Reverse Engineering Phishing

Legitimate Lessons for Cold Email Mastery
Published: September 09, 2025

Written by Anouar Springer in Spring 2025

In January 2025, Microsoft exposed a remarkable email campaign that achieved what every GTM professional dreams of: engagement from high-profile, hard-to-reach decision makers. The operation, running from 2023 to 2024, secured responses from government officials, defense organizations, think tanks, NGOs, journalists, and researchers working on defense policy and Ukraine-related topics. While their objectives were malicious, their methodology offers a masterclass in cold emailing that legitimate businesses can learn from.

Let's be clear: we're not here to replicate harmful practices. Instead, we're going to reverse engineer what made their communication so effective. By analyzing their meticulous research methods, technical infrastructure, and multi-step emailing, we can extract valuable lessons for legitimate business outreach.

Think about it: if these techniques were crafted with the precision of an intelligence agency and could convince government officials to engage, imagine what they could do for your business's cold email campaigns. We'll break down their approach to personalization, tech stack, and follow-up – all while maintaining strict ethical boundaries and focusing on legitimate business applications.

Ready to discover how thorough research and precise execution can transform your cold email success rates? Let's dive in.

What is Star Blizzard?

Star Blizzard is a Russian state-sponsored cyber threat actor operating under FSB Centre 18, also known as the Centre for Information Security (TsIB), Military Unit 64829. The FSB, Russia's Federal Security Service and successor to the KGB, oversees the group through its Counter-intelligence Service. The group has been tracked under various names by different cybersecurity organizations: Microsoft calls them Star Blizzard (previously SEABORGIUM), Google's threat team knows them as COLDRIVER, PwC tracks them as Blue Callisto, Proofpoint as TA446, and Sekoia as Calisto. In December 2023, government agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States formally attributed the group to the FSB's Centre 18.

What is Spear Phishing?

Spear phishing is a targeted form of email attack that uses carefully researched personal or professional information to deceive specific individuals. Unlike mass phishing campaigns that cast a wide net, spear phishing focuses on selected high-value targets. In Star Blizzard's case, they craft personalized emails impersonating known contacts of their targets, often posing as colleagues, funders, or government officials. The group first sends a simple message to establish contact, followed by a second email containing a malicious link or attachment. This two-step approach helps them evade detection while building credibility with their targets.

Who Are Their Targets?

From 2023 to 2024, Star Blizzard focused on three distinct categories of targets. The first category consists of government and diplomatic professionals, including both current position holders and former officials. The second group comprises researchers and analysts specializing in defense policy and international relations, particularly those whose work involves Russia. The third category targets organizations providing assistance to Ukraine during the ongoing conflict with Russia. They specifically pursued journalists, think tanks, and NGO staff who could access sensitive information or influence policy decisions.

Microsoft's investigation revealed that the group maintained a steady pace of operations, targeting approximately one new organization per week. During 2023-2024 alone, they contacted 82 targets.

Initial Contact Strategy

Star Blizzard mastered the art of impersonation through extensive target research. They created email accounts mimicking trusted contacts in their targets' networks - typically colleagues, funders, or US government officials. Their initial outreach focused on establishing credibility and provoking a response.

Their subject lines demonstrated a deep understanding of the target's work by referencing current projects and shared professional interests and using sector-specific terminology. The message content showed careful research, discussing the target's recent publications and ongoing research initiatives while demonstrating knowledge of their expertise and professional focus.

To establish trust, they meticulously recreated the identity of individuals known to the target. They used proper organizational titles, referenced legitimate organizations, and mentioned mutual professional contacts. This social proof made their outreach appear genuine and worthy of response.

Their calls to action were subtle but effective. They requested document reviews, sought input on relevant topics, or asked for professional opinions. A key tactic involved intentionally omitting mentioned attachments, creating a natural reason for follow-up communication.

Their success relied on meticulous preparation. Intelligence gathering preceded each contact, ensuring messages appeared authentic and relevant to the target's professional activities.

The Two-Step Email Process

Star Blizzard's communication followed a calculated two-step sequence. Their first email established context through carefully crafted subject lines referencing professional topics relevant to the target. The message body contained a brief request for document review, using formal language that matched the writing style of the impersonated sender. They referenced specific projects and areas of shared interest to demonstrate legitimacy, while intentionally omitting the mentioned attachment.

When targets responded about the missing attachment, Star Blizzard launched the second phase. Their follow-up email appeared natural and professional, maintaining the same tone and style as the initial message. They included a Safe Links-wrapped t.ly shortened URL, presenting it as the solution to access the previously mentioned document. To drive engagement, they often introduced subtle time constraints while referencing the previous exchange to maintain conversational continuity.

This two-step approach served multiple purposes. First, it filtered for engaged targets who would respond to the initial message. Second, it established a chain of trust through multiple interactions. Third, it made the eventual link click appear as a natural part of a professional exchange rather than an unsolicited request.

Technical Infrastructure

Star Blizzard's infrastructure combined robust domain management with sophisticated authentication capture. They registered domains primarily through Hostinger and Namecheap, maintaining a network of over 66 unique domains. Each domain followed a strict preparation protocol - after registration, they waited 30 days before deployment, likely to avoid detection systems targeting newly registered domains. Their hosting strategy used rotating IP addresses through shared hosting services, making tracking more difficult. For encryption, they employed Let's Encrypt and ZeroSSL certificates, establishing secure connections that appeared legitimate to both users and security systems.

In early campaigns, they used HubSpot's URL infrastructure, embedding HubSpot domains in targeting PDFs to evade detection. By 2024, they had evolved to using Safe Links-wrapped t.ly shortened URLs, demonstrating their ability to adapt when techniques became known.

When Microsoft and the US Department of Justice disrupted their infrastructure in October 2024, Star Blizzard demonstrated remarkable resilience. They quickly transitioned to new domains and adapted their playbook, maintaining operational continuity with minimal interruption.

Their authentication capture process functioned as a multi-stage system. When targets clicked a link, the system first collected a device fingerprint and validated the target's authenticity. Some targets encountered a CAPTCHA challenge, adding another layer of validation. After these checks, targets were redirected to a convincing login page that pre-populated their email addresses. The system captured both password and two-factor authentication codes, using them to create persistent access tokens for continued access.

The infrastructure's design prioritized both operational security and credibility. By rotating domains, using legitimate SSL certificates, and implementing multiple validation stages, they created a system that appeared trustworthy while remaining resilient to detection and disruption.

Applying the Learnings to your Cold E-Mail Campaign

Domain Infrastructure

Professional email campaigns require reliable infrastructure. Star Blizzard's approach teaches us the importance of domain preparation and maintenance for successful email delivery.

Start by selecting reputable domain registrars. While Star Blizzard used Hostinger and Namecheap, any major registrar like GoDaddy or Cloudflare works for legitimate business use. The key is consistency and proper setup, not the specific provider. Also spread your domains across several providers to reduce risk.

Domain aging emerges as a critical factor. Star Blizzard waited 30 days before using new domains - this practice significantly impacts deliverability. Fresh domains often face stricter spam filtering and lower sender reputation. For business emails, consider aging domains for 30-60 days before starting campaigns. For each domain, implement proper technical configuration:

  • Set up SPF, DKIM and DMARC records.

  • Set up SSL certificates for the domains.
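As an added example (not code from the article), here is a small Python checker that parses SPF and DMARC TXT records and flags the settings that most often leave a sending domain spoofable or hurt deliverability. The records and the domain example-outreach.test are constructed samples; a real check would fetch the TXT records over DNS.

```python
# Added example (not from the article): grade SPF and DMARC TXT records.
# The records and the domain example-outreach.test are constructed samples;
# a real check would fetch the TXT records of <domain> and _dmarc.<domain>.
WEAK_SPF = "v=spf1 include:_spf.example-provider.test +all"
GOOD_SPF = "v=spf1 include:_spf.example-provider.test -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example-outreach.test"

def parse_dmarc(record):
    """Split a DMARC record into tag/value pairs; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return findings for an SPF record; an empty list means it looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The 'all' mechanism decides what happens to hosts not matched earlier.
    all_mech = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_mech is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if all_mech[0] in "+a":  # '+all' or a bare 'all' passes every host
        return ["'+all' lets any host send as this domain"]
    if all_mech[0] == "~":
        return ["'~all' only softfails spoofed mail; use '-all' once senders are listed"]
    return []

def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means it looks sound."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none: spoofed mail is still delivered, only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s: policy applies to only part of the mail" % tags["pct"])
    return findings
```

Running `check_spf` and `check_dmarc` on the WEAK_* samples lists the problems; the GOOD_* samples come back clean.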

Sending Infrastructure

Match your sending infrastructure to your target environment - for example, when targeting corporate environments, ensure your setup aligns with their typical receiving infrastructure.

Current market leaders for cold email infrastructure are MailDoiso and MailReef. For sending, choose Instantly or SmartLead. If you want to nail your copy, Maillab can be worth it too.

Lead Research Process

Star Blizzard's success stemmed from deep research before initial contact. Their approach reveals how thorough target research directly impacts engagement rates.

Start with organizational mapping. Identify companies that match your ideal customer profile, then study their organizational structure. Understand reporting lines, departmental interactions, and decision-making processes. This knowledge helps identify the right point of contact and reveals potential conversation paths into the organization.

Contact research forms the core of personalization. Study your prospect's professional journey through their LinkedIn activity, conference presentations, and published work. Look for recent interviews or podcast appearances where they discuss current challenges and initiatives. Monitor their professional social media for insights into their thinking and priorities. This research provides context for relevant, engaging first contact.

Environment analysis expands your understanding beyond the individual. Track company announcements, recent press coverage, and industry developments affecting your prospect's organization. Study their competitors' moves and industry trends. Look for trigger events - leadership changes, expansion announcements, or new initiatives - that create natural conversation openings.

This research investment pays off in engagement rates. When you understand your prospect's context, you can craft messages that resonate with their current priorities and challenges.

Campaign Structure

Star Blizzard's two-step engagement process is standard procedure in the current cold emailing environment. Their approach shows how breaking contact into at least two phases is absolutely critical.

The initial contact sets the foundation. Start with a brief message that demonstrates your research and establishes relevance. Reference the prospect's recent work, such as a conference presentation or published article. Make your message specific to them - mention how their recent project or industry initiative connects to your reason for reaching out. Avoid attachments or links in this first contact. This first message should be text only with no open tracking. The goal is to start a conversation, not close a deal or book a call.

The follow-up message builds on established context. When prospects respond, reference your previous exchange naturally. Maintain the same professional tone and writing style for consistency. Your response should advance the conversation by providing additional value - whether that's relevant information, insights, or resources. Include a clear next step that feels natural to the conversation flow. At this point you can add links and firm up the next step, whether that is a call or simply further information.

This progressive approach serves multiple purposes. First, it filters for engaged prospects who are genuinely interested in dialogue. Second, it establishes credibility through multiple touchpoints. Third, it makes the eventual call-to-action feel like a natural part of an ongoing professional conversation rather than a cold pitch that can be annoying to recipients.

Landing Page

Star Blizzard's approach to landing pages shows how personalization drives engagement. They customized each page to match their target's context. For legitimate business use, this means creating landing pages that reflect your prospect's environment. Pre-fill company information, display relevant case studies, and customize demo environments with their branding. This continuation of context from email to landing page creates a coherent experience that improves conversion.

Conclusion

The analysis of Star Blizzard's methods reveals a crucial truth about email engagement: success comes from precision, not volume. While their objectives were malicious, their methodology demonstrates that thorough research, careful preparation, and progressive engagement drive response rates.

For legitimate business outreach, the lessons are clear. Invest time in understanding your prospects. Build reliable infrastructure that supports deliverability. Create personalized engagement sequences that respect professional boundaries. Focus on establishing genuine connections rather than rushing to close deals.

Remember: The goal isn't to replicate their tactics, but to understand how methodical preparation and precise execution can improve legitimate business communication. When you combine thorough research with systematic engagement, you create email campaigns that resonate with decision-makers and drive meaningful business conversations.
