Microsoft Reports Russian Hacking Group, Midnight Blizzard, Using Microsoft Teams Phishing Lures for Credential Theft

Microsoft has revealed that Midnight Blizzard, a Russian nation-state threat actor, has been behind a recent spate of highly targeted social engineering attacks. Specifically, the group is using credential theft phishing lures disguised as Microsoft Teams chats. Midnight Blizzard is also known as APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes.

The Russian group is creating new technical-support-themed domain names using previously compromised Microsoft 365 tenants belonging to small businesses. It then uses these domains to target fewer than 40 organizations worldwide, across sectors including government, non-governmental organizations, IT services, technology, discrete manufacturing, and media.

To initiate the Teams chat request, the group creates a new user on a subdomain it has previously added to the compromised tenant. The attacker poses as a technical support person or a member of Microsoft's Identity Protection team. The victim is then encouraged to enter a code into the Microsoft Authenticator app on their mobile device. If the victim follows the instructions, the attacker is granted a token to authenticate as the targeted user, enabling a possible account takeover.
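The chain above gives defenders two observable events to join: an external Teams chat invitation from a tenant whose name imitates a vendor support or identity team, followed shortly by an Authenticator number-matching prompt for the same user. The following detector is an added example written for this article, not code from Microsoft or from the original post; the log record format, field names, tenant domains and lure-word list are all constructed assumptions, and a real deployment would map them onto the fields your SIEM actually exports.

```python
"""Added example (not from the article): flag external Microsoft Teams chat
invitations whose sender tenant mimics a vendor support or identity team, then
correlate each one with Authenticator number-matching prompts for the same
user inside a short window. All records and field names are constructed."""
from datetime import datetime, timedelta

# Constructed sample records in an assumed SIEM-export shape (ISO timestamps).
TEAMS_INVITES = [
    {"ts": "2023-08-02T09:14:00", "user": "alice@example.org",
     "sender": "helpdesk@msftsecurityteam.onmicrosoft.com"},   # lookalike tenant
    {"ts": "2023-08-02T10:02:00", "user": "bob@example.org",
     "sender": "pat@partnerfirm.com"},                          # ordinary partner
    {"ts": "2023-08-02T11:30:00", "user": "carol@example.org",
     "sender": "it@identityprotection-desk.onmicrosoft.com"},  # lookalike, no MFA follow-up
]
MFA_PROMPTS = [
    {"ts": "2023-08-02T09:17:30", "user": "alice@example.org", "method": "NumberMatching"},
    {"ts": "2023-08-02T13:00:00", "user": "bob@example.org", "method": "NumberMatching"},
]

# Words an attacker posing as "technical support" or an "identity protection
# team" tends to put in a lookalike tenant name (constructed list; tune locally).
LURE_TERMS = ("microsoft", "msft", "security", "identity", "protection",
              "support", "helpdesk")


def is_lookalike_support_tenant(sender: str, trusted_domains=frozenset()) -> bool:
    """True when the sender's domain is a default *.onmicrosoft.com tenant whose
    label contains a support/identity lure word and is not on the allow-list."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return False
    if not domain.endswith(".onmicrosoft.com"):
        return False
    tenant_label = domain.split(".")[0]
    return any(term in tenant_label for term in LURE_TERMS)


def correlate(invites, prompts, trusted_domains=frozenset(), window_min=30):
    """Return one alert per suspicious invite. Severity is 'high' when the same
    user received a number-matching prompt within window_min minutes after the
    invite (the Authenticator-code step of the lure), otherwise 'medium'."""
    alerts = []
    window = timedelta(minutes=window_min)
    for inv in invites:
        if not is_lookalike_support_tenant(inv["sender"], trusted_domains):
            continue
        t0 = datetime.fromisoformat(inv["ts"])
        matched = None
        for p in prompts:
            if p["user"] != inv["user"] or p["method"] != "NumberMatching":
                continue
            delta = datetime.fromisoformat(p["ts"]) - t0
            if timedelta(0) <= delta <= window:
                matched = p["ts"]
                break
        alerts.append({"user": inv["user"], "sender": inv["sender"],
                       "mfa_ts": matched,
                       "severity": "high" if matched else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(TEAMS_INVITES, MFA_PROMPTS):
        print(f"[{alert['severity'].upper()}] {alert['user']} invited by "
              f"{alert['sender']} (MFA prompt: {alert['mfa_ts']})")
```

Even the medium-severity hit is worth triage: the user may not yet have approved the prompt, which is the moment a quick call to them still prevents the token grant. Allow-listing your genuine partners' tenants keeps the lure-word check from flagging legitimate federated chats.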

According to Microsoft, Midnight Blizzard has been observed using a range of techniques, including token theft, authentication spear-phishing, password spraying, and brute-force attacks, to gain initial access to a targeted organization. It also exploits on-premises environments to move laterally into the cloud. It is worth noting that the same group was responsible for the SolarWinds hack of 2020.

These latest revelations come just days after the group was identified as responsible for phishing attacks aimed at diplomatic entities across Eastern Europe, in which it delivered a new backdoor called GraphicalProton. Additionally, several new attack vectors have been identified that could allow malicious cyber actors to create an undetectable backdoor by stealing cryptographic hashes of passwords.
