PGH Networks

Microsoft Logo on Black Keyboard

Microsoft Discovers Malicious Email Attack From NOBELIUM

Microsoft Discovers Malicious Email Attack from NOBELIUM

Early this year, the Microsoft threat intelligence center began tracking a sophisticated and malicious email phishing campaign targeting many individual users and businesses. The perpetrator, NOBELIUM, has gotten better and better at sidestepping any obstacles presented to them. The results of this have shown compromised data across many platforms.

What is Microsoft Threat Intelligence Center? (MSTIC)

Microsoft Threat Intelligence Center, or MSTIC, serves to catch security threats early and keep ahead of them to protect users. In the wake of recent attacks, MSTIC has been dedicated to ramping up safety and response for its users and sharing their insights and knowledge on cybersecurity with the industry at large.

Email Phishing Attacks

A phishing email (or text) serves to trick users into giving out sensitive information. These emails will often look like a message from a company you trust, asking you to verify some billing information or alerting you of suspicious activity on your account. Not only does this result in bank account access, social security numbers, and other important information getting into the wrong hands, but it can also harm the reputations of the companies that scammers are impersonating.

The FTC recommends a few different measures to protect your information. Downloading and frequently updating security software on your computer is an essential first step. You should also update your phone frequently, ensuring that it has the most recent patches and security updates.

Multi-factor authentication is a great way to protect your accounts from anyone attempting to reset your password from their location. And backing up your data to an external source, like a cloud or personal hard drive, will keep your essential files safe even if your personal computer is compromised.

NOBELIUM Explained


NOBELIUM is known to go after places like government organizations, the military, think tanks, and telecommunications, veiling itself as a US development organization. Their sophisticated tactics have resulted in many businesses and individual users dealing with possible compromised information. Their unique tooling and infrastructure, designed to target specific accounts, has resulted in their attacks staying undetected longer.


While NOBELIUM’s phishing attempts began in September 2020, the organization’s tactics ramped up in January 2021, after they learned from their initial campaign. They likely learned from Microsoft’s responses and tweaked their approach to get around any attempts to thwart them.

An experimentation phase resulted in NOBELIUM evolving its phishing campaigns, resulting in more successful deliveries of malicious emails to recipients. This attempt led to an escalation of efforts through April and May of 2021, resulting in a significant payload from Dropbox, a cloud storage platform. 

On May 25, NOBELIUM ramped up its attacks using Constant Contact’s legitimate mass email platform to target 3,000 individual accounts. The lion’s share of the malicious messages was blocked, but some of the earlier recipients were left vulnerable.

How To Protect Yourself From Phishing Scams 

Though these recent attacks are sophisticated and scary, there are still ways you can protect yourself from emails scams. This PGH blog on digital risk provides some excellent solutions.

Look out for:

  1. Generic greetings or content that could apply to many people. (ex. “Dear sir”)
  2. An email address with an odd letter or number in the domain name
  3. Urgency or demands. Any email that flashes “you’ve won!” in large letters or threatens to share your personal information with someone else is not to be trusted.
  4. Poor grammar or strange phrasing. These may serve the purpose of getting past spam filters.


  1. All links. Hover over them to be sure that the URL matches the destination that the link is promising.
  2. If the website is secure. All secure website URLs begin with “https://”
  3. For suspicious attachments. Do not open any attachment associated with an email that is giving you pause already.