Operators of the Russian threat actor Midnight Blizzard have been posing as security or technical support representatives in Microsoft Teams chats with the aim of compromising targets’ Microsoft 365 accounts.
Researchers with Microsoft on Wednesday said that the threat actor has used this “highly targeted” social engineering attack since May to hit 40 global organizations, including ones in the government, IT services, technology, manufacturing and media sectors.
To set the stage for the social engineering attack, the actors first compromise Microsoft 365 tenants belonging to small businesses, typically via token theft, authentication spear-phishing, password spray or brute force attacks. After this initial compromise, the actor renames the compromised tenant and adds a new subdomain and a new user on that domain, often using security-themed or product name-themed keywords. The actor then uses these compromised subdomains to send outbound messages to the target, lending the campaign an air of legitimacy.
“Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts,” according to Microsoft researchers in an analysis.
In the next stage of the attack, the threat group uses the small businesses’ compromised Microsoft 365 tenants to send Microsoft Teams messages to targeted organizations, purporting to be a technical support entity. The group either already holds valid account credentials for the targeted users or targets users who have passwordless authentication set up. In both cases, the user must enter a code in the Microsoft Authenticator mobile app to complete authentication. Here, the actor poses as a technical support or security team representative on Microsoft Teams and attempts to convince the user to enter that code into the app on their device.
“After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app,” said researchers. “The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.”
If successful, the threat actor would then be granted a token, which they used to authenticate as the targeted user and ultimately gain access to the victim’s Microsoft 365 account. The attackers typically stole information from the compromised Microsoft 365 tenant as part of their post-compromise activity.
“In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only,” said researchers.
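Two of the signals described above lend themselves to simple triage on a defender’s side: external Teams senders whose tenant domain and user name carry security- or product-themed keywords, and a device registration that follows shortly after an MFA-completed sign-in. The following is an added example (not Microsoft’s detection logic); it assumes the renamed tenant uses an onmicrosoft.com subdomain, and the event shape, keyword list and sample events are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed keyword list in the spirit of the "security-themed or product
# name-themed" naming the write-up describes; tune to your own environment.
LURE_KEYWORDS = ("security", "identity", "protection", "helpdesk",
                 "support", "msft", "teams", "office")
# Assumption: the actor's renamed tenant exposes a *.onmicrosoft.com subdomain.
ONMICROSOFT = re.compile(r"^[a-z0-9-]+\.onmicrosoft\.com$", re.I)


def score_external_sender(sender_upn, trusted_domains):
    """Return (score, reasons) for an external Teams chat sender UPN."""
    local, _, domain = sender_upn.lower().rpartition("@")
    if domain in trusted_domains:          # known partner / own tenant
        return 0, []
    reasons = []
    if ONMICROSOFT.match(domain):
        reasons.append("unverified onmicrosoft.com tenant domain")
    hits = sorted({k for k in LURE_KEYWORDS if k in domain or k in local})
    if hits:
        reasons.append("lure-style naming: " + ", ".join(hits))
    return len(reasons), reasons


def device_joins_after_mfa(events, window=timedelta(hours=2)):
    """Flag (user, device) pairs where a device join follows an MFA sign-in
    by the same user within `window`. events: dicts with keys
    time (datetime), user, type in {'mfa_sign_in', 'device_join'}, device."""
    flagged, sign_ins = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] == "mfa_sign_in":
            sign_ins.setdefault(e["user"], []).append(e["time"])
        elif e["type"] == "device_join":
            recent = [t for t in sign_ins.get(e["user"], [])
                      if timedelta(0) <= e["time"] - t <= window]
            if recent:
                flagged.append((e["user"], e["device"]))
    return flagged


# Constructed sample events (hypothetical tenant contoso.example).
SAMPLE_EVENTS = [
    {"time": datetime(2023, 8, 2, 9, 0), "user": "alice@contoso.example", "type": "mfa_sign_in"},
    {"time": datetime(2023, 8, 2, 9, 40), "user": "alice@contoso.example", "type": "device_join", "device": "DESKTOP-NEW"},
    {"time": datetime(2023, 8, 1, 9, 0), "user": "bob@contoso.example", "type": "mfa_sign_in"},
    {"time": datetime(2023, 8, 2, 12, 0), "user": "bob@contoso.example", "type": "device_join", "device": "BOB-LAPTOP"},
]

if __name__ == "__main__":
    print(score_external_sender("helpdesk@msftsecurity.onmicrosoft.com", {"contoso.example"}))
    print(device_joins_after_mfa(SAMPLE_EVENTS))
```

Neither heuristic is proof of compromise on its own; the point is to surface the pairing of an unfamiliar onmicrosoft.com sender with a fresh device registration for review.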
Microsoft has notified the compromised customers and blocked the actor from using the impacted domains. The threat group, also known as Nobelium or APT29 and affiliated with the Russian Foreign Intelligence Service (SVR), has previously been linked to the SolarWinds intrusion and has launched a number of other attacks, including ones targeting organizations integral to the global IT supply chain. Researchers said that the group remains “consistent and persistent” in its operational targeting.
“They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB,” said researchers.