High-volume campaigns from APT attacker TA422 exploit Microsoft Outlook vulnerability. And a seasonal threat update on our weekly podcast.
This week on The Threat Hub: Our researchers dig into recent activity by TA422, an advanced persistent threat (APT) actor associated with Russian military intelligence. These phishing campaigns, conducted between March and November 2023, featured unusually high volumes of malicious email for an APT actor, involving as many as 10,000 messages. The attacks targeted a diverse range of industries, including the government, aerospace and technology sectors, and were notable for having a daily cadence during the late summer period.
In these campaigns, TA422 made use of CVE-2023-23397, a privilege escalation vulnerability in Microsoft Outlook. Messages contained an appointment attachment with a fake file extension to make it look like another file type, such as CSV, Word or Excel. If the appointment attachment was read by a vulnerable version of Outlook, the victim’s NTLM security credentials could be exposed. Over the eight-month period, TA422 evolved its tactics several times, using Mockbin and InfinityFree for redirection, and also exploiting a vulnerability in WinRAR. For a detailed technical analysis and a list of IoCs, check out the full blog post.
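One defensive check that follows from the lure described above is to compare an attachment's claimed extension with its actual content. The example below is added here and is not Proofpoint's code; it assumes the appointment attachment is an Outlook item (an OLE compound file) or an iCalendar text part, while its filename claims to be CSV, Word or Excel, and the sample message it scans is constructed inline.

```python
"""Flag e-mail attachments whose claimed extension disagrees with their content."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of an OLE compound file (.msg/.doc/.xls) and of a ZIP (OOXML .docx/.xlsx).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify(data: bytes) -> str:
    """Coarse content kind from the first bytes (heuristic, an assumption of this example)."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip().upper().startswith(b"BEGIN:VCALENDAR"):
        return "ical"
    printable = all(b in b"\r\n\t" or 32 <= b < 127 for b in data[:512])
    return "text" if printable else "binary"


# Content kinds a file with the given extension should actually have.
EXPECTED = {"csv": {"text"}, "txt": {"text"}, "docx": {"zip"}, "xlsx": {"zip"},
            "doc": {"ole"}, "xls": {"ole"}, "msg": {"ole"}, "ics": {"ical"}}


def suspicious_attachments(raw: bytes) -> list:
    """Return (filename, claimed_ext, observed_kind) for every mismatched attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = classify(part.get_payload(decode=True) or b"")
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            findings.append((name, ext, kind))
    return findings


def build_sample() -> bytes:
    """Constructed message: an OLE blob named as if it were a CSV, plus a genuine CSV."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "report"
    m.set_content("see attached")
    m.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                     subtype="octet-stream", filename="report.csv")
    m.add_attachment(b"a,b\n1,2\n", maintype="text", subtype="csv", filename="real.csv")
    return m.as_bytes()
```

Run `suspicious_attachments(build_sample())` to see only the mislabelled OLE attachment reported; the same function can be pointed at a real .eml read from disk.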
And on this week’s Five-Minute Forecast, U.S. authorities take action against North Korean cybercriminals, TrickBot developer faces 35 years in prison after guilty plea, and senior threat intelligence analyst Selena Larson shares an update on seasonal threats.

This advanced persistent threat (APT) group, linked to Russian military intelligence, launched an unusual series of campaigns earlier this year. Message volumes were high compared with typical APT activity, and the campaigns sought to exploit a vulnerability in Microsoft Outlook.
Equip your team with threat intelligence
Go Deeper with Proofpoint Threat Intelligence Services
Connect with threat analysts, understand threats with intelligence specific to your situation, and gain 24/7 visibility into the latest threat discoveries.
Cyber attackers target people. They exploit people. Ultimately, they are people. That's why people—not technology—are the most critical variable in today’s cyber threats. This year, the 2023 Human Factor report takes an even closer look at new developments in the threat landscape, focusing on the combination of technology and psychology that makes the modern attack chain so dangerous.
About The Threat Research Team
Our threat researchers are responsible for tracking shifts in the cybersecurity landscape, identifying new attacks as they emerge, and monitoring how threat actor tactics, techniques and procedures change over time. The threats they detect and the signatures they write feed into our platforms and are keystones in a system that analyzes more than 2.6 billion emails, 49 billion URLs and 1.9 billion attachments every single day.
By studying what cyber criminals are doing now, our threat researchers are better able to anticipate what they’ll do next. Every day, their work keeps our customers protected—not just from today’s attacks, but tomorrow’s threats as they evolve.
