
Russian government hackers sent phishing lures masquerading as Microsoft Teams chats

Hackers tied to the Russian government used Microsoft Teams chats as phishing lures in “highly targeted social engineering attacks,” according to security officials at Microsoft.

The tech giant said on Wednesday it uncovered a campaign by a prolific Russian hacking group that it calls Midnight Blizzard but that is most commonly known as NOBELIUM, Cozy Bear or APT29. The group is part of the Foreign Intelligence Service of the Russian Federation, according to U.S. and U.K. law enforcement agencies.

In the attacks, which began in May, the hackers use previously compromised Microsoft 365 accounts owned by small businesses to create new domains mimicking technical support sites.

“Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts,” Microsoft Threat Intelligence explained in a blog on Wednesday afternoon.

“Our current investigation indicates this campaign has affected fewer than 40 unique global organizations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.”

The hackers renamed the compromised accounts and added new users, allowing them to send outbound messages to victims.

They typically used security- or product name-themed keywords in the new name in order to get victims to open the messages. Microsoft said that while they have stopped the group from using the compromised domains, they are still investigating the incident and the wider campaign to compromise legitimate Azure tenants.

The hackers have either “obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.”

“After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app,” they explained.

“The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.”

The victims receive a Microsoft Teams message request purporting to be from someone claiming to be part of technical support or cybersecurity staff.

If accepted, the victims are prompted to enter a code into the Microsoft Authenticator app on their mobile device.

From there, if the victim enters the code, the hacker is given a token that authenticates them, allowing them access to the victim’s Microsoft 365 account.

Microsoft said the hackers typically attempted to steal information or add devices to the organization’s account in an attempt to “circumvent conditional access policies configured to restrict access to specific resources to managed devices only.”

The customers targeted have been notified of the incident.

Microsoft said this latest campaign from Midnight Blizzard is part of a longstanding effort by the group to gain initial access to accounts through a variety of methods, including stolen credentials, supply chain attacks, exploitation of on-premises environments and more.

“Midnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in addition to authentication spear-phishing, password spray, brute force, and other credential attacks,” Microsoft said, adding that it “has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.”

The situation mirrors a controversy the tech giant has faced in recent weeks, in which Chinese government hackers exploited another token system to gain access to the email accounts of several high-ranking U.S. government officials.

Correction: A previous version of this article incorrectly identified Russia's Foreign Intelligence Service as a military organization.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.