A Russian government-linked group of hackers has launched multiple campaigns to steal login details through Microsoft Teams chats by pretending to be technical support, according to a blog post published by Microsoft last week.
The group, known as Midnight Blizzard, used both new and common techniques. In this latest activity, it used previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities.
Using these domains from compromised tenants, Midnight Blizzard sends lures in Teams messages that attempt to steal credentials from a targeted organisation by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.
The blog states, "The organisations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organisations (NGOs), IT services, technology, discrete manufacturing, and media sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.
"Midnight Blizzard (Nobelium) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-government organisations (NGOs), and IT service providers primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organisation to expand access and evade detection."