Microsoft has issued a security advisory about a new Russia-linked hacking group dubbed Midnight Blizzard. The threat actors used Microsoft Teams chat to launch social engineering campaigns (which started in late May) that affected dozens of organizations.
According to the Microsoft threat intelligence team, the hackers (known as APT29) pretend to be technical support staff to compromise Microsoft 365 accounts. They used Microsoft Teams messages to send lures to manipulate users into approving multi-factor authentication (MFA) prompts. For instance, malicious actors attempted to trick the victims to enter a code into the Authenticator app on their mobile devices.
“To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant,” Microsoft explained.
Once hacked, the hacking group performed a series of post-compromise activities, including exfiltrating sensitive information from the Microsoft 365 tenant. The hackers also used Microsoft Entra ID (formerly Azure Active Directory) to add a device to the organization as a managed device. The researchers found that the group has been using various techniques such as password spray, brute force, and authentication spear phishing.
The Microsoft threat intelligence team has traced a “surgical cyberespionage operation” against 40 organizations based in the U.S. and Europe. The attacks target customers in the government, IT services, technology, manufacturing, and media sectors.
Microsoft takes steps to block Microsoft Teams phishing attacks
In response to the attacks, Microsoft has blocked malicious domains and notified the impacted businesses to secure their environments. Moreover, the company detailed a couple of security best practices to prevent similar attacks in the future.
Microsoft urges customers to use Conditional Access policies to provide secure access to both employees and external users. It’s also recommended to use phishing-resistant authentication methods to protect sensitive information in enterprise environments. Microsoft notes that IT Pros should enable Microsoft 365 auditing to investigate audit records (if needed).