Software giant Microsoft on Wednesday sounded an alarm after catching a known Russian government-linked hacking group using its Microsoft Teams chat app to phish for credentials at targeted organizations.
According to a research report from Redmond’s Threat Intelligence team, the hacking team is linked to the Foreign Intelligence Service of the Russian Federation (also known as the SVR) and has been caught targeting government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
Microsoft has flagged the actor as ‘Midnight Blizzard’ (formerly Nobelium) and warns that the group is using already hacked Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities.
Using these domains from compromised tenants, the researchers found the hackers using Microsoft Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.
The company said it has traced the targeting to “fewer than 40 unique global organizations,” suggesting a highly surgical cyberespionage operation against targets in the U.S. and Europe.
Microsoft’s researchers provided technical documentation of the newest credential phishing attack that includes the use security-themed domain names in lures.
From the report:
“To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant.
The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.”
Microsoft said the hacking team appears to have obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.
“After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device,” the researchers explained.
If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the APT group gets a token to authenticate as the targeted user.
“The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.”
Once the hack is complete, Microsoft said it observed post-compromise activity that includes information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.