This report aims to shed light on some of Pawn Storm’s attacks that did not use malware in the initial stages. It presents new data on the group’s credential phishing, direct probing of webmail and Microsoft Exchange Autodiscover servers, and large-scale scanning activities to search for vulnerable servers. Among the group’s prominent targets were members of defense companies, embassies, governments, and the military. We will also disclose how we were able to track Pawn Storm’s credential phishing campaigns over the past two years through careful analysis of DNS SPF requests of domain names used to name some of their computer server images.