Microsoft Threat Intelligence has recently detected a series of highly targeted social engineering attacks employing credential theft phishing lures delivered as Microsoft Teams chats.
According to an advisory published by the tech giant on Wednesday, these attacks have been traced back to the threat actor known as Midnight Blizzard, previously identified as Nobelium.
The modus operandi of the Russia-based threat actor involves exploiting previously compromised Microsoft 365 tenants owned by small businesses to create seemingly legitimate technical support entities.
Using domains belonging to these compromised tenants, Midnight Blizzard sends Microsoft Teams messages designed to steal credentials by persuading users to approve multi-factor authentication (MFA) prompts.
Microsoft’s investigation revealed that roughly 40 global organizations have been affected by this campaign. The targeted sectors indicate specific espionage objectives by Midnight Blizzard, including government, non-government organizations (NGOs), IT services, technology, discrete manufacturing and media entities.
“This is a highly sophisticated phishing scam that would be almost impossible to detect to the untrained eye,” explained My1Login CEO, Mike Newman.
According to the executive, the fact that the attackers exploited a genuine Microsoft domain in their scheme meant that only a vigilant and security-conscious user could have investigated the prompts and identified them as fraudulent.
“As a result of this, even despite the low number of organizations targeted, this attack would have picked up many victims,” Newman explained.
As part of its ongoing efforts to combat this threat, Microsoft has taken measures to prevent the actor from using the domains and is actively working to remediate the impact of the attack. Affected customers have been notified directly.
To protect against such attacks, Microsoft advised organizations to implement phishing-resistant authentication methods, use conditional access authentication strength for critical applications and educate users about social engineering and credential phishing threats.
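The second of those recommendations, a Conditional Access policy that requires a phishing-resistant authentication strength for critical applications, can be expressed as follows. This is an added example, not code from the article or from Microsoft's advisory; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the `Policy.ReadWrite.ConditionalAccess` permission, and that the application and group IDs are placeholders to be replaced with your own values.

```powershell
# Added example (not from the article or Microsoft's advisory): create an
# Entra ID Conditional Access policy that requires the built-in
# "Phishing-resistant MFA" authentication strength for a set of critical apps.
# Assumes the Microsoft Graph PowerShell SDK and the scope below; the app and
# group IDs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Confirm the ID of the built-in strength before referencing it in the policy.
Get-MgPolicyAuthenticationStrengthPolicy | Select-Object Id, DisplayName

$criticalApps = @("<APP-ID-1>", "<APP-ID-2>")   # placeholder application IDs
$pilotGroup   = "<PILOT-GROUP-ID>"               # placeholder: start with a pilot group

$policy = @{
  displayName = "Require phishing-resistant MFA for critical apps"
  # Report-only first so sign-in logs show who would be blocked; switch to
  # "enabled" once the pilot group is fully enrolled in FIDO2 / WHfB / CBA.
  state       = "enabledForReportingButNotEnforced"
  conditions  = @{
    users          = @{ includeGroups = @($pilotGroup) }
    applications   = @{ includeApplications = $criticalApps }
    clientAppTypes = @("all")
  }
  grantControls = @{
    operator = "OR"
    # Built-in "Phishing-resistant MFA" authentication strength, which admits
    # only FIDO2 security keys, Windows Hello for Business and certificate-based
    # authentication; push approvals and one-time codes do not satisfy it.
    authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
  }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The point of the authentication-strength grant control, in the context of this campaign, is that a user who is talked into approving a push notification or reading back a code cannot unknowingly satisfy the policy: FIDO2 and Windows Hello credentials are bound to the legitimate sign-in origin, so there is no approval step for a Teams message to social-engineer. Roll the policy out in report-only mode against a pilot group first, since an enforced policy will lock out any user who has not yet registered a phishing-resistant method.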