The Russian cyber threat actor Midnight Blizzard (Nobelium, APT29, UNC2452, Cozy Bear) is conducting a highly targeted phishing and social engineering campaign via Microsoft Teams to gain persistent access to Microsoft 365 environments. The United States and the United Kingdom believe Midnight Blizzard to be part of the Foreign Intelligence Service of the Russian Federation (SVR). The threat actor seeks persistent access to networks for espionage purposes and achieves this by compromising valid accounts, often using advanced techniques to compromise authentication mechanisms within a compromised organization to expand access and evade detection. The group employs diverse tactics to breach organizations, including phishing and spear phishing, supply chain attacks, exploitation of vulnerabilities, and attacks on service providers to exploit the trust chain and gain access to the networks of their downstream customers.
The latest campaign has largely been focused on government entities, non-government organizations (NGOs), IT service providers, technology firms, and manufacturing and media companies that meet the threat actor’s specific espionage objectives. The campaign has been active since late May 2023 and most of the targeted organizations have been in the United States and Europe. The threat actor uses compromised Microsoft 365 tenants owned by small businesses to create domains that appear to be technical support entities. The domains are then used to send malicious Microsoft Teams messages to targeted companies and individuals, with technical support-related lures used to trick victims into disclosing their credentials and multifactor authentication codes.
According to Microsoft’s Threat Intelligence Team, Midnight Blizzard uses the compromised Microsoft 365 tenants for their social engineering attacks, renaming the compromised tenant, adding a new onmicrosoft.com subdomain, and then adding a new user associated with that domain for sending outbound messages. Security- and product-themed keywords are employed in the creation of the subdomains to make the messages appear to be legitimate. Microsoft has detected less than 40 successful compromises so far, indicating this is a highly targeted campaign. In those attacks, the threat actor has either obtained valid credentials for the targets or has exploited passwordless authentication, both of which require the user to enter a Microsoft Authenticator app code during the authentication process.
The user receives a code on their mobile device, and the threat actor messages the victim via Microsoft Teams and tries to get them to enter the code into the prompt on their device. If the message request is accepted and the code is entered, the threat actor will be provided with a token to authenticate as the targeted user, thus gaining access to their Microsoft 365 account. Once access has been gained, the threat actor steals information from the Microsoft 365 account – including Outlook, Teams, and Microsoft Office. In some of the attacks, the threat actor attempted to add a device as a managed device via Microsoft Entra ID (formerly Azure Active Directory), to circumvent conditional access policies. The threat actor then pivots to Azure Active Directory environments to achieve a much more extensive compromise.
This campaign is difficult for targeted users to identify, as a genuine Microsoft domain is used in the scam. Microsoft recommends deploying phishing-resistant multifactor authentication, using whitelists of trusted external domains for trusted Microsoft 365 organizations, auditing Microsoft 365 accounts, only allowing known devices to connect that adhere to Microsoft’s recommended security baselines, and educating users about social engineering and phishing attacks, including attacks that seek access to MFA codes.