French presidential frontrunner Emmanuel Macron has qualified for next month’s runoff election, but a Russian government-linked group seems to eager to slow down the campaign’s progress.

The group created phishing domains related to the campaign

According to research from cybersecurity firm Trend Micro, members of the hacking team known as Fancy Bear — called Pawn Storm by the report’s author — created phishing domains related to the Macron campaign, such as “onedrive-en-marche.fr,” plausibly similar to En Marche!, Macron’s political party. The domains were spotted by the researchers as they were created by the group, which likely used them in an attempt to steal credentials and hack the Macron campaign.

“Pawn Storm is known to prepare their credential phishing attacks well,” the report’s researcher, Feike Hacquebord, wrote in an email to The Verge.

The Macron campaign’s digital director confirmed to the Wall Street Journal that phishing attempts were used against the campaign, and said measures were taken to block emails leading to the fake domains. The campaign has previously made allegations that Russia was launching hacking campaigns against Macron staff.

The first round of the French election, in which all candidates are given as choices, was held on Sunday. Macron edged out the far-right candidate Marine Le Pen and is now expected to win a runoff election between the two. Le Pen, a staunch EU critic, has suggested France make a closer alignment with Russia.

Fancy Bear was infamously linked to hacks during the 2016 US presidential election, as emails from Hillary Clinton Campaign Chair John Podesta and the Democratic National Committee were released and later tied to interference from the group, which the US government has alleged is back by the Russian government.