Russian hackers use Microsoft Teams to target governments

The ultimate objective of the attack was to obtain the targeted users’ credentials

Microsoft has reported that a hacking group known as APT29, which is linked to Russia’s Foreign Intelligence Service (SVR), conducted phishing attacks on dozens of organisations worldwide, including government agencies, using Microsoft Teams.

According to Microsoft, this campaign targeted fewer than 40 unique global organisations and appeared to be focused on specific espionage objectives by a group called Midnight Blizzard. The targets included government agencies, non-governmental organisations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

The attackers used compromised Microsoft 365 tenants to create new technical support-themed domains and sent tech support lures to trick users of the targeted organisations through social engineering tactics. The goal was to manipulate users into granting approval for multifactor authentication (MFA) prompts, enabling the threat actors to steal their login credentials.

To appear more trustworthy, the threat actors sent messages from legitimate onmicrosoft.com domains, which are automatically used by Microsoft 365 for fallback purposes if a custom domain is not created.

The ultimate objective of the attack was to obtain the targeted users’ credentials. In some cases, the attackers tried to add a device to the organisation as a managed device via Microsoft Entra ID (formerly Azure Active Directory) to bypass conditional access policies restricting access to managed devices only.

Microsoft has successfully blocked the threat group from using the domains in other attacks and is actively working to address and mitigate the impact of the campaign.