How Russia-linked hackers launched their latest attack using Microsoft Teams
The group has been observed targeting dozens of organizations worldwide


Security researchers at Microsoft have issued a warning over a Russia-linked hacker group that has targeted dozens of organizations in a sophisticated phishing campaign leveraging Microsoft Teams.
In an advisory published on Wednesday, the researchers described a series of “highly targeted social engineering attacks” that used credential-theft phishing lures sent as Microsoft Teams chat messages.
The group, which Microsoft said is linked to Russian intelligence services, was identified as ‘Midnight Blizzard’, previously known as Nobelium. The group’s activities can be traced back as early as 2018, the firm said.
Microsoft warned that the latest wave of attacks highlights the group’s aggressive activity, which relies on “both new and common techniques”.
Exploiting Microsoft Teams for phishing attacks
In its advisory, Microsoft said the group focused specifically on Microsoft Teams, operating from Microsoft 365 tenants it had compromised in earlier attacks.
From those tenants the attackers created new onmicrosoft.com subdomains that “appear as technical support entities” and used them to contact potential victims.
These subdomains used “security-themed or product name-themed keywords” and were designed to lend legitimacy to the messages directed at targets.
Examples of compromised subdomains cited by Microsoft included:
“To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack,” researchers said.
“The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant.”
These domains were then used in a social engineering scheme that harnessed the Teams chat function to send phishing messages designed to steal login credentials and trick users into satisfying multi-factor authentication (MFA) prompts.
In one example message directed at a target, Microsoft found that the attackers attempted to dupe users into entering a number into the Microsoft Authenticator app on their mobile devices, the same action a legitimate number-matching MFA prompt asks for.
“We detected a recent change applied to your preferred Multi-Factor Authentication (MFA) methods. For your security and to ensure only you have access to your account, we will ask you to verify your identity. Open your authenticator app, and enter the number: 81,” the message read.
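The two observable traits described above, an external sender from a themed onmicrosoft.com subdomain and a chat body that walks the recipient through an authenticator number, can be turned into a triage rule over Teams chat records. The script below is an added example for this article, not code from Microsoft or its advisory; the keyword list, the message schema and the sample chats are constructed for illustration (the first sample body is the lure quoted above).

```python
import re
from dataclasses import dataclass

# Keywords of the kind Microsoft describes the actor using in its
# security- or product-themed onmicrosoft.com subdomains. The list is an
# assumption for this example, not Microsoft's published set.
THEMED_KEYWORDS = ("security", "protection", "identity", "verification",
                   "support", "helpdesk", "microsoft", "msft", "teams", "azure")

# Shape of the number-matching lure quoted in the advisory: an MFA/authenticator
# reference followed, within a short distance, by an instruction to enter a number.
MFA_LURE = re.compile(
    r"(authenticator|multi-?factor|mfa).{0,120}?\b(enter|type)\b.{0,40}?\b\d{1,3}\b",
    re.IGNORECASE | re.DOTALL,
)

@dataclass
class TeamsMessage:
    sender: str        # UPN of the sending account (assumed field, e.g. from audit export)
    is_external: bool  # Teams marks chats from other tenants as external
    body: str

def sender_domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()

def themed_onmicrosoft_domain(domain: str) -> bool:
    """True for <label>.onmicrosoft.com where <label> carries a themed keyword.
    A company's own initial domain such as contoso.onmicrosoft.com does not match."""
    m = re.fullmatch(r"([a-z0-9-]+)\.onmicrosoft\.com", domain.lower())
    return bool(m) and any(k in m.group(1) for k in THEMED_KEYWORDS)

def score(msg: TeamsMessage) -> list[str]:
    """Return the reasons a message resembles the Teams lure described in the advisory."""
    reasons = []
    if msg.is_external and themed_onmicrosoft_domain(sender_domain(msg.sender)):
        reasons.append("external sender from a themed onmicrosoft.com subdomain")
    if MFA_LURE.search(msg.body):
        reasons.append("message asks the recipient to enter an MFA number")
    return reasons

def triage(messages):
    """Return (sender, reasons) for every message with at least one reason."""
    return [(m.sender, score(m)) for m in messages if score(m)]

# Constructed sample chats (not real data); the first body is the advisory's quoted lure.
SAMPLE_MESSAGES = [
    TeamsMessage("helpdesk@msftsecuritysupport.onmicrosoft.com", True,
                 "We detected a recent change applied to your preferred Multi-Factor "
                 "Authentication (MFA) methods. For your security and to ensure only you "
                 "have access to your account, we will ask you to verify your identity. "
                 "Open your authenticator app, and enter the number: 81"),
    TeamsMessage("alice@contoso.com", False, "Can you review my pull request before 5?"),
    TeamsMessage("bob@fabrikam.com", True, "Moving our sync to 3pm, same link."),
    TeamsMessage("it@partnerco.onmicrosoft.com", True,
                 "Your MFA is being reset, please enter 42 in your authenticator app."),
]

if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_MESSAGES):
        print(sender, "->", "; ".join(reasons))
```

The domain check alone is a weak signal, since any small business can legitimately own an onmicrosoft.com initial domain, so the rule reports the two traits separately and leaves the decision to the analyst; a hit on both is the pattern the advisory describes.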
Microsoft said this latest campaign bears similarities to previous attacks waged by Midnight Blizzard. The group has been observed “regularly utilizing token theft techniques for initial access into targeted environments”.
The group has also been observed employing authentication spear phishing, password spray, brute force, and other credential-related attacks.
“The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.”
Limited impact
Microsoft’s investigation of the phishing campaign found that it has affected “fewer than 40 unique global organizations” but gave no additional information on who these victims were other than the sectors they operated in.
This included organizations operating in the government, IT services, technology, manufacturing, and media sectors.
Given the sectors in which these organizations operated, the researchers said the campaign reflects “specific espionage objectives” assigned to the group.
In its response to the attacks, Microsoft said it has since prevented the group from using the compromised domains but advised organizations to remain vigilant and employ a number of practices to reduce future threats.
This includes deploying “phishing-resistant” authentication methods for users and implementing Conditional Access policies that require phishing-resistant authentication for “employees and external users for critical apps”.
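What that recommendation looks like as configuration, and how to tell a policy that merely requires “MFA” from one that requires phishing-resistant MFA, is shown in the added example below. It is not code from Microsoft or from this article: it builds the Microsoft Graph request body for a Conditional Access policy and audits an exported policy. The authentication strength GUID is assumed to be the built-in “Phishing-resistant MFA” strength and should be confirmed in your tenant (for instance with Get-MgPolicyAuthenticationStrengthPolicy), and the application ID is a placeholder.

```python
import json

# Built-in Microsoft Entra authentication strength "Phishing-resistant MFA".
# The GUID is an assumption for this example; confirm it in your tenant before deploying.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

def build_policy(app_ids, break_glass_ids=(), enforce=False,
                 display_name="Require phishing-resistant MFA for critical apps"):
    """Graph API body for a Conditional Access policy that requires phishing-resistant
    MFA for all users, guests included, on the listed applications."""
    return {
        "displayName": display_name,
        # Start in report-only mode; switch to "enabled" once sign-in logs look right.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],                # "All" covers guest and external users
                "excludeUsers": list(break_glass_ids),  # emergency-access accounts
            },
            "applications": {"includeApplications": list(app_ids)},
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }

# The weaker pattern: any registered MFA method satisfies the policy, so a
# push or number-matching prompt that the Teams lure talks the user through is enough.
WEAK_POLICY = {
    "displayName": "Require MFA for critical apps",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["11111111-2222-3333-4444-555555555555"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def audit_policy(policy, app_id):
    """Findings explaining why a policy does not enforce phishing-resistant MFA for app_id."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not enforced")
    conds = policy.get("conditions", {})
    apps = conds.get("applications", {}).get("includeApplications", [])
    if app_id not in apps and "All" not in apps:
        findings.append(f"app {app_id} is not in scope")
    if "All" not in conds.get("users", {}).get("includeUsers", []):
        findings.append("not all users included; external users may be out of scope")
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    if strength.get("id") != PHISHING_RESISTANT_MFA:
        findings.append("grant control does not require the phishing-resistant MFA strength")
    return findings

if __name__ == "__main__":
    app = "11111111-2222-3333-4444-555555555555"  # placeholder application ID
    print(json.dumps(build_policy([app], enforce=True), indent=2))
    print("weak policy findings:", audit_policy(WEAK_POLICY, app))
```

The audit deliberately treats a report-only policy as a finding: a policy in enabledForReportingButNotEnforced mode produces sign-in log entries but does not block the attacker's sign-in, so the check only passes once the policy is enabled.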

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.