Microsoft revealed on Wednesday that it has detected a series of highly targeted social engineering attacks, carried out by a Russia-linked state-associated threat actor, that use Microsoft Teams chats as the delivery channel for phishing lures designed to steal credentials.
The company attributes these attacks to a group it tracks as Midnight Blizzard (formerly Nobelium). The group is also known as APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes.
“In these recent operations, the cybercriminal utilizes previously infiltrated Microsoft 365 accounts owned by small businesses to establish new domains that masquerade as technical support entities,” announced the company.
“Through these domains from compromised tenants, Midnight Blizzard manipulates Teams messages to dispatch lures that aim to filch credentials from a targeted organization by involving a user and provoking the approval of multi-factor authentication (MFA) prompts.”
Microsoft reported that the campaign, observed since at least late May 2023, has affected fewer than 40 organizations globally across the government, non-governmental organization (NGO), IT services, technology, manufacturing, and media sectors.
The threat actor has been observed using token theft techniques for initial access, alongside other methods such as authentication spear-phishing, password spraying, and brute-force attacks.
Another distinctive trait is its use of compromised on-premises environments to move laterally into the cloud, as well as its abuse of service providers’ trust chains to reach downstream customers, as seen in the SolarWinds compromise of 2020.
In this latest wave of attacks linked to Midnight Blizzard, a new onmicrosoft.com subdomain is added to a tenant that was compromised in earlier attacks. A new user is then created under that subdomain and used to send a Teams chat invitation to potential targets while impersonating a technical support person or a member of Microsoft’s Identity Protection team.
“If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to persuade them to enter a code into the Microsoft Authenticator app on their mobile device,” Microsoft elaborated.
If the victim follows these instructions, the threat actor obtains a token to authenticate as the targeted user, enabling account takeover and subsequent post-compromise activity.
“In some instances, the actor tries to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), probably in an attempt to bypass conditional access policies set to limit access to specific resources to managed devices only,” Microsoft warned.
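The sequence described above (a new onmicrosoft.com domain added to a compromised tenant, a lure-sending user created under it, an MFA approval coerced from the target, and a device then registered to sidestep conditional access) leaves traces in tenant audit and sign-in logs. The following is an added detection sketch, not Microsoft's code or guidance: it runs two checks over constructed, simplified log records. The field names, activity strings, domains, users and IP addresses are all assumptions chosen for illustration, and a real deployment would map them onto the actual Entra ID audit and sign-in log schemas.

```python
"""Detection sketch for the Teams-lure account-takeover pattern (added example).

Check 1: a *.onmicrosoft.com domain is added to a tenant and a user in that
         domain is created shortly afterwards (the lure-sender setup).
Check 2: a user registers a device shortly after an MFA-approved sign-in from
         an IP address never seen for that user before (a possible attempt to
         satisfy device-based conditional access after a coerced MFA approval).
All records below are constructed sample data in a simplified log shape.
"""
from datetime import datetime, timedelta

# Constructed audit-log-style events (simplified shape; not real log data).
AUDIT_EVENTS = [
    {"time": "2023-06-01T09:00:00", "activity": "Add verified domain",
     "actor": "admin@smb-tenant.example",
     "target": "identity-support-example.onmicrosoft.com"},
    {"time": "2023-06-01T09:12:00", "activity": "Add user",
     "actor": "admin@smb-tenant.example",
     "target": "helpdesk@identity-support-example.onmicrosoft.com"},
    # Benign control: a custom domain plus a user created two days later.
    {"time": "2023-06-01T10:00:00", "activity": "Add verified domain",
     "actor": "it@fabrikam.example", "target": "fabrikam-sales.example"},
    {"time": "2023-06-03T14:00:00", "activity": "Add user",
     "actor": "it@fabrikam.example", "target": "newhire@fabrikam-sales.example"},
    # Device registration by a user in the targeted tenant.
    {"time": "2023-06-02T11:30:00", "activity": "Register device",
     "actor": "alice@target.example", "target": "DESKTOP-UNKNOWN"},
]

# Constructed sign-in-log-style events (simplified shape).
SIGNIN_EVENTS = [
    {"time": "2023-05-20T08:00:00", "user": "alice@target.example",
     "ip": "198.51.100.4", "mfa": "approved", "result": "success"},
    {"time": "2023-06-02T11:05:00", "user": "alice@target.example",
     "ip": "203.0.113.7", "mfa": "approved", "result": "success"},
]

# Assumed baseline of IPs previously seen per user (would come from history).
KNOWN_IPS = {"alice@target.example": {"198.51.100.4"}}


def parse(ts):
    return datetime.fromisoformat(ts)


def lure_sender_pattern(events, window=timedelta(hours=24)):
    """Return (domain, user) pairs where a *.onmicrosoft.com domain was added
    and a user in that domain was created within `window` afterwards."""
    hits = []
    for d in events:
        if d["activity"] != "Add verified domain":
            continue
        if not d["target"].lower().endswith(".onmicrosoft.com"):
            continue
        t0 = parse(d["time"])
        suffix = "@" + d["target"].lower()
        for u in events:
            if u["activity"] != "Add user" or not u["target"].lower().endswith(suffix):
                continue
            delta = parse(u["time"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append((d["target"], u["target"]))
    return hits


def device_after_new_location_mfa(signins, audit, known_ips, window=timedelta(hours=2)):
    """Return (user, ip, device) triples where a device was registered within
    `window` of an MFA-approved sign-in from an IP not in the user's baseline."""
    hits = []
    for reg in (e for e in audit if e["activity"] == "Register device"):
        user, t_reg = reg["actor"], parse(reg["time"])
        for s in signins:
            if s["user"] != user or s["result"] != "success" or s["mfa"] != "approved":
                continue
            if s["ip"] in known_ips.get(user, set()):
                continue
            delta = t_reg - parse(s["time"])
            if timedelta(0) <= delta <= window:
                hits.append((user, s["ip"], reg["target"]))
                break
    return hits


if __name__ == "__main__":
    for domain, user in lure_sender_pattern(AUDIT_EVENTS):
        print(f"[lure-sender] domain {domain} added, user {user} created soon after")
    for user, ip, device in device_after_new_location_mfa(SIGNIN_EVENTS, AUDIT_EVENTS, KNOWN_IPS):
        print(f"[device-reg] {user} registered {device} shortly after MFA sign-in from new IP {ip}")
```

Both checks are heuristics with a time window rather than exact matches, so they are meant to raise a triage alert, not to block on their own; the benign control records in the sample show that a custom domain followed by a user created days later does not fire. The second check pairs the device registration with the sign-in that preceded it, which is the order an attacker holding a freshly obtained token would follow.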
These findings come just days after the same actor was linked to phishing attacks on diplomatic entities across Eastern Europe aimed at deploying a new backdoor named GraphicalProton.
They also follow the disclosure of several new Azure AD (AAD) Connect attack paths that could let malicious actors create a hard-to-detect backdoor, steal cryptographic password hashes by injecting malicious code into the hash synchronization process, and intercept credentials through an adversary-in-the-middle (AitM) attack.