Russian APT29’s 2026 Moonbeam Spear-Phishing Campaigns: Bypassing MFA via Adversary-in-the-Middle Toolkits on Microsoft Entra ID

Executive Summary: In early 2026, Russian state-sponsored threat actor APT29 (Cozy Bear) launched a highly sophisticated spear-phishing campaign codenamed Moonbeam, targeting organizations using Microsoft Entra ID (formerly Azure Active Directory). The campaign exploited adversary-in-the-middle (AiTM) phishing toolkits to intercept and relay multi-factor authentication (MFA) traffic, effectively bypassing MFA protections. This article examines the operational mechanics of Moonbeam, its technical sophistication, and strategic implications for global cybersecurity defenses. Findings are based on telemetry from Microsoft Threat Intelligence, CISA advisories, and private sector incident response reports issued in Q1 2026.

Key Findings

• MFA Bypass Achieved: APT29 used AiTM toolkits to capture real-time MFA tokens and session cookies, enabling session hijacking without triggering authentication alerts.
• Targeting Microsoft Entra ID: Campaigns primarily exploited legacy authentication protocols and OAuth app consent abuse to deliver malicious phishing pages mimicking Microsoft login portals.
• Tactical Refinement: Moonbeam campaigns leveraged AI-enhanced spear-phishing emails tailored to executive roles in government, defense, and critical infrastructure sectors.
• Geographic and Sector Distribution: Highest concentration of attacks observed in North America and Europe, with focus on IT, energy, and aerospace industries.
• Defensive Gaps Identified: Organizations relying solely on native MFA controls were vulnerable due to insufficient monitoring of token replay and session hijacking activity.

Campaign Overview: Moonbeam in Context

APT29’s Moonbeam operations represent a significant escalation in the use of AiTM techniques to defeat modern authentication defenses. Unlike traditional phishing that relies on credential harvesting alone, Moonbeam intercepts the entire authentication handshake, including MFA prompts, by positioning a malicious reverse proxy between the victim and Microsoft Entra ID. The campaign is distinguished by its precision targeting, operational security, and integration of generative AI to craft convincing lures.

According to Microsoft’s threat assessment published April 2026, over 120 organizations across 28 countries were compromised, with a dwell time averaging 3.4 days before detection. The majority of intrusions originated from cloud-hosted infrastructure in Russia and Belarus, using bulletproof hosting and fast-flux DNS to evade blacklisting.

Technical Analysis: How Moonbeam Bypasses MFA

The Moonbeam campaign exploits a confluence of weaknesses in identity infrastructure, authentication flows, and user behavior. The attack chain unfolds in four stages:

Stage 1: Initial Access via Spear-Phishing

APT29 operators initiated contact using highly personalized emails generated with internal generative AI models trained on publicly available data (LinkedIn, press releases, conference proceedings). Emails contained malicious links hosted on compromised SharePoint sites or malicious subdomains mimicking Microsoft login pages (e.g., login-microsoft[.]com). A notable feature was the use of time-sensitive “urgent access required” language referencing internal projects or urgent IT tickets.

Stage 2: AiTM Proxy Deployment

Upon clicking the link, the victim was redirected to a malicious reverse proxy server. This server hosted a convincing replica of the Microsoft Entra ID login portal, complete with CAPTCHA and MFA prompts. The proxy operated as a man-in-the-middle, relaying all traffic between the victim and the real Microsoft authentication endpoint (login.microsoftonline.com).

Crucially, the AiTM toolkit intercepted HTTPS traffic by exploiting weaknesses in legacy TLS configurations or via phishing pages served over HTTP with spoofed SSL certificates issued by publicly trusted CAs (e.g., Let’s Encrypt) using domain validation on lookalike domains.

Stage 3: MFA Token Interception

When the victim entered credentials and completed an MFA challenge (e.g., push approval, TOTP, or SMS), the AiTM kit captured the session cookie and MFA token in real time. These tokens were then replayed against the real Microsoft Entra ID service to establish a valid authenticated session. Because the tokens were legitimate and freshly issued, they bypassed conditional access policies and triggered no anomaly alerts.

Microsoft later confirmed that APT29 weaponized a variant of the open-source Modlishka framework, enhanced with custom modules for Microsoft Entra ID token parsing and session persistence.

Stage 4: Lateral Movement and Persistence

With authenticated access secured, APT29 operators performed reconnaissance using Microsoft Graph API, enumerated mailboxes, and exfiltrated sensitive data via Exchange Online. Persistence was established via OAuth application abuse, granting long-lived access without user interaction. In some cases, attackers created rogue service principals with high privileges, mimicking legitimate admin applications.

Why Microsoft Entra ID Was Vulnerable

Despite robust MFA adoption, several architectural and operational gaps enabled Moonbeam’s success:

• Legacy Authentication Enabled: Many organizations had not fully disabled legacy protocols (IMAP, POP3, SMTP Auth) that do not support modern MFA.
• Insufficient Token Monitoring: Native Microsoft Entra ID logs did not correlate token replay events with user location or device posture, allowing hijacked sessions to go unnoticed.
• OAuth Consent Fatigue: Users frequently approved OAuth consent prompts without reviewing permissions, enabling attackers to register malicious applications with extensive data access.
• Lack of Proxy Detection:
• Network-level defenses failed to detect AiTM proxies due to encrypted traffic and use of legitimate Microsoft domains in TLS certificates.