Microsoft has reported a new credential phishing campaign run by the Russia-based threat actor known as Midnight Blizzard (also tracked as NOBELIUM). This latest campaign targets organizations in the government, non-governmental organization (NGO), IT services, technology, discrete manufacturing, and media sectors.
According to Microsoft, the campaign uses compromised Microsoft 365 accounts belonging to small businesses to register domains posing as technical support entities. The actors then send phishing lures via Teams chat, pretending to be from these entities.
To stage the campaign, the actor uses Microsoft 365 tenants belonging to small businesses it compromised in earlier attacks to host and launch the social engineering. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, and then creates a new user on that subdomain from which the outbound Teams message is sent to the target tenant.
The goal is to trick targeted users into approving multifactor authentication (MFA) prompts, allowing the attackers to steal login credentials. Microsoft says fewer than 40 organizations globally have been affected so far.
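The tenant-rename-and-subdomain pattern described above gives defenders something concrete to look for in Teams message telemetry. The following is an added example, not code from Microsoft or the original report: it scores constructed Teams chat records for an external sender on a freshly added onmicrosoft.com subdomain whose label poses as technical support. The record fields (`sender`, `external`, `sender_domain_added`) and the 30-day age threshold are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Lure vocabulary seen in tech-support impersonation; tune per environment.
SUPPORT_WORDS = re.compile(r"support|helpdesk|security|protection|identity|microsoft", re.I)
MAX_DOMAIN_AGE_DAYS = 30  # assumption: a sender domain added this recently is a signal

# Constructed sample records; field names are illustrative, not a real export schema.
SAMPLE_EVENTS = [
    {"ts": "2023-08-02T10:15:00Z", "sender": "helpdesk@msftprotection.onmicrosoft.com",
     "sender_domain_added": "2023-07-30T08:00:00Z", "recipient": "cfo@example.org", "external": True},
    {"ts": "2023-08-02T10:20:00Z", "sender": "alice@contoso-partner.onmicrosoft.com",
     "sender_domain_added": "2019-01-10T00:00:00Z", "recipient": "bob@example.org", "external": True},
    {"ts": "2023-08-02T10:25:00Z", "sender": "it@example.org",
     "sender_domain_added": "2015-05-05T00:00:00Z", "recipient": "bob@example.org", "external": False},
    {"ts": "2023-08-02T10:30:00Z", "sender": "helpdesk@newvendor.example.net",
     "sender_domain_added": "2023-07-31T00:00:00Z", "recipient": "bob@example.org", "external": True},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def score_event(ev):
    """Return the list of independent reasons a message resembles the tenant-impersonation lure."""
    reasons = []
    if not ev.get("external"):
        return reasons  # internal senders are outside this pattern
    domain = ev["sender"].rsplit("@", 1)[1].lower()
    suffix = ".onmicrosoft.com"
    if domain.endswith(suffix):
        label = domain[: -len(suffix)]
        reasons.append("sender uses an onmicrosoft.com subdomain rather than a verified custom domain")
        if SUPPORT_WORDS.search(label):
            reasons.append(f"subdomain label '{label}' poses as technical support")
    age_days = (parse_ts(ev["ts"]) - parse_ts(ev["sender_domain_added"])).days
    if age_days <= MAX_DOMAIN_AGE_DAYS:
        reasons.append(f"sender domain was added only {age_days} days before the message")
    return reasons

def triage(events, min_signals=2):
    """Map each sender with at least min_signals reasons to those reasons, for analyst review."""
    flagged = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_signals:
            flagged[ev["sender"]] = reasons
    return flagged

if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_EVENTS).items():
        print(sender, "->", "; ".join(reasons))
```

A single signal (an old onmicrosoft.com partner tenant, or a new but custom vendor domain) is not flagged on its own; the lure is the combination of a vanity subdomain, a support-themed label, and recent creation.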
Microsoft's Teams platform has garnered a significant user base in the IT industry, with over 280 million active users.
The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
This shows Midnight Blizzard's persistence in pursuing espionage objectives through social engineering despite repeated takedowns. Their techniques include stealing credentials via phishing and exploiting trust between cloud providers and customers.
Microsoft has disabled the malicious domains and continues to monitor the campaign. It has notified affected customers to help them secure their environments.
Midnight Blizzard, tracked by some as APT29, UNC2452, and Cozy Bear, has been attributed to Russia's SVR intelligence agency. Their "cyberespionage campaigns" typically focus on government, diplomatic, and NGO targets in the US and Europe.
Meanwhile, Microsoft reported in July that a group of Chinese hackers had gained access to government email accounts in the US and Europe. Subsequently, U.S. Senator Ron Wyden asked the Department of Justice, the Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency (CISA) to investigate the hack of Microsoft email accounts.
Microsoft urges organizations to enforce security best practices and treat unsolicited authentication prompts as suspicious.