BlueDelta Hackers Target OWA, Google, and Sophos VPN in Global Login Theft Campaign

BlueDelta is Recorded Future's name for a Russian state-sponsored threat actor also tracked as APT28, Fancy Bear, and Forest Blizzard. The group is attributed to Russia's military intelligence service (GRU) and is known for long-running credential-harvesting and cyber-espionage operations. It has targeted government bodies, defense contractors, think tanks, and sensitive communication systems for more than a decade.

Reported but Unverified Activity (January 2026)

A cybersecurity news site published a report titled “BlueDelta Hackers Attacking Microsoft OWA, Google, and Sophos VPN Users to Steal Logins”, claiming that BlueDelta has expanded operations to target users of major services, including:

  • Microsoft Outlook Web Access (OWA)
  • Google accounts
  • Sophos VPN users

The goal, according to the piece, is to harvest login credentials and session data (cookies or tokens that let an attacker reuse an already-authenticated session) for later account takeover.

Important caveat: CyberSecurityNews.com is a syndicated news feed rather than a primary research source. As of this writing, no independent confirmation of this specific multi-service campaign from a major security vendor or national CERT is publicly available. Treat the claim cautiously until it is corroborated by an authoritative source such as Recorded Future, CISA, Microsoft, Google, Sophos, or another technical advisory.

Known Verified BlueDelta Tactics

What has been independently verified by trusted research (Recorded Future's Insikt Group) is a credential-harvesting phishing campaign against users of the Ukrainian UKR.NET webmail service, which ran from mid-2024 through at least April 2025:

  • Fake login pages mimicking the real service
  • PDF phishing lures used to evade automated detection
  • Infrastructure hosted on free hosting providers and anonymization tunnels
  • Capture of usernames, passwords, and 2FA codes for espionage purposes; because the fake page harvested one-time codes along with the password, an OTP-only second factor offered little protection against this technique

These techniques — phishing, fake login portals, credential capture — are typical of APT28/BlueDelta activity. If the newer report is accurate, it would represent an expansion of credential harvesting beyond a single webmail service to include major platforms used globally.

What This Means for Users

Whether or not the specific multi-platform attack is confirmed, BlueDelta and similar state-sponsored groups rely on a consistent set of techniques, and the defenses below apply to all of them.

Common credential-stealing vectors

  • Phishing campaigns with convincing login pages
  • Malicious PDF attachments or documents
  • Redirects to fake login portals
  • Use of legitimate services to host malicious infrastructure

Protective steps

  • Enable multi-factor authentication (MFA) on all accounts, preferring phishing-resistant methods (FIDO2 security keys or passkeys) over SMS or app-generated codes, since a fake login page can harvest a one-time code just as easily as a password
  • Treat unsolicited emails urging password resets, account verification, or review of an attached document with high suspicion
  • Validate the login domain before entering credentials: check the actual hostname in the address bar, not just whether a familiar name appears somewhere in the URL
  • Use strong, unique passwords with a reputable password manager, which will also refuse to autofill on a lookalike domain
  • Review account sign-in activity and active sessions for unfamiliar locations or devices, and revoke any session you don't recognize
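As an added, runnable illustration of the domain check above (example code written for this page, not tooling from the report, Recorded Future, or any vendor), the following Python triages links pulled from an email or PDF lure and reports why each one is or is not a legitimate login destination. The allowlist, the policy of accepting only exact hostname matches over https, and the sample links are assumptions constructed for the example.

```python
"""Link triage for credential-phishing lures.

Added example for this page (not code from the report, Recorded Future, or any
vendor): given links pulled from an email or PDF, decide whether each one
really points at a legitimate login host. The allowlist and the sample links
are constructed for illustration.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist (assumption): hosts where OWA / Microsoft 365 and Google
# credentials are legitimately entered. Sophos VPN portals are customer-hosted,
# so an organisation adds its own portal name rather than a vendor-wide entry.
DEFAULT_ALLOW = frozenset({
    "login.microsoftonline.com",
    "outlook.office.com",
    "accounts.google.com",
})


def actual_host(url: str) -> str:
    """Return the lower-cased host a browser would connect to for this URL.

    urlsplit() already defeats the userinfo trick: for
    'https://accounts.google.com@evil.test/' the host is 'evil.test'.
    A trailing dot (absolute DNS name) is stripped so it cannot dodge a match.
    """
    return (urlsplit(url).hostname or "").rstrip(".")


def embedded_urls(url: str):
    """Yield absolute URLs carried in query parameters: the open-redirect
    pattern, where a legitimate host only bounces the victim to the fake portal."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                yield value


def triage(url: str, allow=DEFAULT_ALLOW):
    """Classify one link as ('ok', host) or ('suspect', reason).

    Policy (an assumption of this example): only an exact match on an
    allowlisted host over https is 'ok'. Subdomains are deliberately not
    accepted, and a 'starts with' or 'contains' check is never used, because
    'login.microsoftonline.com.verify-account.test' is built to fool exactly that.
    """
    parts = urlsplit(url)
    host = actual_host(url)
    if parts.scheme != "https":
        return "suspect", f"non-https scheme {parts.scheme!r}"
    if not host:
        return "suspect", "no host in URL"
    if not host.isascii() or "xn--" in host:
        # homoglyph / IDN domain: renders like the real name, resolves elsewhere
        return "suspect", f"internationalised host {host}"
    if host in allow:
        # the real host can still be abused as a redirector to the fake page
        for inner in embedded_urls(url):
            verdict, why = triage(inner, allow)
            if verdict != "ok":
                return "suspect", f"redirect via {host} to {why}"
        return "ok", host
    for good in allow:
        if good in host:
            return "suspect", f"lookalike of {good}: {host}"
    return "suspect", f"unknown host {host}"


def triage_all(urls, allow=DEFAULT_ALLOW):
    """Map each URL to its (verdict, detail) pair."""
    return {u: triage(u, allow) for u in urls}


# Constructed sample links of the kind found in a phishing email or PDF lure.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
    "https://login.microsoftonline.com.verify-account.test/owa/",
    "https://accounts.google.com@verify-account.test/signin",
    "http://accounts.google.com/ServiceLogin",
    "https://outlook.office.com/owa/?redirect=https%3A%2F%2Fowa-login.test%2F",
    "https://xn--accunts-9tb.google-login.test/",
]

if __name__ == "__main__":
    for link, (verdict, detail) in triage_all(SAMPLE_LINKS).items():
        print(f"{verdict:8} {detail:60} {link}")
```

Running the script flags five of the six constructed links: the lookalike domain, the userinfo trick, the plain-http link, the open redirect through a genuine host, and the punycode host, while the real Microsoft authorize URL passes. Note what the check cannot tell you: a correct hostname says nothing about whether the page behind it relays your one-time code, which is why the MFA recommendation above favours phishing-resistant methods.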