Microsoft reveals sophisticated phishing tactics by Midnight Blizzard APT via Microsoft Teams chats

Microsoft has revealed a series of highly targeted social engineering attacks conducted by a Russian nation-state threat actor known as Midnight Blizzard (previously Nobelium), exposing their sophisticated credential theft phishing tactics using Microsoft Teams chats.

According to Microsoft, the threat actor employs previously compromised Microsoft 365 tenants belonging to small businesses to create new domains, posing as technical support entities. Using these domains, Midnight Blizzard sends Teams messages containing phishing lures to steal credentials from targeted organizations. The attackers engage users and try to elicit approval for multi-factor authentication (MFA) prompts.

The campaign, which has been ongoing since late May 2023, has affected fewer than 40 organizations globally. The victims span various sectors, including government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing, and media.

Midnight Blizzard is known for using token theft techniques to gain initial access to targeted environments. Additionally, they utilize methods such as authentication spear-phishing, password spray, and brute-force attacks. The group’s tactics also include exploiting on-premises environments to laterally move to the cloud, as well as abusing service providers’ trust chains to gain access to downstream customers.

In the recent attacks linked to Midnight Blizzard, the threat actors add a new subdomain to a previously compromised tenant. They then create a new user with that subdomain to initiate Teams chat requests, posing as technical support personnel or Microsoft’s Identity Protection team. If the targeted user accepts the message request, they receive a Microsoft Teams message from the attacker, convincing them to enter a code into the Microsoft Authenticator app on their mobile device.

Upon successful manipulation of the victim, the threat actor obtains a token to authenticate as the targeted user, enabling them to take over the account and execute post-compromise activities. Microsoft has observed that the attacker, in some cases, attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory) to circumvent conditional access policies restricting access to managed devices only.
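The sequence described above (an external Teams chat request from an untrusted tenant impersonating support or Identity Protection, followed shortly by an MFA prompt for the recipient) lends itself to a simple correlation rule. The following is an added illustration, not code from Microsoft or the article; the event schema, domains and timestamps are constructed, and the trusted-domain list and 15-minute window are assumptions to tune for your own tenant.

```python
"""Triage Teams external-chat events for the pattern described above: an
external sender impersonating support / Identity Protection, followed shortly
by an MFA prompt for the recipient. Event schema is CONSTRUCTED for this example."""
from datetime import datetime, timedelta

# Assumption: domains your tenant already trusts for external Teams chat.
TRUSTED_DOMAINS = {"microsoft.com", "partner.example"}
# Persona keywords reported in the campaign (technical support, Identity Protection).
PERSONA_TERMS = ("identity protection", "technical support", "microsoft", "helpdesk")
MFA_WINDOW = timedelta(minutes=15)  # assumption: correlation window after the chat

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def _ts(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)

def suspicious_sender(event: dict) -> bool:
    """External sender from an untrusted domain whose display name or domain
    carries a support/security persona keyword."""
    if not event["external"] or _domain(event["sender"]) in TRUSTED_DOMAINS:
        return False
    haystack = (event["display"] + " " + _domain(event["sender"])).lower()
    return any(t in haystack or t.replace(" ", "") in haystack for t in PERSONA_TERMS)

def triage(teams_events: list, mfa_events: list) -> list:
    """Return one alert per suspicious chat; severity is 'high' when the
    recipient received an MFA prompt within MFA_WINDOW after the request."""
    alerts = []
    for ev in teams_events:
        if not suspicious_sender(ev):
            continue
        t0 = _ts(ev["time"])
        prompted = any(m["user"] == ev["recipient"] and t0 <= _ts(m["time"]) <= t0 + MFA_WINDOW
                       for m in mfa_events)
        alerts.append({"recipient": ev["recipient"], "sender": ev["sender"],
                       "severity": "high" if prompted else "medium"})
    return alerts

# Constructed sample events (not real telemetry).
TEAMS_EVENTS = [
    {"time": "2023-06-01T09:00:00", "sender": "svc@msidprotection.onmicrosoft.com",
     "display": "Microsoft Identity Protection", "recipient": "alice@contoso.com", "external": True},
    {"time": "2023-06-01T09:30:00", "sender": "bob@partner.example",
     "display": "Bob", "recipient": "alice@contoso.com", "external": True},
    {"time": "2023-06-01T10:00:00", "sender": "it-support@smallbiz.example",
     "display": "Technical Support", "recipient": "carol@contoso.com", "external": True},
]
MFA_EVENTS = [{"time": "2023-06-01T09:04:00", "user": "alice@contoso.com", "method": "AuthenticatorNumberMatch"}]
```

Running `triage(TEAMS_EVENTS, MFA_EVENTS)` yields a high-severity alert for Alice (chat followed by an Authenticator prompt four minutes later) and a medium one for Carol, while Bob's message from a trusted partner domain is ignored.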

These findings come in the wake of recent attacks attributed to Midnight Blizzard, targeting diplomatic entities in Eastern Europe with a new backdoor called GraphicalProton. Additionally, new Azure AD (AAD) Connect attack vectors have been discovered, allowing cyber actors to create undetectable backdoors by stealing cryptographic hashes of passwords through a hash syncing process and conducting adversary-in-the-middle (AitM) attacks to intercept credentials.

The threat landscape continues to evolve, and attackers are employing increasingly sophisticated techniques to breach organizations' security defenses. All Microsoft 365 users and organizations are advised to remain vigilant against phishing attempts and to promptly apply the security updates provided by Microsoft. Regular user education and strong authentication practices, such as using MFA, are crucial to mitigating the risk of falling victim to such targeted attacks.
