
Microsoft Exposes Russian Government Hackers’ Phishing Scheme through Teams Chat App

## Cloud Security: Microsoft Catches Russian Government Hackers Phishing with Teams Chat App

In a concerning revelation, software giant Microsoft has announced that a Russian government-linked hacking group is using its Microsoft Teams chat app to carry out phishing attacks on targeted organizations. This group, known as ‘Midnight Blizzard’ (formerly Nobelium), is linked to the Foreign Intelligence Service of the Russian Federation (SVR) and has been observed targeting various sectors, including government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media.

Microsoft's research report indicates that this highly sophisticated hacking group is using already compromised Microsoft 365 tenants owned by small businesses to create new domains that masquerade as legitimate technical support entities. By leveraging these domains, the hackers are able to send phishing messages through Microsoft Teams, attempting to steal credentials from targeted organizations by engaging users and eliciting approval of multifactor authentication prompts.

According to Microsoft, this cyberespionage operation appears to be highly surgical, with targeting observed at fewer than 40 unique global organizations. This suggests that the group is focusing its efforts on specific targets primarily in the United States and Europe.

### The Phishing Attack Techniques

To facilitate their attack, the Midnight Blizzard group takes advantage of previously compromised Microsoft 365 tenants to host and launch their social engineering attacks. They create new subdomains and tenants using security-themed or product name-themed keywords to lend credibility to their phishing messages. In some cases, the hackers have obtained valid account credentials for the targeted users, while in others, they are specifically targeting users with passwordless authentication configurations, which require users to enter a code displayed on the Microsoft Authenticator app on their mobile devices.

The phishing attack begins when the hackers send a message to the targeted user over Microsoft Teams, requesting the user to enter a code into the Microsoft Authenticator app. If the user accepts the message request and enters the code, the hackers gain access to the user’s Microsoft 365 account, completing the authentication flow. Once the compromise is successful, Microsoft has observed post-compromise activities, including information theft from the compromised Microsoft 365 tenant. Additionally, the hackers attempt to add a managed device via Microsoft Entra ID, potentially to bypass conditional access policies.
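The chain described above (an external Teams chat from a lure-named tenant, a completed MFA sign-in, then a device registration) is something a detection rule can correlate per user. The following is an added example, not code from Microsoft or from the original article; the event schema, keyword list, trusted-domain set and one-hour window are assumptions, and all events are constructed.

```python
from datetime import datetime, timedelta

# Assumed keyword list: the article says only "security-themed or product name-themed".
LURE_KEYWORDS = ("security", "support", "helpdesk", "protection", "teams", "identity")
TRUSTED_DOMAINS = {"corp.example"}   # hypothetical: own and partner tenants
WINDOW = timedelta(hours=1)          # assumed correlation window

# Constructed events in a simplified, hypothetical schema (not a real Microsoft log format).
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "type": "external_chat_accepted", "user": "alice",
     "sender_domain": "account-security-helpdesk.example"},
    {"ts": "2024-01-10T09:04:00", "type": "mfa_signin_success", "user": "alice"},
    {"ts": "2024-01-10T09:20:00", "type": "device_registered", "user": "alice"},
    {"ts": "2024-01-10T10:00:00", "type": "external_chat_accepted", "user": "bob",
     "sender_domain": "supplier.example"},
    {"ts": "2024-01-10T10:05:00", "type": "mfa_signin_success", "user": "bob"},
    {"ts": "2024-01-10T11:00:00", "type": "external_chat_accepted", "user": "carol",
     "sender_domain": "teams-identity-team.example"},
    {"ts": "2024-01-10T15:00:00", "type": "device_registered", "user": "carol"},
]

def is_lure_domain(domain):
    """True for an untrusted sender domain whose name contains a lure keyword."""
    d = domain.lower()
    return d not in TRUSTED_DOMAINS and any(k in d for k in LURE_KEYWORDS)

def correlate(events):
    """Return one alert per accepted lure chat, graded by what followed within WINDOW."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["type"] != "external_chat_accepted" or not is_lure_domain(e["sender_domain"]):
            continue
        start = datetime.fromisoformat(e["ts"])
        followups = {f["type"] for f in events[i + 1:]
                     if f["user"] == e["user"]
                     and datetime.fromisoformat(f["ts"]) - start <= WINDOW}
        if {"mfa_signin_success", "device_registered"} <= followups:
            severity = "high"    # full chain: lure chat, MFA sign-in, device registration
        elif followups:
            severity = "medium"  # lure chat plus one follow-up event
        else:
            severity = "low"     # lure chat accepted, nothing followed in the window
        alerts.append({"user": e["user"], "domain": e["sender_domain"], "severity": severity})
    return alerts
```

Keyword matching alone is noisy, which is why the severity depends on the follow-up events rather than on the domain name.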

### The Implications and Recommendations

The fact that a Russian government-linked hacking group is exploiting a widely used communication and collaboration platform like Microsoft Teams should serve as a wake-up call to organizations worldwide. This incident highlights the need for robust cloud security measures and increased vigilance in the face of sophisticated cyber threats.

Organizations must prioritize cybersecurity and implement multiple layers of protection. This includes regularly updating software and maintaining strong passwords, enabling multi-factor authentication, and implementing security measures specifically tailored to cloud services, such as identity and access management solutions. Additionally, employee education and awareness programs can help mitigate the risk of falling victim to phishing attacks by training employees to recognize and report suspicious messages and activities.

It is crucial for companies to regularly review and improve their security practices to stay one step ahead of cybercriminals. This incident also raises questions about the responsibility of tech companies to ensure the security of their platforms and protect their users from state-sponsored hacking groups. While Microsoft has taken swift action to mitigate this particular attack, ongoing collaboration between technology companies, governments, and cybersecurity experts will be essential in combating these threats effectively.

In a world where digital communication and collaboration platforms are integral to modern business operations, it is essential that organizations remain vigilant and proactive in their cybersecurity efforts. This incident serves as a reminder that no software platform is immune to the persistent and evolving threat landscape, and organizations must be prepared to invest in the necessary security measures to protect sensitive data and maintain the trust of their stakeholders.
