Microsoft on Wednesday disclosed that it identified a set of highly targeted social engineering attacks mounted by a Russian nation-state threat actor using credential theft phishing lures sent as Microsoft Teams chats.
The tech giant attributed the attacks to a group it tracks as Midnight Blizzard (previously Nobelium). It’s also called APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes.
“In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities,” the company said.
“Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multi-factor authentication (MFA) prompts.”
Microsoft said the campaign, observed since at least late May 2023, affected less than 40 organizations globally spanning government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
The threat actor has been observed to utilize token theft techniques for initial access into targeted environments, alongside other methods such as authentication spear-phishing, password spray, and brute-force attacks.
Another known hallmark is its exploitation of on-premises environments to laterally move to the cloud as well as the abuse of service providers’ trust chain to gain access to downstream customers, as observed in the SolarWinds hack of 2020.
In the new round of attacks linked to Midnight Blizzard, a new onmicrosoft.com subdomain is added to a tenant previously compromised in attacks, followed by creating a new user with that subdomain to initiate a Teams chat request with potential targets by masquerading as a technical support person or Microsoft’s Identity Protection team.
“If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device,” Microsoft explained.
Should the victim follow through with the instructions, the threat actor is granted a token to authenticate as the targeted user, thereby allowing for account takeover and follow-on post-compromise activity.
“In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only,” Microsoft cautioned.
The findings come days after the threat actor was attributed to phishing attacks targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton.
They also follow the discovery of several new Azure AD (AAD) Connect attack vectors that could allow malicious cyber actors to create an undetectable backdoor by stealing cryptographic hashes of passwords by injecting malicious code into a hash syncing process and intercepting credentials by means of an adversary-in-the-middle (AitM) attack.
“For example, attackers can leverage the extraction of NT hashes to ensure they receive every future password change in the domain,” Sygnia said in a statement shared with The Hacker News.
“Threat actors can also use [Active Directory Certificate Services] to obtain AAD Connector passwords, as well as serve as a man-in-the-middle and launch attacks against SSL-encrypted channels in the network by exploiting misconfigurations in certificate templates that have server authentication.”