seems like a genuine invitation. Correct? Well, more than 20 NGOs throughout Europe and the United States just discovered how wrong that assumption could be. They landed on a counterfeit Microsoft login page and voluntarily gave their credentials to Russian hackers.&nbsp; This was not some careless spam email. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":12755,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41,284],"tags":[386],"class_list":["post-12754","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-attacks","category-news-and-digest","tag-espionage-via-qr-code"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages\" \/>\n<meta property=\"og:description\" content=\"A QR code in a PDF file seems like a genuine invitation. Correct? Well, more than 20 NGOs throughout Europe and the United States just discovered how wrong that assumption could be. They landed on a counterfeit Microsoft login page and voluntarily gave their credentials to Russian hackers.&nbsp; This was not some careless spam email. 
[&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/\" \/>\n<meta property=\"og:site_name\" content=\"Threatcop\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-11T08:48:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-16T08:51:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/06\/Copy-of-Blog-Banner-2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Threatcop\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatcop\" \/>\n<meta name=\"twitter:site\" content=\"@threatcop\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Threatcop\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/\"},\"author\":{\"name\":\"Threatcop\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/person\\\/e4db27ffd37219d73fc6b40cc9d45cfa\"},\"headline\":\"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages\",\"datePublished\":\"2025-06-11T08:48:17+00:00\",\"dateModified\":\"2025-06-16T08:51:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/\"},\"wordCount\":815,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/Copy-of-Blog-Banner-2.jpg\",\"keywords\":[\"Espionage via QR Code\"],\"articleSection\":[\"Cyber Attacks\",\"News and 
Digest\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/\",\"name\":\"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/Copy-of-Blog-Banner-2.jpg\",\"datePublished\":\"2025-06-11T08:48:17+00:00\",\"dateModified\":\"2025-06-16T08:51:15+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/#primaryimage\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/Copy-of-Blog-Ban
ner-2.jpg\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/Copy-of-Blog-Banner-2.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"Espionage via QR Code\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\",\"name\":\"Threatcop\",\"description\":\"Cybersecurity Blogs, News, Updates, and Articles\",\"publisher\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\",\"name\":\"Threatcop\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/threatcop-logo-black-1.png\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/threatcop-logo-black-1.png\",\"width\":432,\"height\":102,\"caption\":\"Threatcop\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\
":[\"https:\\\/\\\/www.facebook.com\\\/people\\\/Threatcop\\\/100083109892339\\\/\",\"https:\\\/\\\/x.com\\\/threatcop\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/threatcop\\\/\",\"https:\\\/\\\/www.instagram.com\\\/threatcop_official\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/person\\\/e4db27ffd37219d73fc6b40cc9d45cfa\",\"name\":\"Threatcop\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/avatar_user_1_1696398433.jpeg\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/avatar_user_1_1696398433.jpeg\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/avatar_user_1_1696398433.jpeg\",\"caption\":\"Threatcop\"},\"sameAs\":[\"https:\\\/\\\/threatcop.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/","og_locale":"en_US","og_type":"article","og_title":"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages","og_description":"A QR code in a PDF file seems like a genuine invitation. Correct? Well, more than 20 NGOs throughout Europe and the United States just discovered how wrong that assumption could be. They landed on a counterfeit Microsoft login page and voluntarily gave their credentials to Russian hackers.&nbsp; This was not some careless spam email. 
[&hellip;]","og_url":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/","og_site_name":"Threatcop","article_publisher":"https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/","article_published_time":"2025-06-11T08:48:17+00:00","article_modified_time":"2025-06-16T08:51:15+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/06\/Copy-of-Blog-Banner-2.jpg","type":"image\/jpeg"}],"author":"Threatcop","twitter_card":"summary_large_image","twitter_creator":"@threatcop","twitter_site":"@threatcop","twitter_misc":{"Written by":"Threatcop","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/#article","isPartOf":{"@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/"},"author":{"name":"Threatcop","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/person\/e4db27ffd37219d73fc6b40cc9d45cfa"},"headline":"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages","datePublished":"2025-06-11T08:48:17+00:00","dateModified":"2025-06-16T08:51:15+00:00","mainEntityOfPage":{"@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/"},"wordCount":815,"commentCount":0,"publisher":{"@id":"https:\/\/threatcop.com\/blog\/#organization"},"image":{"@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/#primaryimage"},"thumbnailUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/06\/Copy-of-Blog-Banner-2.jpg","keywords":["Espionage via QR Code"],"articleSection":["Cyber Attacks","News and 
Digest"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/","url":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/","name":"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages","isPartOf":{"@id":"https:\/\/threatcop.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/#primaryimage"},"image":{"@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/#primaryimage"},"thumbnailUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/06\/Copy-of-Blog-Banner-2.jpg","datePublished":"2025-06-11T08:48:17+00:00","dateModified":"2025-06-16T08:51:15+00:00","breadcrumb":{"@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/#primaryimage","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/06\/Copy-of-Blog-Banner-2.jpg","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/06\/Copy-of-Blog-Banner-2.jpg","width":1920,"height":1080,"caption":"Espionage via QR 
Code"},{"@type":"BreadcrumbList","@id":"https:\/\/threatcop.com\/blog\/espionage-via-qr-code-russian-hackers-breach-20-ngos-via-phony-microsoft-login-pages\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/threatcop.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Espionage via QR Code: Russian Hackers Breach 20+ NGOs via Phony Microsoft Login Pages"}]},{"@type":"WebSite","@id":"https:\/\/threatcop.com\/blog\/#website","url":"https:\/\/threatcop.com\/blog\/","name":"Threatcop","description":"Cybersecurity Blogs, News, Updates, and Articles","publisher":{"@id":"https:\/\/threatcop.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/threatcop.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/threatcop.com\/blog\/#organization","name":"Threatcop","url":"https:\/\/threatcop.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/06\/threatcop-logo-black-1.png","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/06\/threatcop-logo-black-1.png","width":432,"height":102,"caption":"Threatcop"},"image":{"@id":"https:\/\/threatcop.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/","https:\/\/x.com\/threatcop","https:\/\/www.linkedin.com\/company\/threatcop\/","https:\/\/www.instagram.com\/threatcop_official\/"]},{"@type":"Person","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/person\/e4db27ffd37219d73fc6b40cc9d45cfa","name":"Threatcop","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/10\/avatar_user_1_1696398
433.jpeg","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/10\/avatar_user_1_1696398433.jpeg","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/10\/avatar_user_1_1696398433.jpeg","caption":"Threatcop"},"sameAs":["https:\/\/threatcop.com"]}]}},"_links":{"self":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/12754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/comments?post=12754"}],"version-history":[{"count":2,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/12754\/revisions"}],"predecessor-version":[{"id":12758,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/12754\/revisions\/12758"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/media\/12755"}],"wp:attachment":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/media?parent=12754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/categories?post=12754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/tags?post=12754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}