Back to Intelligence

Void Blizzard O365 Espionage & SniperDz PhaaS: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
July 11, 2026
5 min read

Recent OTX pulses highlight two distinct but sophisticated credential-harvesting campaigns. The Russia-aligned Void Blizzard threat group is actively targeting US critical infrastructure and commercial sectors (Finance, Gov, Tech) using a cyber espionage methodology focused on Office 365 session token theft. Their attack chain utilizes typo-squatted domains (e.g., lnstagram.com, miscrsosoft.com) to harvest sessions and bypass MFA. Separately, the SniperDz ecosystem has been identified as a prolific Phishing-as-a-Service (PaaS) platform targeting the MENA region, specifically Algeria. SniperDz leverages social media brand impersonation to deliver browser hijacking payloads and fraudulent offers, aiming for credential theft and CPA fraud.

Threat Actor / Malware Profile

Void Blizzard (Russia-aligned)

  • Distribution Method: Mass email campaigns utilizing typo-squatted domains mimicking Microsoft Office, Instagram, and other trusted SaaS providers.
  • Payload Behavior: Web-based credential harvesting forms; specifically designed to steal session tokens (AAD tokens) rather than just passwords.
  • C2 Communication: Uses proxy infrastructure hosted on deceptive domains to blend in with legitimate traffic.
  • Objective: Cyber espionage, long-term unauthorized access to email systems.

SniperDz (Cybercrime)

  • Distribution Method: Phishing-as-a-Service (PaaS) distributed via fraudulent social media accounts impersonating politicians and public figures.
  • Payload Behavior: Browser hijacking redirects victims to fraudulent landing pages hosting fake offers (mobile data, compensation).
  • Infrastructure: Uses a network of dynamic subdomains (e.g., aff.bnaosf1he.shop, win.anababayala.com) to evade detection.
  • Objective: Credential harvesting, financial fraud (CPA), and account takeover.

IOC Analysis

The provided indicators primarily consist of Domains and Hostnames. These represent the initial access vector (phishing/typosquatting) and the infrastructure serving the malicious content.

  • Operationalization: SOC teams should immediately block these domains at the DNS layer and inspect web proxy logs for any historical connections.
  • Tooling: SIEM solutions (e.g., Splunk, Sentinel) can correlate these domains with DeviceNetworkEvents. Passive DNS (DNSDB) is recommended to identify sibling domains registered by the same actors, as SniperDz frequently rotates infrastructure.

Detection Engineering

YAML
---
title: Potential Void Blizzard Typosquatting Activity
id: c7c9b8c2-6a1e-4f3d-8e2b-9a5c6d7e8f0a
description: Detects DNS queries for domains that are common typos of high-value targets (Microsoft, Office, Instagram) associated with Void Blizzard activity.
author: Security Arsenal
date: 2026/07/12
modified: 2026/07/12
logsource:
  product: windows
  category: dns_query
detection:
  selection:
    QueryName|contains:
      - 'micsrosoft'
      - 'miscrsosoft'
      - 'ffice365'
      - 'lnstagram'
  condition: selection
falsepositives:
  - Legitimate but misspelled internal domain names (rare)
level: high
tags:
  - attack.initial_access
  - attack.credential_access
  - void.blizzard
---
title: SniperDz PhaaS Infrastructure Connection
id: d8e0f9a3-7b2c-5g4h-0i3j-1b6c7d8e9f0a
description: Detects network connections to known SniperDz PhaaS infrastructure and suspicious TLD patterns used in their campaigns.
author: Security Arsenal
date: 2026/07/12
modified: 2026/07/12
logsource:
  category: network_connection
detection:
  selection_domains:
    DestinationHostname|contains:
      - 'bnaosf1he.shop'
      - 'anababayala.com'
      - 'feezossl.xyz'
  selection_pattern:
    DestinationHostname|regex: '^(win|aff)\..+\.(shop|xyz|top)$'
  condition: 1 of selection*
falsepositives:
  - Legitimate advertising or affiliate traffic
level: medium
tags:
  - attack.initial_access
  - attack.social_engineering
  - sniperdz
---
title: Suspicious Office 365 Session Token Access
id: e9f1a0b4-8c3d-6h5i-1j4k-2c7d8e9f0a1b
description: Detects potential use of stolen session tokens via unusual user-agent strings or missing MFA claims in O365 audit logs, indicative of Void Blizzard techniques.
author: Security Arsenal
date: 2026/07/12
modified: 2026/07/12
logsource:
  product: azure
  service: signindetection:
  filter_legit:
    AppId: '01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9' # Microsoft Office Portal
  selection_suspicious:
    RiskDetail: 'none'
    MfaRequired: 'false'
    DeviceDetail|contains:
      'Unknown'
    Status|contains: 'Success'
  condition: filter_legit and selection_suspicious
falsepositives:
  - Legacy authentication or trusted exempted locations
level: high
tags:
  - attack.credential_access
  - attack.t1528
  - session.theft


kql
// Hunt for network connections to Void Blizzard and SniperDz infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("lnstagram.com", "ebsummlt.eu", "miscrsosoft.com", "ffice365.com", "micsroft.com", "bnaosf1he.shop", "anababayala.com", "feezossl.xyz")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend FullUrl = strcat("http://", RemoteUrl, "/")
| order by Timestamp desc


powershell
# IOC Hunter: Scan DNS Client Cache and Hosts file for Void Blizzard/SniperDz indicators
$IOC_List = @(
    "lnstagram.com", "ebsummlt.eu", "miscrsosoft.com", "ffice365.com", "micsroft.com",
    "aff.bnaosf1he.shop", "win.anababayala.com", "win.feezossl.xyz"
)

Write-Host "[+] Checking DNS Client Cache for malicious indicators..." -ForegroundColor Cyan
$DNSCache = Get-DnsClientCache
foreach ($IOC in $IOC_List) {
    $Matches = $DNSCache | Where-Object { $_.Entry -like "*$IOC*" }
    if ($Matches) {
        Write-Host "[!] MATCH FOUND: $IOC in DNS Cache" -ForegroundColor Red
        $Matches | Format-List Entry, Data, Type
    }
}

Write-Host "[+] Checking Hosts file for malicious indicators..." -ForegroundColor Cyan
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($IOC in $IOC_List) {
        if ($HostsContent -match $IOC) {
            Write-Host "[!] MATCH FOUND: $IOC in Hosts file" -ForegroundColor Red
        }
    }
}
Write-Host "[+] Hunt complete."

Response Priorities

  • Immediate: Block all listed domains and hostnames at the perimeter firewall and DNS resolver. Initiate a hunt for DeviceNetworkEvents matching the provided IOCs.
  • 24h: For users with potential hits on Void Blizzard indicators (O365), verify recent session activity and issue forced password resets + MFA re-enrollment as a precaution against session token theft.
  • 1 Week: Review email filtering rules to catch typo-squatted domains targeting Office 365 and social media platforms. Educate users on the specific lure techniques (fake politician offers, compromised O365 pages).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptvoid-blizzardsniperdzo365-compromisephishing-as-a-servicetyposquatting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.