APT29 Targets European Cloud Service Providers in Operation CloudJack

Sunday, March 22, 2026 at 12:00 PM UTC·Source: Microsoft / ANSSI

Updated: Monday, March 23, 2026 at 08:00 AM UTC

Executive Summary

APT29 compromises two European cloud hosting providers to access customer environments. Hundreds of EU government and enterprise tenants at risk.

Analysis

Microsoft and ANSSI report that APT29 compromised administrative access at two mid-tier European cloud hosting providers, gaining potential access to hundreds of EU government and enterprise customer environments. The operation, dubbed CloudJack, used stolen admin OAuth tokens to move laterally through customer tenants. Affected providers have initiated incident response and customer notifications.

Timeline

Discovered

Mar 15, 2026

Exploitation Detected

Mar 15, 2026

Published

Mar 22, 2026

Source Attribution

Originally published by Microsoft / ANSSI on Mar 22, 2026. Verified by: Microsoft, ANSSI, ENISA.

Related Threats

MEDIUMApt

China-Linked Webworm APT Evolves Tactics, Expands to European Targets

China-linked Webworm APT expands beyond Asia, targeting European government organizations and refining its cyber espionage tactics, according to ESET research

3h agoInfosecurity Magazine

CRITICALApt

Rapid7’s 2026 Global Cybersecurity Summit: Key Takeaways for Security Leaders

Security teams are working in an environment where speed, scale, and complexity are all increasing at the same time. Across the Rapid7 2026 Global Cybersecurity Summit , the focus was not just on how the threat landscape is evolving, but on how teams are adapting their approach to keep up. The sessions brought together perspectives from across detection and response, exposure management, AI, and s

23h agoRapid7

HIGHApt

Internet Explorer may be dead, but its ghost still runs malware

Microsoft’s aging “mshta.exe” utility, a leftover component from Internet Explorer, is still being actively abused in modern malware campaigns years after the browser itself was retired. According to new research from Bitdefender, attackers continue to abuse Microsoft HTML Application Host (MSHTA), a built-in Windows utility capable of executing VBScript and JavaScript from local or remote files.

1d agoCSO Online