In a recent blog post by Microsoft and as reported by Reuters, Microsoft Threat Intelligence has revealed the detection of highly targeted social engineering attacks conducted by a threat actor known as Midnight Blizzard (formerly NOBELIUM). The attacks center around credential theft phishing lures delivered via Microsoft Teams chats and have affected fewer than 40 global organizations since late May. Even last month, Microsoft confirmed that services were disrupted and were caused by a Russian hacking group.
Midnight Blizzard, a hacking group linked to the Russian Foreign Intelligence Service (SVR), is notorious for its persistent espionage activities. The group has been targeting various sectors, including government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media, since as far back as 2018.
To facilitate their attacks, the hackers utilized previously compromised Microsoft 365 tenants owned by small businesses to create new domains masquerading as technical support entities. By adopting security-themed keywords and names containing “Microsoft,” the threat actor attempted to lend legitimacy to their phishing messages.
The attack chain targets users with valid credentials or employs passwordless authentication through the Microsoft Authenticator app. The attackers convince the users to enter codes into the app, granting them unauthorized access to their Microsoft 365 accounts.
Despite multifactor authentication (MFA) being a widely recommended security measure, Midnight Blizzard found ways to evade it, raising concerns over the effectiveness of MFA in countering sophisticated social engineering attacks.
Microsoft has taken prompt action to mitigate the threat actor’s use of domains. It is actively investigating and remediating the impact of the attacks. Additionally, the company has notified targeted and compromised customers, providing them with crucial information to secure their environments.
Microsoft Teams boasts more than 280 million active users. Hence, the company advises users to remain cautious when encountering unexpected requests or messages, particularly from unfamiliar sources.
The Russian embassy in Washington has yet to respond to requests for comment on the matter, leaving organizations on high alert for potential further attacks from the persistent and adaptable hacking group Midnight Blizzard.