Microsoft says Russia-linked hackers behind dozens of Teams phishing attacks

On August 2, Microsoft researchers reported that a Russian government-linked hacking group has been conducting a highly targeted social engineering attack aimed at stealing login credentials from global organizations. The campaign involves engaging users in Microsoft Teams chats, pretending to be technical support. Since late May, fewer than 40 unique global organizations have been affected by these attacks.

The hackers set up domains and accounts that resembled legitimate technical support channels and attempted to convince Teams users to approve multifactor authentication (MFA) prompts. Multifactor authentication is a widely recommended security measure to prevent credential theft. The fact that the hackers targeted Teams suggests that they are finding new ways to bypass MFA.

The hacking group responsible for these attacks, known as Midnight Blizzard or APT29, has been linked to Russia’s foreign intelligence service by the US and UK governments. The targeted organizations are believed to be in the government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. However, the specific targets were not named in the report.

Midnight Blizzard has been known to target organizations in the US and Europe since 2018. In this recent campaign, the hackers used compromised Microsoft 365 accounts owned by small businesses to create new domains that appeared to be legitimate technical support entities with the word “microsoft” in their names. Phishing messages were then sent to users via Teams to bait them into revealing their login credentials. Microsoft has taken measures to mitigate the use of these domains and is actively investigating the attacks.