A threat actor is conducting “highly targeted social engineering attacks” via Microsoft Teams by posing as technical support to breach Microsoft 365 accounts, the Microsoft Threat Intelligence team revealed on Wednesday.
The Russia-based threat actor, identified as Midnight Blizzard (previously known as NOBELIUM), has targeted just under 40 organizations globally so far. According to the Microsoft Threat Intelligence team, the ongoing campaign may have “specific espionage objectives.”
Using previously compromised Microsoft 365 tenants, Midnight Blizzard creates domains that appear to be technical support entities.
“Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multi-factor authentication (MFA) prompts,” the Microsoft Threat Intelligence team said in a blog post.
Microsoft has blocked the threat actor from using fake technical support domains and informed targeted organizations about the attacks. Meanwhile, the Microsoft Threat Intelligence team continues to investigate the attack and is working to remediate its effects.
Midnight Blizzard’s Credential Phishing Attack
Midnight Blizzard has been engaging in malicious activity tracing back to at least early 2018.
The latest credential phishing attack via Microsoft Teams has been observed since late May 2023. The attack also follows a specific pattern — utilizing compromised Microsoft 365 tenants owned by small businesses and employing Teams to send phishing lures to targets for credential theft.
Midnight Blizzard uses security-themed or product-name-themed subdomains to add legitimacy to its phishing messages. The attack follows a three-step process. First, the target receives a Microsoft Teams message request from an external user masquerading as a technical support or security team.
Second, if the target accepts the request, they receive a message urging them to enter a code into the Microsoft Authenticator app on their mobile device. The code is the one displayed by a sign-in attempt the attacker has already started against the victim's account, so entering it approves the attacker's MFA prompt. Third, if the victim complies, the attacker gains access to their Microsoft 365 account and conducts “post-compromise” activities such as information theft and, potentially, registering a device with the organization to circumvent “conditional access policies,” Microsoft added.
Midnight Blizzard has targeted various organizations in the ongoing campaign, including government and non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media organizations.
According to the Microsoft Threat Intelligence team, Midnight Blizzard uses various “token theft techniques” to breach a targeted organization. The threat actor also uses “authentication spear-phishing, password spray, brute force, and other credential attacks.”
Midnight Blizzard has been linked to the Foreign Intelligence Service of the Russian Federation (SVR). This threat actor is tracked under different names by other security researchers, including APT29, UNC2452, and Cozy Bear. Cozy Bear is suspected of being behind the SolarWinds supply-chain breach disclosed in 2020.
Protecting Your Microsoft Accounts From Phishing Attacks
This is not the first time researchers have found threat actors attempting to compromise Microsoft 365 accounts by luring targets into approving multi-factor authentication requests. In February 2022, cybersecurity firm GoSecure reported that threat actors were breaching Microsoft 365 accounts by exploiting MFA fatigue, bombarding users with push prompts until one was approved.
To mitigate the risk of this threat, Microsoft outlined a list of recommendations, including deploying phishing-resistant authentication, educating users about social engineering, and monitoring sign-in activities.
Microsoft highlighted particular subdomains linked to malicious activities. These domains include msftprotection.onmicrosoft.com, identityVerification.onmicrosoft.com, among others.
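The two recommendations above that an operations team can act on immediately are monitoring sign-in activity and watching for the named tenant domains. The following script is an added example, not code from Microsoft or from the original article: it flags external Teams chat requests whose sender domain is one of the two subdomains listed on this page or, as a heuristic that is this example's own assumption, any other external *.onmicrosoft.com tenant whose name mimics a security or support team, and then raises the severity when the recipient completed an MFA sign-in shortly afterwards. The record shapes are simplified stand-ins for Teams audit and Entra sign-in records, and every sample row is constructed.

```python
"""Correlate lure-themed external Teams requests with follow-up MFA sign-ins.

Added example. The two known-bad domains come from the article; the keyword
heuristic, the record layout and all sample rows are assumptions of this
example, not published detection content.
"""
from datetime import datetime, timedelta
import re
from typing import Optional

# Tenant domains the article lists as linked to this activity. Domains are
# case-insensitive, so everything is compared in lower case.
KNOWN_BAD_DOMAINS = {
    "msftprotection.onmicrosoft.com",
    "identityverification.onmicrosoft.com",
}

# Heuristic (assumption of this example): external *.onmicrosoft.com tenants
# whose label reads like a security, identity or support function.
LURE_WORDS = re.compile(r"protect|secur|identit|verif|mfa|auth|support|helpdesk", re.I)
ONMICROSOFT = re.compile(r"^[a-z0-9-]+\.onmicrosoft\.com$", re.I)


def classify_external_domain(domain: str) -> Optional[str]:
    """Return 'known-ioc', 'lure-themed-tenant', or None for an external sender domain."""
    d = domain.strip().lower()
    if d in KNOWN_BAD_DOMAINS:
        return "known-ioc"
    if ONMICROSOFT.match(d) and LURE_WORDS.search(d.split(".")[0]):
        return "lure-themed-tenant"
    return None


def correlate(teams_events, signins, window=timedelta(minutes=30)):
    """Produce one alert per suspicious external Teams request.

    teams_events: dicts with 'time', 'recipient', 'sender_domain'
    signins:      dicts with 'time', 'user', 'mfa_result', 'ip'
    Severity is 'high' when the recipient completed MFA within `window`
    after the request, which is the sequence the lure is designed to cause.
    """
    alerts = []
    for ev in teams_events:
        verdict = classify_external_domain(ev["sender_domain"])
        if verdict is None:
            continue
        followups = [
            s for s in signins
            if s["user"].lower() == ev["recipient"].lower()
            and s["mfa_result"] == "success"
            and ev["time"] <= s["time"] <= ev["time"] + window
        ]
        alerts.append({
            "recipient": ev["recipient"],
            "sender_domain": ev["sender_domain"],
            "verdict": verdict,
            "severity": "high" if followups else "medium",
            "followup_ips": [s["ip"] for s in followups],
        })
    return alerts


# Constructed sample data (not real log records).
T0 = datetime(2023, 6, 1, 9, 0, 0)
TEAMS_EVENTS = [
    {"time": T0, "recipient": "alice@example.org",
     "sender_domain": "IdentityVerification.onmicrosoft.com"},   # listed IOC, mixed case
    {"time": T0 + timedelta(hours=2), "recipient": "bob@example.org",
     "sender_domain": "securityhelpdesk42.onmicrosoft.com"},     # heuristic match
    {"time": T0 + timedelta(hours=3), "recipient": "carol@example.org",
     "sender_domain": "contoso.com"},                             # ordinary partner
]
SIGNINS = [
    {"time": T0 + timedelta(minutes=7), "user": "alice@example.org",
     "mfa_result": "success", "ip": "203.0.113.10"},              # inside window
    {"time": T0 + timedelta(hours=4), "user": "bob@example.org",
     "mfa_result": "success", "ip": "198.51.100.5"},              # outside window
]


def run_sample():
    return correlate(TEAMS_EVENTS, SIGNINS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The keyword list will produce false positives for legitimate partner tenants with names like "supportco", so treat the heuristic verdict as a hunting lead and the known-IOC verdict as the actionable one; a static domain list also ages quickly, which is why the monitoring should complement, not replace, restricting which external domains may message your users in the first place.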
To protect your Microsoft Teams account and data from cybercriminals, we recommend using a strong and unique password and enabling MFA. Note that this campaign succeeds precisely by talking a user into approving an MFA prompt, so MFA alone, including Microsoft Authenticator, does not stop it; where possible, use the phishing-resistant methods Microsoft recommends, such as FIDO2 security keys or Windows Hello for Business, which cannot be approved by relaying a code. Also, be careful of messages or requests from external users, verify that anyone claiming to be technical support or a security team is who they say they are through a channel you already trust before accepting their request, and report any phishing messages.
