How Russia-linked hackers launched their latest attack using Microsoft Teams

Image: The Microsoft Teams logo on a smartphone (Image credit: Getty Images)

Security researchers at Microsoft have issued a warning over a Russia-linked hacker group that has targeted dozens of organizations in a sophisticated phishing campaign leveraging Microsoft Teams. 

In an advisory published on Wednesday, researchers detailed a series of “highly targeted social engineering attacks” that used credential theft phishing lures sent as Microsoft Teams chat messages. 

The group, which Microsoft said is linked to Russian intelligence services, was identified as ‘Midnight Blizzard’, previously known as Nobelium. The group’s activities can be traced back as early as 2018, the firm said. 

Microsoft warned that the latest wave of attacks highlights the group’s aggressive activity using “both new and common techniques”.

Exploiting Microsoft Teams for phishing attacks

In its advisory, Microsoft said that the threat actor group focused specifically on Microsoft Teams using previously compromised Microsoft 365 accounts. 

This allowed attackers to create new onmicrosoft.com subdomains that “appear as technical support entities” and enabled them to contact potential victims. 

These subdomains used “security-themed or product name-themed keywords” and were designed to lend legitimacy to the messages directed at targets. 

Examples of compromised subdomains cited by Microsoft included: 

“To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack,” researchers said.

“The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant.”

These malicious domains were thereafter used in a sophisticated social engineering scheme that harnessed the Teams chat function to send phishing messages designed to steal login and multi-factor authentication (MFA) credentials. 


In an example of a message directed at a target, Microsoft found that the attackers attempted to dupe users into entering a code in the Microsoft Authenticator app on their mobile devices. 

“We detected a recent change applied to your preferred Multi-Factor Authentication (MFA) methods. For your security and to ensure only you have access to your account, we will ask you to verify your identity. Open your authenticator app, and enter the number: 81,” the message read. 
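The two traits described above, a sender in a renamed onmicrosoft.com tenant with a security- or product-themed label, and a chat body that asks the recipient to type a number into Microsoft Authenticator, can be turned into a simple triage check over Teams chat records. This is an added illustration, not code from Microsoft's advisory; the record shape, keyword list and sample chats are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Keyword families the advisory says appeared in the actor's renamed
# onmicrosoft.com subdomains (security-themed or product-name-themed).
# The exact list is an assumption, tune it to your own tenant's contacts.
SUSPICIOUS_SUBDOMAIN_TERMS = (
    "security", "protection", "identity", "helpdesk", "support",
    "mfa", "microsoft", "teams", "365", "azure",
)
# The lure asks the target to enter a number into Microsoft Authenticator.
MFA_NUMBER_LURE = re.compile(
    r"(authenticator|multi-?factor|\bmfa\b).{0,200}?enter the number[:\s]*\d{1,3}",
    re.IGNORECASE | re.DOTALL,
)

@dataclass
class TeamsChat:
    sender: str      # UPN of the sending account
    external: bool   # sender belongs to a tenant other than the recipient's
    body: str

def onmicrosoft_subdomain(upn: str) -> Optional[str]:
    """Return the tenant label when the sender uses a *.onmicrosoft.com address."""
    domain = upn.rsplit("@", 1)[-1].lower()
    suffix = ".onmicrosoft.com"
    return domain[:-len(suffix)] if domain.endswith(suffix) else None

def triage(chat: TeamsChat) -> List[str]:
    """Return the reasons a chat resembles the Teams lure (empty when none apply)."""
    reasons: List[str] = []
    label = onmicrosoft_subdomain(chat.sender)
    if chat.external and label and any(t in label for t in SUSPICIOUS_SUBDOMAIN_TERMS):
        reasons.append(f"external onmicrosoft.com tenant with themed label: {label}")
    if MFA_NUMBER_LURE.search(chat.body):
        reasons.append("message asks the recipient to enter an MFA number")
    return reasons

# Constructed sample chats; the first mirrors the lure quoted in the article.
SAMPLE_CHATS = [
    TeamsChat("helpdesk@msftprotection.onmicrosoft.com", True,
              "We detected a recent change applied to your preferred Multi-Factor "
              "Authentication (MFA) methods. Open your authenticator app, and enter the number: 81"),
    TeamsChat("alice@contoso.com", False, "Can you join the 3pm sync?"),
    TeamsChat("jane@acme-partner.onmicrosoft.com", True, "Sending over the revised contract."),
]

def run_triage(chats: List[TeamsChat] = SAMPLE_CHATS) -> Dict[str, List[str]]:
    """Map each sender to its triage reasons so a SOC can sort the noisy from the suspect."""
    return {c.sender: triage(c) for c in chats}

if __name__ == "__main__":
    for sender, reasons in run_triage().items():
        print(sender, "->", reasons or "no findings")
```

A chat that trips both checks is the strongest signal; a themed label alone is weak on its own because many legitimate small businesses send from onmicrosoft.com addresses.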

Microsoft said this latest campaign bears similarities to previous attacks waged by Midnight Blizzard. The group has been observed “regularly utilizing token theft techniques for initial access into targeted environments”. 

The group has also been observed employing authentication spear phishing, password spray, brute force, and other credential-related attacks. 

“The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.”

Limited impact

Microsoft’s investigation of the phishing campaign found that it has affected “fewer than 40 unique global organizations” but gave no additional information on who these victims were other than the sectors they operated in. 

This included organizations operating in the government, IT services, technology, manufacturing, and media sectors. 

However, given the sectors in which these organizations operated, researchers said the campaign pointed to “specific espionage objectives” assigned to the group. 

In its response to the attacks, Microsoft said it has since prevented the group from using the compromised domains but advised organizations to remain vigilant and employ a number of practices to reduce future threats. 

This includes deploying “phishing-resistant” authentication methods for users and implementing Conditional Access authentication that requires phishing-resistant authentication for “employees and external users for critical apps”. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
