North Korean state-sponsored group ScarCruft (APT37) is running spear-phishing campaigns that impersonate Microsoft Account security alerts to deliver a remote access trojan called NarwhalRAT. The emails are crafted to alarm recipients about suspicious account activity, prompting them to interact with malicious content. This is a targeted threat with nation-state backing, making it higher risk than typical phishing campaigns.

Security Architect’s Take: Ensure your organisation’s email security controls (DMARC, DKIM, SPF) are enforced and that Microsoft-themed phishing lures are included in user awareness training. Consider deploying conditional access policies that reduce the impact of credential theft, and review endpoint detection coverage for RAT-based payloads on any systems handling sensitive cloud workloads.

Original advisory: Fake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware