Authentic Antics

Authentic Antics is a Windows malware family attributed by the UK NCSC to APT28 / GRU Unit 26165. It is designed to obtain persistent access to Microsoft cloud accounts by operating inside the Microsoft Outlook process and blending with legitimate Microsoft authentication activity. The malware displays periodic fake Microsoft login prompts within Outlook to steal Microsoft Office credentials and OAuth 2.0 tokens, enabling unauthorized access to victim email accounts and potentially Exchange Online, SharePoint, and OneDrive depending on tenant configuration.

Observed in 2023, Authentic Antics uses a dropper DLL named Microsoft.Identity64.dll to decrypt and load an in-memory .NET stealer payload named Microsoft.Identity.Client.dll. Persistence is achieved via COM hijacking by replacing the InprocServer32 path for CLSID {1299CF18-C4F5-4B6A-BB0F-2299F0398E27}, which normally points to npmproxy.dll used by Outlook at startup. It limits execution using the registry key HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Counter and stores the most recently stolen refresh token in HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Locale.

The malware includes multiple defense-evasion and anti-analysis measures. It uses heavy string obfuscation, verifies it is running inside outlook.exe, checks for the OutlookGrid window class and the victim identity in the window title, and restores suspected hooked ntdll.dll registry functions from a clean mapped copy. It also hooks IEConfiguration_GetBool in iertutil.dll and uses environmental keying: the embedded stealer payload is AES-256 encrypted with a machine-specific key derived from the MachineGuid in HKLM\Software\Microsoft\Cryptography and the C: drive volume serial number, or the computer name if MachineGuid is absent.

For credential theft, Authentic Antics enumerates Office identity data under HKCU\Software\Microsoft\Office\16.0\Common\Identity\Identities, selects the most recently used account, and targets ADAL-backed identities. It creates a controlled browser window inside Outlook and directs it to login.microsoftonline.com/common/oauth2/authorize using the Microsoft Office client ID d3590ed6-52b3-4102-aeff-aad2292ab01c. It intercepts the browser navigation flow to capture authorization codes, usernames, and passwords, then redeems authorization codes or refresh tokens via HTTPS POST requests to https://login.microsoftonline.com/common/oauth2/token.

Authentic Antics does not rely on traditional command-and-control infrastructure. It communicates only with legitimate services, including Microsoft OAuth endpoints, Outlook web APIs, and http://www.gstatic.com/generate_204 for connectivity checks. Exfiltration is performed by sending stolen credential and token data from the victim's own Outlook account to an actor-controlled email address via https://outlook.office.com/api/v2.0/me/sendMail. The data is gzip-compressed and RSA-2048 encrypted, and the malware sets SaveToSentItems to false so the exfiltration email does not appear in the victim's Sent Items.

High-confidence indicators and artifacts mentioned in the reporting include the filenames Microsoft.Identity64.dll and Microsoft.Identity.Client.dll, the hijacked CLSID {1299CF18-C4F5-4B6A-BB0F-2299F0398E27}, the suspicious registry values under HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Counter and ...\Locale, use of login.microsoftonline.com/common/oauth2/authorize and /common/oauth2/token, the Outlook API endpoint outlook.office.com/api/v2.0/me/sendMail, and the Microsoft Office OAuth client ID d3590ed6-52b3-4102-aeff-aad2292ab01c.