Microsoft has identified the bad actors responsible for a recent phishing attack on Teams.
The tech giant recently revealed that a Russian-government-linked hacking group is behind the phishing attacks that affected no more than 40 government organizations worldwide in the past few days.
Microsoft suggests that Teams users, particularly those in government organizations, start using phishing-resistant authentication methods to reduce their risk of falling victim to the hacking group.
From Russia With Love
Microsoft mentioned in its announcement that its Threat Intelligence found that the Midnight Blizzard hacking group was the perpetrator behind the phishing attacks on Microsoft Teams since late May.
The hacking group, previously tracked as NOBELIUM, utilized highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats to less than 40 organizations.
These organizations Midnight Blizzard targeted are connected to the government, NGOs, IT services, technology, discrete manufacturing, and media sectors.
Microsoft believes that the targeting of these organizations likely indicates specific espionage objectives by Midnight Blizzard. To get the credentials it wants, Midnight Blizzard used previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities.
With these domains from compromised tenants, the hacking group will then send Microsoft Teams messages to send lures to potential victims. The hacking group intends to manipulate its victims into approving multifactor authentication (MFA) prompts to give it access and steal its victim's credentials.
Read More: Canon Printers Retain Wi-Fi Information Even After Factory Reset
Since the messages came from the legitimate onmicrosoft.com domain, the fake Microsoft messages will appear trustworthy, giving potential victims a good reason to trust them. Thankfully, Microsoft has mitigated Midnight Blizzard from using the domains it compromised.
In the meantime, Microsoft continues to investigate the hacking group's activity and work to remediate the impact of its attack. The tech giant has also directly notified targeted or compromised customers, providing them with important information needed to secure their environments.
Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR, according to Microsoft. It is known to primarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers in the US and Europe.
The group's main goal is to collect intelligence through "longstanding and dedicated espionage of foreign interests," which it has done since early 2018.
The Russian embassy in Washington didn't immediately respond to a request for comment from Reuters as of press time.
How To Protect Yourself Against Phishing Attacks
Microsoft recommends users and companies start deploying phishing-resistant authentication methods to prevent bad actors from accessing their potentially compromised accounts. These methods include Microsoft Authenticator, security keys, and Certificate-based authentication, per Microsoft's Learn page.
Additionally, employees from affected companies must be alert for any suspicious logins in the foreseeable future and mark any suspicious logins as "This wasn't me."
Furthermore, Microsoft recommends that organizations specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
Related Article: Microsoft Teams Allows Spatial Audio for Immersive Conference Call
