NCSC Uncovers Stealthy Outlook Malware “Authentic Antics” Linked to Russian State Actor

The United Kingdom’s National Cyber Security Centre (NCSC) has exposed a sophisticated cyberespionage campaign leveraging a highly targeted malware strain named “Authentic Antics”. This tool quietly embeds itself in Microsoft Outlook on Windows devices to harvest Office 365 credentials and OAuth 2.0 tokens, which are then used to discreetly access cloud services such as Exchange Online, SharePoint, and OneDrive.

Discovered in 2023 and attributed to the Russian military intelligence group APT28, also known as Fancy Bear, Authentic Antics is designed for long-term stealth and control. According to a detailed malware analysis report published by the NCSC, the strain operates with surgical precision, inserting itself into the Outlook process and deploying highly convincing login prompts. These prompts capture both usernames and passwords as well as OAuth refresh tokens, which allow persistent access to Microsoft services without reauthentication.

What makes Authentic Antics particularly dangerous is its ability to mimic legitimate Outlook behavior. Once the attacker obtains valid credentials and tokens, the malware uses the victim’s own Outlook API to send stolen data—encrypted and obfuscated—to an attacker-controlled mailbox. These outbound emails do not appear in the Sent folder, eliminating many typical forensic traces. The malware doesn’t use traditional command-and-control (C2) infrastructure, relying instead on trusted Microsoft endpoints, significantly complicating detection efforts.

Multi-Module Architecture and Stealth Engineering

Authentic Antics consists of three main components, each designed with stealth and persistence in mind:

  1. Dropper – A C++/.NET DLL that only activates its payload if specific environmental checks pass. This includes looking for known usernames, system identifiers, and other indicators of a targeted machine. The dropper determines when to deploy additional modules, ensuring minimal exposure to systems not targeted by threat actors.
  2. Stealer – A memory-only .NET library that never touches disk, making traditional detection nearly impossible. It displays fake login dialogs, steals credentials and OAuth tokens, and leverages Outlook APIs for exfiltration. Because it operates entirely in memory, signature-based tools cannot easily spot its presence.
  3. Fallback PowerShell Module – A scripted backup that performs similar token theft using hardcoded credentials. It acts as a failsafe should the primary stealer module be disrupted or unable to execute.

The malware includes several advanced evasion techniques. It verifies that it is running inside the outlook.exe process and uses registry unhooking to strip away monitoring mechanisms placed by endpoint security tools. Execution is time-gated using a registry timestamp, ensuring the stealer module activates only every six days. Strings throughout the codebase are encrypted and reconstructed in memory to defeat static analysis.

One particularly clever feature is environmental keying. The stealer DLL is encrypted with a key derived from system-specific data, such as a GUID or volume serial number. This makes the malware non-portable, as it will not execute outside its designated target environment, reducing the risk of unintended exposure or analysis.

To evade code audits, the malware incorporates portions of Microsoft’s official Authentication Library (MSAL) and appends malicious classes. This tactic lends a facade of legitimacy, allowing the malware to hide in plain sight during automated scans or cursory code reviews.

Exfiltration via Trusted Channels

Once credentials and OAuth tokens are captured, the malware compresses and encrypts the data using RSA keys embedded during deployment. The exfiltration mechanism stands out for its use of Microsoft’s own infrastructure: a forged email is sent using the Outlook REST API (outlook.office.com/api/v2.0/me/sendMail). The API call uses the victim’s token and sets “SaveToSentItems” to false, making the email practically invisible to the end user. No outbound connection to suspicious domains is made, which renders traditional traffic inspection techniques ineffective.

The malware achieves persistence through COM hijacking. Specifically, it hijacks the InprocServer32 registry key associated with Outlook’s COM component. While the dropper doesn’t install this key directly, its presence implies prior compromise by a separate implant or delivery vector. Once hijacked, Outlook will load the malicious DLL every time it starts, ensuring repeat execution with minimal footprint.

Official Attribution to Fancy Bear

The NCSC, in collaboration with Microsoft and incident response teams, has attributed Authentic Antics to the Russian GRU-affiliated group APT28 (Fancy Bear). According to the NCSC’s joint advisory, this malware was used in a 2023 cyberespionage operation targeting high-value individuals and institutions aligned with the UK and its allies. The UK government has since imposed sanctions on 18 officers from the Russian GRU, and formally named the malware itself in diplomatic rebukes.

Paul Chichester, Director of Operations at the NCSC, emphasized the malware’s sophistication and urged public and private sector organizations to improve defenses. He recommended the use of multifactor authentication (MFA), monitoring of anomalous token usage, and strict adherence to NCSC’s published mitigation guidance. Foreign Secretary David Lammy added that these hybrid attacks will not “break [the UK’s] resolve” and pledged continued cooperation with NATO and EU partners.

The malware’s emergence fits a broader pattern of GRU activity designed to destabilize European institutions, undermine democratic governments, and disrupt Ukraine’s international support networks. These incidents mark a clear shift toward exploiting OAuth and cloud authentication infrastructure, in contrast to older credential theft techniques focused on passwords alone.

Implications for Microsoft Cloud Environments

Authentic Antics is unlikely to be used in large-scale, indiscriminate attacks. Its behavior indicates deliberate, targeted intrusions aimed at collecting sensitive intelligence from political, military, and corporate leadership. However, the malware’s use of Microsoft cloud services, its stealthy approach, and token-based persistence make it highly concerning for any organization relying on the Microsoft 365 ecosystem.

Security professionals should assume that traditional endpoint detection tools may fail to identify this threat. Defensive strategies should include:

  • Behavioral monitoring of OAuth token activity,
  • Tracking token lifespan and refresh patterns,
  • Applying Conditional Access Policies to restrict anomalous access locations or device types,
  • Leveraging indicators of compromise (IOCs) shared by the NCSC.
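A small detection pass over constructed audit events, added here as an example (not NCSC or Microsoft code), covering the exfiltration pattern described under Exfiltration via Trusted Channels and the first two bullets above: an API-driven send with SaveToSentItems set to false is flagged, and a refresh-token redemption from an IP never seen in that user's interactive sign-ins is flagged as anomalous token use. The event schema and sample records are the example's own; it assumes your sign-in and mailbox audit sources can be mapped into these fields.

```python
"""Behavioral checks over constructed M365-style auth and mail events."""
from collections import defaultdict

# Constructed sample events, in time order. Fields are this example's own schema.
EVENTS = [
    {"ts": "2023-05-01T08:00Z", "user": "alice", "type": "signin_interactive", "ip": "203.0.113.10"},
    {"ts": "2023-05-01T08:05Z", "user": "alice", "type": "token_refresh", "ip": "203.0.113.10"},
    {"ts": "2023-05-07T02:14Z", "user": "alice", "type": "token_refresh", "ip": "198.51.100.77"},
    {"ts": "2023-05-07T02:15Z", "user": "alice", "type": "sendmail", "ip": "198.51.100.77",
     "via_api": True, "save_to_sent": False, "recipients": ["drop@example.net"]},
    {"ts": "2023-05-07T09:00Z", "user": "alice", "type": "sendmail", "ip": "203.0.113.10",
     "via_api": False, "save_to_sent": True, "recipients": ["bob@example.com"]},
]

def detect(events):
    """Return (rule, event) pairs for events matching either rule.

    Rule 1: a mail sent through the API with SaveToSentItems=false leaves no
            Sent Items trace, which is the exfiltration pattern described above.
    Rule 2: a refresh token redeemed from an IP that has never appeared in the
            user's interactive sign-ins suggests the token is being replayed.
    """
    interactive_ips = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["type"] == "signin_interactive":
            interactive_ips[ev["user"]].add(ev["ip"])
        elif ev["type"] == "token_refresh":
            if ev["ip"] not in interactive_ips[ev["user"]]:
                alerts.append(("refresh_from_unseen_ip", ev))
        elif ev["type"] == "sendmail":
            if ev.get("via_api") and not ev.get("save_to_sent", True):
                alerts.append(("api_send_not_saved_to_sent", ev))
    return alerts

if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(f"{ev['ts']} {ev['user']} {rule} ip={ev['ip']}")
```

Both rules are deliberately narrow; in practice the refresh-IP rule should also tolerate known corporate egress ranges, and the send rule should be weighted by recipient domain reputation.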

Authentic Antics exemplifies the evolution of nation-state cyber tools: leveraging legitimate APIs, evading disk-based detection, persisting invisibly, and using cloud-native mechanisms to stay under the radar. For defenders, its existence underscores the need to move beyond perimeter-based security models and adopt identity-first, behavior-aware threat detection strategies.
