Russian hackers implicated in Teams phishing attacks
Software giant Microsoft says threat actor Midnight Blizzard, also known as Nobelium, is behind the latest social engineering phishing attacks sent over Microsoft Teams chats.
In a blog post, Microsoft reveals Midnight Blizzard used previously compromised Microsoft 365 tenants owned by small businesses and created new domains that appear as technical support entities.
According to the company, the phishing campaign affected fewer than 40 global organisations and is focused on accessing information from targeted organisations.
Targeted users received a Teams message request from an external user posing as a technical support team or security team of that organisation.
“The organisations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organisations (NGOs), IT services, technology, discrete manufacturing and media sectors,” Microsoft explains.
“As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.”
Microsoft notes it has mitigated the actor from using the domains and continues to investigate the phishing attacks.
Midnight Blizzard is a Russia-based threat actor that the US and UK governments have attributed to the Foreign Intelligence Service of the Russian Federation, according to Microsoft. It is said to primarily target governments, diplomatic entities, NGOs and IT service providers in the US and Europe.
Focused on collecting intelligence through long-standing and dedicated surveillance of foreign interests, Midnight Blizzard’s attacks can be traced back to early 2018.
In 2021, Microsoft revealed that more than 140 resellers and technology service providers had been targeted by the Russian nation-state actor through the Azure cloud service.
In the latest phishing attacks, the threat actor used domains from the compromised tenants to send Teams messages in an attempt to steal credentials from a targeted organisation, engaging a user in conversation and eliciting approval of multifactor authentication prompts.