Microsoft: Russia-backed Attackers Target Microsoft Teams Users

Microsoft on Wednesday said Russian government-backed cyber attackers known as Midnight Blizzard (also known as NOBELIUM or APT29) are targeting users of the Teams application through authentic-looking chat requests appearing as technical support staff.

The messages are an attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts, Microsoft Threat Intelligence warned in a blog post. Hackers used compromised Microsoft 365 accounts owned by small businesses to make new domains that appear to be technical support entities.

“This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques,” according to the blog post.

The investigation found fewer than 40 unique global organizations were affected by the latest attack campaign. Microsoft said Midnight Blizzard is targeting government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. “Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack.”

Midnight Blizzard (NOBELIUM) is a Russia-based threat actor the US and UK governments say are working with the Foreign Intelligence Service of the Russian Federation (known as SVR). The group’s efforts to collect intelligence for espionage efforts started in 2018.

Midnight Blizzard’s Cold Call Tactics Explained

Microsoft said there are three steps to the attack. First, a user receives a Teams request to chat from a user masquerading as technical support or security team member of the organization.

If the user accepts the message, a Teams message will follow attempting to convince them to enter a code into the Microsoft Authenticator app on a mobile device. Once the targeted user accepts the message request and enters the code into the app, the attackers are granted a token to authenticate as the targeted user and will gain access to the user’s Microsoft 365 account.

Microsoft lists several recommendations to reduce the risk of attack, including deploying phishing-resistant authentication methods, implementing conditional access authentication strength, specifying trusted Microsoft 365 organizations and more. (The complete list of recommendations can be viewed at the bottom of Microsoft’s blog post).

According to the company, there are more than 280 million active Teams users globally.

What to Read Next:

Cyber Espionage Attack Targets Microsoft Email Accounts

NSA Gives Assessment of Cyber Threats from Russia, China, and AI

What Does the National Cybersecurity Strategy Mean for Public and Private Stakeholders?