Russian hackers abuse Microsoft Teams for credential theft

A Russian state-backed hacking group has been caught abusing the Microsoft Teams chat app to steal credentials from targeted organizations.

Microsoft’s Threat Intelligence team has linked the attacks to a threat actor it tracks as Midnight Blizzard (more commonly known as Nobelium, Cozy Bear, UNC2452 or APT29), a hacking unit associated with the Foreign Intelligence Service of the Russian Federation (SVR).

In the recent cyber-espionage campaign, the threat actor was observed using previously compromised Microsoft 365 accounts owned by small businesses to create new domains that appear to be technical support entities. These domains were then used to send phishing emails aimed at stealing credentials from a targeted organization.

Microsoft estimated that the attacks impacted fewer than 40 organizations worldwide. The targeted entities span the government, non-governmental organization (NGO), IT services, technology, discrete manufacturing, and media sectors.

The attackers renamed the compromised accounts and added new subdomains and users associated with them, allowing the threat actor to send outbound messages to victims.

The hackers used security-themed or product-name-themed keywords to create new subdomain and tenant names that lend legitimacy to the messages.

Microsoft says that “Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.”

“After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device,” the team explained.

If the victim accepts the message request and enters the code into the Microsoft Authenticator app, the attackers are granted a token that gives them access to the user’s Microsoft 365 account.

The hackers then proceed to steal information from the compromised account. In some cases, the group has been observed adding “a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.”
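Defenders can correlate the two halves of the chain described above: an external Teams message from a lure-like tenant arriving shortly before an Authenticator-approved sign-in from a source the user has never used. The following detection sketch is an added example, not code from Microsoft or this article; it runs over constructed sample events, and the field names are assumptions rather than a real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumptions,
# loosely modelled on Entra ID sign-in logs and Teams audit records.
SIGNINS = [
    {"user": "alice@example.com", "time": "2023-08-02T09:14:00", "ip": "203.0.113.7",
     "auth_detail": "Microsoft Authenticator number match", "result": "success"},
    {"user": "bob@example.com", "time": "2023-08-02T10:02:00", "ip": "198.51.100.4",
     "auth_detail": "Microsoft Authenticator number match", "result": "success"},
]
TEAMS_MSGS = [
    {"user": "alice@example.com", "time": "2023-08-02T09:11:30",
     "sender_domain": "msftprotection.onmicrosoft.com", "external": True},
    {"user": "bob@example.com", "time": "2023-08-02T08:00:00",
     "sender_domain": "partner-corp.onmicrosoft.com", "external": True},
]
# Per-user baseline of source IPs previously seen for successful sign-ins (constructed).
KNOWN_IPS = {"alice@example.com": {"192.0.2.10"}, "bob@example.com": {"198.51.100.4"}}
# Security- or product-themed words of the kind the article says were used in tenant names.
LURE_KEYWORDS = ("security", "protection", "support", "helpdesk", "msft", "identity")


def parse(ts):
    return datetime.fromisoformat(ts)


def lure_like(domain):
    # Only the tenant label (left-most DNS label) is inspected.
    label = domain.split(".")[0].lower()
    return any(k in label for k in LURE_KEYWORDS)


def suspicious_signins(signins, teams_msgs, known_ips, window=timedelta(minutes=10)):
    """Flag Authenticator-approved sign-ins from an unfamiliar IP that were preceded,
    within `window`, by an external Teams message from a lure-like sender tenant."""
    findings = []
    for s in signins:
        if s["result"] != "success" or "Authenticator" not in s["auth_detail"]:
            continue
        t = parse(s["time"])
        new_ip = s["ip"] not in known_ips.get(s["user"], set())
        lures = [m for m in teams_msgs
                 if m["user"] == s["user"] and m["external"] and lure_like(m["sender_domain"])
                 and timedelta(0) <= t - parse(m["time"]) <= window]
        if new_ip and lures:
            findings.append({"user": s["user"], "ip": s["ip"],
                             "lure_domain": lures[0]["sender_domain"]})
    return findings
```

Bob's sign-in is not flagged: the IP is in his baseline and the external message came hours earlier from a tenant with no lure-like keyword.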
