A Russian state-backed hacking group has been caught abusing the Microsoft Teams chat app to phish multi-factor authentication approvals and take over accounts at targeted organizations.
Microsoft’s Threat Intelligence team has linked the attacks to a threat actor it tracks as Midnight Blizzard (more commonly known as Nobelium, Cozy Bear, UNC2452 or APT29), a hacking unit associated with the Foreign Intelligence Service of the Russian Federation (SVR).
In the recent cyber-espionage campaign, the threat actor has been observed using previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear to belong to technical support entities. These domains were then used to send Teams chat messages (not email) aimed at stealing credentials from a targeted organization.
Microsoft estimated that the attacks impacted fewer than 40 organizations globally. The targeted entities span the government, non-governmental organization (NGO), IT services, technology, discrete manufacturing and media sectors.
The attackers renamed the compromised tenants, added new onmicrosoft.com subdomains and created new users under them, which gave the threat actor accounts from which to send outbound Teams messages to victims.
The new subdomain and tenant names were built from security-themed or product-name-themed keywords so that the messages appear to come from a legitimate support function.
Microsoft says that “Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.”
“After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device,” the team explained.
If the victim accepts the message request and types the code into the Microsoft Authenticator prompt, the number-matching check passes for the attacker's sign-in attempt and the attackers receive a token that grants them access to the user's Microsoft 365 account. Number matching defeats blind push-fatigue attacks, but the code only binds the approval to a sign-in attempt, not to who started it; once the actor holds the password (or the account is passwordless), the remaining control is whether the user believes the Teams message.
The hackers then proceed to steal information from the compromised account. In some cases, the group has been observed adding “a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.”
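As an added example (this is not code from the article or from Microsoft's report), the script below sketches two hunts a defender could run over exported Teams and Entra ID events for the chain described above: flagging inbound Teams message requests from external *.onmicrosoft.com tenants whose names carry security- or product-themed keywords, and correlating a successful MFA-satisfied sign-in from a never-before-seen IP with a device registration by the same user shortly afterwards. The event field names, the "Register device" operation name, the keyword list and all sample events are constructed assumptions standing in for whatever your SIEM exports, not Microsoft's schema.

```python
"""Hunting helpers for the Teams-based MFA phishing chain described above.

Added example, not code from the article or from Microsoft. Event dicts,
field names and the Entra audit operation name are assumptions standing in
for a SIEM export; every sample event below is constructed.
"""
from datetime import datetime, timedelta

# Keyword families the report says the actor used in tenant/subdomain names
# (security- and product-themed). The concrete list is an assumption.
SUSPECT_KEYWORDS = ("security", "support", "helpdesk", "protection",
                    "identity", "verification", "microsoft", "msft", "teams")

def suspicious_teams_sender(sender_upn, home_domains):
    """Return a reason string if a Teams sender looks like an actor-controlled
    'support' tenant, else None.

    Flags external senders on a *.onmicrosoft.com default domain whose label
    contains a security/product keyword; anything in home_domains is trusted.
    """
    domain = sender_upn.rsplit("@", 1)[-1].lower()
    if domain in home_domains or not domain.endswith(".onmicrosoft.com"):
        return None
    label = domain[:-len(".onmicrosoft.com")]
    hits = [k for k in SUSPECT_KEYWORDS if k in label]
    return f"external onmicrosoft.com sender {domain} matches {hits}" if hits else None

def flag_teams_requests(requests, home_domains):
    """Return (request, reason) pairs for every message request from a suspicious sender."""
    flagged = []
    for req in requests:
        reason = suspicious_teams_sender(req["from"], home_domains)
        if reason:
            flagged.append((req, reason))
    return flagged

def device_registration_after_mfa(signins, audits, baseline_ips, window=timedelta(hours=1)):
    """Flag a successful, MFA-satisfied sign-in from an IP never seen for that
    user that is followed within `window` by the same user registering a device.

    This is the post-compromise sequence in the report: authenticate with the
    phished MFA approval, then enrol a device to satisfy device-based
    Conditional Access. baseline_ips maps user -> IPs from a normal-activity window.
    """
    known = {user: set(ips) for user, ips in baseline_ips.items()}
    # "Register device" is an assumed audit operation name, adjust to your export.
    registrations = [a for a in audits if a["operation"] == "Register device"]
    alerts = []
    for s in sorted(signins, key=lambda e: e["time"]):
        if s["result"] != "success":
            continue
        seen = known.setdefault(s["user"], set())
        new_ip = s["ip"] not in seen
        seen.add(s["ip"])  # learn the IP so a second sign-in from it is not re-flagged
        if not (new_ip and s["mfa_satisfied"]):
            continue
        t0 = datetime.fromisoformat(s["time"])
        for a in registrations:
            if a["user"] != s["user"]:
                continue
            t1 = datetime.fromisoformat(a["time"])
            if t0 <= t1 <= t0 + window:
                alerts.append({"user": s["user"], "signin_time": s["time"],
                               "signin_ip": s["ip"], "device": a["device"],
                               "registered_at": a["time"]})
    return alerts

# ---- constructed sample data (RFC 5737 documentation addresses) ----
HOME_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
SAMPLE_TEAMS_REQUESTS = [
    {"to": "alice@contoso.com", "from": "helpdesk@msteamsprotection.onmicrosoft.com"},
    {"to": "bob@contoso.com", "from": "it@contoso.onmicrosoft.com"},
    {"to": "carol@contoso.com", "from": "ops@fabrikam.onmicrosoft.com"},
]
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.20"}}
SAMPLE_SIGNINS = [
    {"time": "2023-07-10T08:00:00", "user": "alice", "ip": "203.0.113.10", "result": "success", "mfa_satisfied": True},
    {"time": "2023-07-10T09:10:00", "user": "alice", "ip": "198.51.100.7", "result": "success", "mfa_satisfied": True},
    {"time": "2023-07-10T09:12:00", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa_satisfied": False},
    {"time": "2023-07-10T09:30:00", "user": "carol", "ip": "203.0.113.44", "result": "success", "mfa_satisfied": True},
]
SAMPLE_AUDITS = [
    {"time": "2023-07-10T09:25:00", "user": "alice", "operation": "Register device", "device": "DESKTOP-7F2Q"},
    {"time": "2023-07-10T11:30:00", "user": "carol", "operation": "Register device", "device": "LAPTOP-C1"},
    {"time": "2023-07-10T09:40:00", "user": "bob", "operation": "Register device", "device": "DESKTOP-BB01"},
]

if __name__ == "__main__":
    for req, reason in flag_teams_requests(SAMPLE_TEAMS_REQUESTS, HOME_DOMAINS):
        print(f"TEAMS  {req['to']} <- {req['from']}: {reason}")
    for alert in device_registration_after_mfa(SAMPLE_SIGNINS, SAMPLE_AUDITS, BASELINE_IPS):
        print(f"ENTRA  {alert}")
```

On the sample data only the message to alice from the fabricated msteamsprotection tenant is flagged, and only alice's sign-in from 198.51.100.7 followed by the DESKTOP-7F2Q registration 15 minutes later produces an alert; carol's registration falls outside the one-hour window and bob never had a successful sign-in. The IP-novelty heuristic is deliberately crude: in production, key it on the sign-in's device ID and location as well, and treat a registration that immediately follows a new-IP MFA success as a candidate for token revocation and device removal rather than a mere notification.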