WhitepaperGlobal

BlueDelta Campaign Steals Logins Across Major Platforms

Insights Desk, January 8, 2026

Throughout 2025, BlueDelta, a Russian state-sponsored threat group linked to the GRU, Russia’s military intelligence agency, substantially expanded the scope of its credential-harvesting activity.

Between February and September the group ran numerous phishing campaigns designed to trick users of Google, Sophos VPN, and Microsoft Outlook Web Access (OWA) into handing over their login credentials.

The campaigns show the group’s continued focus on harvesting credentials from government officials, energy-sector employees, and researchers across Europe and Eurasia.

The attacks are a clear evolution of BlueDelta’s long-standing credential-phishing tradecraft, which the group has used against vulnerable organizations since the mid-2000s.

The group concentrates mainly on organizations involved in government communications networks, defense cooperation, and energy research.

The latest attacks show greater sophistication in BlueDelta’s use of custom code, multi-stage delivery, and realistic-looking lure documents, all intended to slip past security controls and build the victim’s confidence.

Recorded Future researchers identified the campaign after its second deployment phase and documented the technical methods behind each attack.

The researchers found that BlueDelta relies mostly on free hosting and tunneling services, including Webhook.site, InfinityFree, Byet Internet hosts, and ngrok, to host the fake login pages and automatically collect the stolen credentials.

Building on disposable services keeps the infrastructure flexible and cheap to stand up and abandon. For defenders it also means the collection endpoints are subdomains or paths on widely used shared services, so blocking those services outright carries collateral risk and indicators have to be tracked at the subdomain or path level.

BlueDelta’s infection chain is a carefully staged series of redirects designed to harvest user information while appearing legitimate.

When a victim clicks a phishing link, they are first shown an authentic-looking PDF document attributed to an institution such as the Gulf Research Center.

After the document has been displayed for roughly two seconds, the page redirects to a fake login portal that mimics the real Microsoft, Google, or Sophos interface.

The phishing page uses JavaScript functions to collect victim data methodically.

The script reads the victim’s email address from the URL parameters and sends a “page-opened” beacon containing that address, the victim’s IP address, and browser details to BlueDelta’s collection server.

When the victim enters credentials, additional JavaScript captures the username and password and sends them to the attacker-controlled endpoint in an HTTP POST request.

The technique is especially effective because BlueDelta manipulates the URL shown in the browser’s address bar.

After the credentials are submitted, the path displayed on the phishing domain changes to /owa/ or /pdfviewer?pdf=browser, reinforcing the impression of a genuine application interface. The host name in the address bar is still the phishing domain at this point, so it remains the one reliable visual tell.

The page then redirects to the targeted organization’s genuine PDF or login portal, leaving the victim with the impression that they completed a normal authentication flow.
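The chain described above leaves a recognizable sequence in web-proxy logs: a GET to a lure page on disposable hosting whose query string carries the target’s email address, two POSTs (the page-opened beacon and the credentials) to a collection endpoint on the same kind of service, and a hand-off GET to the victim organization’s real portal seconds later. The following hunt script is an added example, not code from the article or from Recorded Future; the log format, the sample log lines, every host name in them, and the list of disposable-hosting suffixes are constructed or assumed for illustration.

```python
"""Hunt for the BlueDelta-style redirect-and-harvest chain in web proxy logs.
Added example, not code from the article or from Recorded Future: the log
format, sample lines, host names and disposable-hosting suffixes are all
constructed or assumed for illustration."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed suffixes for the free hosting/tunneling services the article names;
# extend from your own intel feeds.
DISPOSABLE_SUFFIXES = ("webhook.site", "ngrok-free.app", "ngrok.app", "ngrok.io",
                       "infinityfreeapp.com", "rf.gd")
BYETHOST_RE = re.compile(r"(^|\.)byethost\d*\.com$")  # Byet Internet hosts
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
WINDOW = timedelta(seconds=120)  # the whole chain runs in seconds, not minutes
# Constructed log format: "<ISO8601 ts> <client ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                     r"(?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample: one victim walking the full chain, plus a benign client
# that merely posts a feedback form to Webhook.site (must not be flagged).
SAMPLE_LOG = """\
2025-06-03T09:14:02Z 10.20.3.7 GET https://grc-report.infinityfreeapp.com/pdfviewer?pdf=GRC-brief.pdf&email=analyst%40example-ministry.gov 200
2025-06-03T09:14:04Z 10.20.3.7 GET https://grc-report.infinityfreeapp.com/owa/ 200
2025-06-03T09:14:05Z 10.20.3.7 POST https://webhook.site/0f7a1d2e-constructed 200
2025-06-03T09:14:31Z 10.20.3.7 POST https://webhook.site/0f7a1d2e-constructed 200
2025-06-03T09:14:32Z 10.20.3.7 GET https://mail.example-ministry.gov/owa/ 200
2025-06-03T10:02:11Z 10.20.5.9 GET https://www.example.com/contact?email=user%40example.com 200
2025-06-03T10:02:13Z 10.20.5.9 POST https://webhook.site/feedback-form 200
"""


def is_disposable_host(host):
    """True for hosts on the assumed disposable hosting/tunneling services."""
    host = host.lower()
    if BYETHOST_RE.search(host):
        return True
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def email_in_query(url):
    """First query value that looks like an email (the lure pre-fills it), else None."""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            if EMAIL_RE.match(v):
                return v.lower()
    return None


def parse_log(text):
    """Parse proxy lines into event dicts sorted by client and time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        parts = urlsplit(m["url"])
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "client": m["client"], "method": m["method"], "url": m["url"],
                       "host": parts.hostname or "", "path": parts.path})
    events.sort(key=lambda e: (e["client"], e["ts"]))
    return events


def find_harvest_chains(events):
    """Flag a client that, within WINDOW of a lure GET carrying an email parameter
    on disposable hosting, POSTs at least twice (beacon + credentials) to
    disposable hosting and is then handed off by GET to a non-disposable domain."""
    by_client = {}
    for e in events:
        by_client.setdefault(e["client"], []).append(e)
    hits = []
    for client, evs in by_client.items():
        for i, seed in enumerate(evs):
            if seed["method"] != "GET" or not is_disposable_host(seed["host"]):
                continue
            victim = email_in_query(seed["url"])
            if not victim:
                continue
            window = [e for e in evs[i + 1:] if e["ts"] - seed["ts"] <= WINDOW]
            posts = [e for e in window
                     if e["method"] == "POST" and is_disposable_host(e["host"])]
            if len(posts) < 2:
                continue
            handoff = [e for e in window
                       if e["method"] == "GET" and e["ts"] >= posts[-1]["ts"]
                       and not is_disposable_host(e["host"])]
            if handoff:
                hits.append({"client": client, "victim_email": victim,
                             "lure_host": seed["host"],
                             "collector_hosts": sorted({e["host"] for e in posts}),
                             "handoff": handoff[0]["url"]})
                break  # one finding per client is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_harvest_chains(parse_log(SAMPLE_LOG)):
        print(hit)
```

The benign client is deliberately included: a single POST to Webhook.site is common legitimate traffic, which is why the rule keys on the email-bearing lure GET and the hand-off to a non-disposable domain rather than on the collection service alone. On a real proxy feed, swap `LINE_RE` and the timestamp format for your own log schema and feed `DISPOSABLE_SUFFIXES` from threat intelligence rather than the assumed list here.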

By continually refining these methods, BlueDelta keeps its credential-harvesting success rate high while evading detection, reflecting a deep understanding of user psychology and browser behavior.


Copyright © 2026, WhitepaperGlobal All Rights Reserved.