Microsoft: Russia-backed Attackers Target Microsoft Teams Users

The company says cyber attackers are using a sophisticated ploy to lure Microsoft Teams users under the guise of a tech security chat request.

Shane Snider , Senior Writer, InformationWeek

August 2, 2023

2 Min Read
Microsoft Teams logo with a security padlock
Ink Drop via Alamy Stock

Microsoft on Wednesday said Russian government-backed cyber attackers known as Midnight Blizzard (also known as NOBELIUM or APT29) are targeting users of the Teams application through authentic-looking chat requests appearing as technical support staff.

The messages are an attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts, Microsoft Threat Intelligence warned in a blog post. Hackers used compromised Microsoft 365 accounts owned by small businesses to make new domains that appear to be technical support entities.

“This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques,” according to the blog post.

The investigation found fewer than 40 unique global organizations were affected by the latest attack campaign. Microsoft said Midnight Blizzard is targeting government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. “Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack.”

Midnight Blizzard (NOBELIUM) is a Russia-based threat actor the US and UK governments say are working with the Foreign Intelligence Service of the Russian Federation (known as SVR). The group’s efforts to collect intelligence for espionage efforts started in 2018.

Midnight Blizzard’s Cold Call Tactics Explained

Microsoft said there are three steps to the attack. First, a user receives a Teams request to chat from a user masquerading as technical support or security team member of the organization.

If the user accepts the message, a Teams message will follow attempting to convince them to enter a code into the Microsoft Authenticator app on a mobile device. Once the targeted user accepts the message request and enters the code into the app, the attackers are granted a token to authenticate as the targeted user and will gain access to the user’s Microsoft 365 account.

Microsoft lists several recommendations to reduce the risk of attack, including deploying phishing-resistant authentication methods, implementing conditional access authentication strength, specifying trusted Microsoft 365 organizations and more. (The complete list of recommendations can be viewed at the bottom of Microsoft’s blog post).

According to the company, there are more than 280 million active Teams users globally.

What to Read Next:

Cyber Espionage Attack Targets Microsoft Email Accounts

NSA Gives Assessment of Cyber Threats from Russia, China, and AI

What Does the National Cybersecurity Strategy Mean for Public and Private Stakeholders?

About the Author(s)

Shane Snider

Shane Snider

Senior Writer, InformationWeek, InformationWeek

Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.

See more from Shane Snider
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

NHL's Calgary Flames at New Jersey Devils on February 8, 2024 in Newark, NJ
IT Infrastructure
NHL, Presidio, and a Transformation Power Move with Hybrid CloudNHL, Presidio, and a Transformation Power Move with Hybrid Cloud
byJoao-Pierre S. Ruth
Apr 5, 2024
6 Min Read
Online Privacy Security Threat Abstract Background Art
Cyber Resilience
Cyber Risks When Job Hunters Become the HuntedCyber Risks When Job Hunters Become the Hunted
byCarrie Pallardy
Apr 9, 2024
9 Min Read
Business innovative solution and creative concept as a paper boat tied to a light bulb
IT Leadership
9 Ways to Ensure Continuous Innovation9 Ways to Ensure Continuous Innovation
byLisa Morgan
Apr 2, 2024
9 Slides
Hand charging an electric car, leaves and butterflies emerge from the cars exhaust, idea of sustainable transportation. Green energy, eco friendly
Sustainability
Sustainable Transportation Takes OffSustainable Transportation Takes Off
bySamuel Greengard
Mar 26, 2024
5 Min Read
Robotic hand takes a slice out of a coin, representing money
Machine Learning & AI
Special Report: What's Next for the GenAI Market in 2024?Special Report: What's Next for the GenAI Market in 2024
bySara Peters
Mar 12, 2024
3 Min Read
Webinars
More Webinars
White Papers
More White Papers
Live Events
More Live Events
Reports
More Reports
May 2, 2024
While there are plentiful options in cyber resiliency and business continuity tools and platforms, there isn’t one that can knock out everything from sudden cloud outages to prolonged ransomware attacks in a single punch. What can you do to keep the company on its feet no matter what is thrown at it? Find out in this new virtual event.
Reserve Your Seat Now