Phishing Attack Unveiled: Microsoft Teams Exposed Russian Hackers by Checking Chats

Microsoft revealed today that it had identified a series of highly targeted social engineering attacks by a Russian nation-state threat actor. These attacks involved phishing tactics sent through Microsoft Teams chats to steal credentials from targeted organizations. 

Midnight Blizzard (APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes) is the group behind these attacks.

Threat actors and their evolving tactics

In these recent attacks, the threat actor used previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appeared to belong to technical support entities. From those tenants they sent Teams messages to engage targeted users and prompt them to approve multi-factor authentication (MFA) prompts, attempting to steal their credentials.

The campaign has affected fewer than 40 organizations globally, spanning sectors such as government, NGOs, IT services, technology, manufacturing, and media.

Midnight Blizzard has been observed using:

  • token theft techniques for initial access to targeted environments, along with authentication spear-phishing, password spray, and brute-force attacks;
  • compromised on-premises environments as a foothold to move laterally into the cloud, and service providers’ trust chains to gain access to downstream customers.

Source: Microsoft

  • In these new attacks, the threat actor adds a new onmicrosoft.com subdomain to a previously compromised tenant.
  • It then creates a new user to initiate Teams chat requests, posing as technical support or Microsoft’s Identity Protection team.

A Microsoft Teams prompt with code and instructions.

  • If the target accepts the message request, they receive a Microsoft Teams message convincing them to enter a code into the Microsoft Authenticator app on their mobile device. 
  • Following these instructions grants the threat actor a token to authenticate as the targeted user, leading to account takeover and post-compromise activities.
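The chain above starts with an external Teams chat request from a lookalike onmicrosoft.com tenant. As an added example (not from the article or from Microsoft), the check below triages such requests on the defender's side: it assumes a simplified record shape with the sender's UPN and display name, a constructed allow list of partner domains, and flags the traits described in the text.

```python
import re
from dataclasses import dataclass

# Constructed record of an inbound external Teams chat request.
# This is an assumed shape for illustration, not a real Teams log format.
@dataclass
class ChatRequest:
    sender: str        # UPN of the external sender
    display_name: str  # name shown to the target in the chat request

# External tenants this organization legitimately chats with (assumed).
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}

# Terms the campaign used to pose as support or Microsoft's Identity Protection team.
IMPERSONATION_TERMS = re.compile(
    r"(microsoft|identity ?protection|tech(nical)? ?support|help ?desk)",
    re.IGNORECASE,
)


def domain_of(upn: str) -> str:
    """Return the lowercase domain part of a UPN such as user@tenant.onmicrosoft.com."""
    return upn.rsplit("@", 1)[-1].lower()


def assess(req: ChatRequest) -> list[str]:
    """Return the reasons an external chat request deserves review (empty list = clean)."""
    reasons: list[str] = []
    dom = domain_of(req.sender)
    if dom in ALLOWED_EXTERNAL_DOMAINS:
        return reasons
    reasons.append("external domain not on allow list")
    # A bare *.onmicrosoft.com sender means the other tenant is chatting from its
    # default domain rather than a verified vanity domain, as in these attacks.
    if dom.endswith(".onmicrosoft.com"):
        reasons.append("sender uses a default onmicrosoft.com tenant domain")
    tenant_label = dom.split(".")[0]
    if IMPERSONATION_TERMS.search(req.display_name) or IMPERSONATION_TERMS.search(tenant_label):
        reasons.append("sender name or tenant label impersonates Microsoft or a support team")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests: one lookalike, one vendor, one known partner.
    samples = [
        ChatRequest("agent@msftprotection.onmicrosoft.com", "Microsoft Identity Protection"),
        ChatRequest("bob@vendor.example", "Bob"),
        ChatRequest("jane@partner.example", "Jane Doe"),
    ]
    for s in samples:
        print(s.sender, "->", assess(s) or ["no findings"])
```

Requests with any finding are good candidates for a Teams external-access allow list review rather than automatic blocking, since legitimate partners may also use default tenant domains.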

What’s the takeaway?

These attacks highlight the need for organizations to protect their credentials and adopt robust security measures to defend against such sophisticated threats. Maintaining goodwill in the market is essential for every organization’s continued business, and that requires making security practices part of strategic planning.

Author: PureVPN

Date: August 4, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secured.