Since late May 2023, the Russian threat actor tracked as Midnight Blizzard (also known as APT29, UNC2452, NOBELIUM, or Cozy Bear), which the US and UK governments attribute to Russia’s Foreign Intelligence Service (SVR), has been targeting international organizations, including government agencies, NGOs, IT service providers, and technology and media companies, through Microsoft Teams. Microsoft disclosed that the attacks relied on social engineering: highly targeted credential-phishing lures delivered as Teams chats and aimed at stealing credentials and multi-factor authentication (MFA) approvals.
The actor first took control of Microsoft 365 tenants, typically those of small businesses, through token theft and other credential-access techniques. From those compromised tenants it sent fake technical-support messages designed to trick recipients into handing over credentials and MFA codes. A notable step was renaming the compromised tenant and registering a new subdomain under onmicrosoft.com, the legitimate default domain Microsoft assigns to every tenant, using security- or product-themed keywords so that the chats appeared to come from Microsoft. Microsoft has notified affected customers and blocked the actor from further use of those domains.
Separately, researchers at Jumpsec reported in June 2023 that they had bypassed client-side controls in Microsoft Teams to deliver malware directly into the Teams inboxes of users in other organizations. Microsoft said at the time that the issue did not meet its bar for immediate servicing, but the Midnight Blizzard campaign shows how much weight now rests on Teams’ external-messaging controls.
The campaign, active since late May 2023, affected fewer than 40 organizations worldwide across several sectors. Midnight Blizzard relies on token theft, spear-phishing, password spraying, and brute-force attacks for initial access, and has previously used compromised on-premises environments to move laterally into cloud environments, as it did in the 2020 SolarWinds supply-chain compromise. In some of the Teams attacks, the actor also attempted to register a device as managed in Microsoft Entra ID, most likely to satisfy conditional access policies that restrict access to managed devices.
In the Teams attacks, the actor created new onmicrosoft.com subdomains and user accounts in previously compromised tenants and used them to send external chat requests, posing as technical support or as Microsoft’s Identity Protection team. If the target accepted the message request, the actor, having already initiated a sign-in with the victim’s stolen credentials, urged them to enter the number displayed in the Microsoft Authenticator prompt. Completing that number-matching prompt approved the attacker’s sign-in and granted the actor a token to authenticate as the victim, enabling account takeover and follow-on activity.
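The lure described above and in the tenant-renaming step earlier has three observable traits: the sender still uses a default *.onmicrosoft.com tenant domain, the sender or tenant name impersonates Microsoft or an IT support function, and the message asks the target to complete an Authenticator prompt. The following Python script is an added example, not part of the original article or of any Microsoft tooling; it scores a hypothetical export of inbound external Teams chat requests on those traits. The field names (sender, display_name, tenant_name, message) and all sample records are constructed for illustration.

```python
"""Heuristic triage of inbound external Microsoft Teams chat requests.

Added example. Assumes a hypothetical export with the fields sender,
display_name, tenant_name and message; the records at the bottom are
constructed, not real tenants or messages.
"""
import re
from dataclasses import dataclass, field

# Names an attacker used or would plausibly use to pose as support staff.
IMPERSONATION_TERMS = (
    "microsoft identity protection", "identity protection",
    "microsoft support", "technical support", "it support",
    "help desk", "security team",
)

# Phrases asking the target to finish an MFA prompt the attacker started.
MFA_LURE_PATTERNS = (
    re.compile(r"\bauthenticator\b", re.I),
    re.compile(r"\b(enter|type|input|approve)\b.{0,40}\b(code|number|digits?|request)\b", re.I),
    re.compile(r"\b(verification|verify|confirm)\b.{0,40}\b(code|number|sign[- ]?in)\b", re.I),
)

@dataclass
class ChatRecord:
    sender: str        # UPN of the external sender
    display_name: str  # name shown in the Teams invite
    tenant_name: str   # organization name of the external tenant
    message: str

@dataclass
class Finding:
    sender: str
    score: int
    reasons: list = field(default_factory=list)

def sender_domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""

def is_default_tenant_domain(domain: str) -> bool:
    # Every tenant gets <name>.onmicrosoft.com. Still using it is normal for
    # a tiny tenant but not for anyone claiming to be Microsoft or your IT.
    return domain.endswith(".onmicrosoft.com")

def impersonates_support(*names: str) -> bool:
    joined = " ".join(n.lower() for n in names)
    return any(term in joined for term in IMPERSONATION_TERMS)

def requests_mfa_code(message: str) -> bool:
    return any(p.search(message) for p in MFA_LURE_PATTERNS)

def score_record(rec: ChatRecord) -> Finding:
    f = Finding(sender=rec.sender, score=0)
    domain = sender_domain(rec.sender)
    if is_default_tenant_domain(domain):
        f.score += 1
        f.reasons.append(f"sender uses default tenant domain {domain}")
    if impersonates_support(rec.display_name, rec.tenant_name, domain):
        f.score += 2
        f.reasons.append("display/tenant name impersonates Microsoft or IT support")
    if requests_mfa_code(rec.message):
        f.score += 2
        f.reasons.append("message asks target to complete an Authenticator prompt")
    return f

def triage(records, threshold: int = 3):
    """Return findings scoring at or above threshold, highest first."""
    hits = [score_record(r) for r in records]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)

# Constructed sample records (not real tenants or messages).
SAMPLE_RECORDS = [
    ChatRecord("helpdesk@msftprotection.onmicrosoft.com", "Microsoft Identity Protection",
               "Microsoft Identity Protection",
               "We detected unusual sign-in activity. Open Microsoft Authenticator "
               "and enter the number 47 we just sent to secure your account."),
    ChatRecord("j.doe@partner-firm.example", "Jane Doe", "Partner Firm",
               "Hi, attaching the revised statement of work for review."),
    ChatRecord("admin@contoso-support.onmicrosoft.com", "Technical Support", "Contoso Support",
               "Please approve the verification request on your phone so we can finish the migration."),
    ChatRecord("alex@newstartup.onmicrosoft.com", "Alex Kim", "New Startup Ltd",
               "Great meeting you at the conference, here are the slides."),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"{finding.sender}: score {finding.score}")
        for reason in finding.reasons:
            print("  -", reason)
```

The default-domain signal alone is deliberately worth only one point, because many legitimate small tenants never add a custom domain; it becomes meaningful only in combination with an impersonating name or an MFA-approval request. A real deployment would feed records from the Teams admin or audit export rather than the constructed list and tune the term lists to the organization’s own help-desk naming.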
These incidents fit a broader pattern of activity, including phishing attacks against diplomatic entities in Eastern Europe that delivered a new backdoor called GraphicalProton, and research showing how Azure AD Connect can be abused to plant hard-to-detect backdoors and intercept credentials.