Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

Interesting to see a known threat actor group mixing classic spear-phishing with RDP files to get onto the victim's system. The RDP files are signed with a Let's Encrypt certificate to "make the RDP file look legit", and once the actor has access to the victim's system they typically plant remote access tools (RATs). From there, it's game over. Learn more about what is going on from Microsoft's threat intelligence blog HERE.

Who is being targeted? Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the United Kingdom, Europe, Australia, and Japan. This target set is consistent with other Midnight Blizzard phishing campaigns.

As always, my personal thoughts are to question anybody who seems phishy (acting like they know you but using only publicly available info), especially if it's an external contact asking you to take an action right now. Since this is a spear-phishing campaign, it's likely they come with a story that involves asking you to open the attached file. Hopefully you have security tools that evaluate any attachments as well as links to download folders, and an EDR that looks for questionable local behavior such as an RDP connection being established from the attachment, followed by installation of a RAT.
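
One concrete thing an attachment-scanning tool can do with an .rdp file is read it before the user does. This is an added example, not code from this post or from Microsoft: an .rdp file is plain text, one `name:type:value` setting per line, and what makes one dangerous to open is that it can point the client at an arbitrary host and map the local drives, clipboard, smart cards and similar resources to that host. The triage below parses the file, compares the target host against an assumed set of trusted internal suffixes (`corp.example` is a placeholder), and flags resource redirection and the presence of a signature. The sample files are constructed for the example and are not indicators from the campaign; the setting names are the standard ones the Microsoft RDP client writes.

```python
"""Triage an .rdp attachment before a user is allowed to open it (added example)."""
from typing import Dict, List, Tuple, Union

Value = Union[str, int]

# Constructed sample resembling a malicious attachment: external host, every local
# drive plus clipboard and smart cards redirected, and a (placeholder) signature.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp.attacker-controlled.invalid:3389
remoteapplicationmode:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
promptcredentialonce:i:1
signscope:s:Full Address,Drive To Redirect,Redirect Clipboard
signature:s:AQABAAEAAAD...placeholder-base64...
"""

# Constructed benign sample: an internal jump host with no resource redirection.
BENIGN_RDP = """\
full address:s:jump01.corp.example
drivestoredirect:s:
redirectclipboard:i:0
redirectsmartcards:i:0
"""

# Integer settings whose value 1 exposes a local resource to the remote server.
REDIRECT_FLAGS = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn (FIDO) authenticators",
    "redirectcomports": "COM ports",
}


def parse_rdp(text: str) -> Dict[str, Value]:
    """Parse name:type:value lines into a dict; 'i'-typed values become int."""
    settings: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        parts = line.split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        name, typ, value = parts[0].strip().lower(), parts[1].strip(), parts[2]
        if typ == "i":
            try:
                settings[name] = int(value)
                continue
            except ValueError:
                pass
        settings[name] = value
    return settings


def _hostname(full_address: str) -> str:
    """Strip an optional :port from a 'full address' value."""
    host = full_address.strip().lower()
    if host.startswith("["):  # [ipv6]:port
        return host[1:].split("]", 1)[0]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def triage(settings: Dict[str, Value], trusted_suffixes: Tuple[str, ...]) -> Tuple[str, List[str]]:
    """Return ('block' | 'review' | 'allow', findings) for a parsed .rdp file."""
    findings: List[str] = []
    host = _hostname(str(settings.get("full address", "")))
    external = not any(host == s or host.endswith("." + s) for s in trusted_suffixes)
    if not host:
        findings.append("no 'full address': nothing to connect to")
    elif external:
        findings.append(f"connects to a host outside the trusted suffixes: {host}")

    drives = str(settings.get("drivestoredirect", "")).strip()
    if drives:
        findings.append(f"maps local drives to the remote server: {drives!r}")
    for name, label in REDIRECT_FLAGS.items():
        if settings.get(name) == 1:
            findings.append(f"exposes local {label} to the remote server")
    if settings.get("remoteapplicationmode") == 1:
        findings.append("RemoteApp mode: the remote session is shown as a local window")
    if settings.get("signature"):
        # A signature only says who produced the file; it is not a trust decision.
        findings.append("file is signed; treat the signer as a lead, not as proof of safety")

    exposes_resources = bool(drives) or any(settings.get(n) == 1 for n in REDIRECT_FLAGS)
    if external and exposes_resources:
        return "block", findings
    if findings:
        return "review", findings
    return "allow", findings


if __name__ == "__main__":
    for label, text in (("attachment", SAMPLE_RDP), ("jump host", BENIGN_RDP)):
        verdict, findings = triage(parse_rdp(text), ("corp.example",))
        print(f"{label}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

The "block" verdict deliberately keys on the combination of an external target and local resource redirection rather than on the signature: a validly signed file from an unknown signer is exactly the case this campaign relies on, so the signer should feed an investigation, not a trust decision.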

Check out the blog post not only for more on this but also to learn how to hunt for this behavior. Microsoft lays out several methods to detect whether this activity is happening within your organization.
