What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia

Google Threat Intelligence Group (GTIG) reports that UNC6293 continues targeted ASP phishing operations against prominent academics, critics of Russia, and journalists, evolving its tradecraft by creating new accounts and varied ASP personas to re-engage prior targets. The actor also attempted to link attacker-controlled devices to victims' Microsoft 365 accounts via device code authentication and used calendar invites with Zoom/Google Meet links and malicious Microsoft authentication URLs, demonstrating persistence and increased sophistication.