A hacking group known as APT29, linked to Russia’s Foreign Intelligence Service (SVR), has launched phishing attacks through Microsoft Teams against organizations worldwide. The targets include not only government agencies but also organizations in sectors such as technology, manufacturing, and media.
Details of the Phishing Attacks
Microsoft’s internal investigation has revealed that fewer than 40 unique global organizations were impacted by this campaign. Named ‘Midnight Blizzard,’ the attack reveals a calculated approach towards achieving specific espionage objectives.
The Method
The attackers compromised Microsoft 365 tenants and used them to create technical-support-themed domains. From these tenants they sent tech-support lures over Teams, relying on social engineering to manipulate users. The goal was to get users to approve multifactor authentication (MFA) prompts, allowing the attackers to capture their credentials and take over their accounts.
Legitimate-Looking Domains
The domains were subdomains of ‘onmicrosoft.com’, a legitimate Microsoft domain that Microsoft 365 uses as a fallback domain for every tenant. Because the parent domain is genuine, the fake support messages could appear trustworthy to recipients.
According to Microsoft’s advisory, the hackers also tried to add devices to organizations as managed devices through Microsoft Entra ID, possibly to bypass certain conditional access policies.
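The lure described above relies on two observable signals: a Teams message from an external tenant whose fallback ‘onmicrosoft.com’ domain carries a support- or security-themed name, and message text pushing the recipient to act on an MFA prompt. The triage script below is an added example, not code from the article or from Microsoft; the record fields and the sample messages are constructed, and the keyword lists are assumptions to tune against your own tenant.

```python
import re
from dataclasses import dataclass

# Constructed record shape; field names are assumptions, not a real Teams log schema.
@dataclass
class TeamsMessage:
    sender_upn: str            # e.g. user@tenant.onmicrosoft.com
    sender_tenant_domain: str  # domain of the sending tenant
    is_external: bool          # message arrived via external access / federation
    text: str

# Assumed keyword lists modelled on the tech-support lure the article describes.
THEMED_TENANT = re.compile(r"(microsoft|msft|support|security|helpdesk|identity|protection)", re.I)
MFA_PUSH = re.compile(r"\b(mfa|authenticator|approve|verification code|sign.?in request)\b", re.I)
FALLBACK_SUFFIX = ".onmicrosoft.com"


def risk_reasons(msg: TeamsMessage, own_domains: set) -> list:
    """Return human-readable reasons a message deserves analyst attention (empty = benign)."""
    reasons = []
    domain = msg.sender_tenant_domain.lower()
    if domain in own_domains:          # internal senders are out of scope for this check
        return reasons
    if msg.is_external and domain.endswith(FALLBACK_SUFFIX):
        # onmicrosoft.com is legitimate, so this is a triage signal, not a block rule.
        reasons.append("external sender on onmicrosoft.com fallback domain")
        label = domain[: -len(FALLBACK_SUFFIX)]
        if THEMED_TENANT.search(label):
            reasons.append(f"support/security-themed tenant name: {label}")
    if MFA_PUSH.search(msg.text):
        reasons.append("message urges recipient to act on an MFA prompt")
    return reasons


def triage(messages, own_domains):
    """Return (sender, reasons) for every message that raised at least one reason."""
    return [(m.sender_upn, r) for m in messages if (r := risk_reasons(m, own_domains))]


# Constructed sample traffic for a tenant whose own domains are contoso.com and contoso.onmicrosoft.com.
OWN_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
SAMPLES = [
    TeamsMessage("agent@msftsecurityhelpdesk.onmicrosoft.com", "msftsecurityhelpdesk.onmicrosoft.com", True,
                 "Your account is flagged. Approve the sign-in request in your Authenticator app now."),
    TeamsMessage("alice@contoso.com", "contoso.com", False, "Can you approve my PTO request?"),
    TeamsMessage("bob@fabrikam.com", "fabrikam.com", True, "Draft contract attached for review."),
    TeamsMessage("carol@fabrikam.onmicrosoft.com", "fabrikam.onmicrosoft.com", True, "Meeting moved to 3pm."),
]

if __name__ == "__main__":
    for sender, reasons in triage(SAMPLES, OWN_DOMAINS):
        print(sender, "->", "; ".join(reasons))
```

The first sample trips all three signals, the partner on a plain fallback domain trips only the first, and the internal user is skipped even though the word "approve" appears.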
Microsoft has reported blocking the Russian group from using these domains for further attacks and is actively working to contain the impact of the campaign.
Recent Security Issues with Microsoft Teams
TeamsPhisher Tool for Phishing Attacks
Last month, Microsoft chose not to address a security flaw in Microsoft Teams that lets external tenants bypass the restriction on delivering files to a target organization’s users; a Python tool named TeamsPhisher automates the technique.
When Jumpsec security researchers reported the issue, Microsoft responded that the flaw did not warrant immediate servicing. Instead, it advised customers to treat unexpected messages with caution and to follow good security practices online.
Impact on Government Agencies
APT29’s social engineering attack has also reached government agencies, demonstrating that even well-protected entities can be substantially affected by such cyber strategies.
APT29’s History
The SolarWinds Phishing Attacks
The APT29 hacking group, associated with Russia’s Foreign Intelligence Service, orchestrated the SolarWinds supply-chain attack that breached several U.S. federal agencies three years ago.
Stealthy Malware
Since the SolarWinds incident, APT29 has continued to infiltrate organizations’ networks using stealthy malware such as TrailBlazer and a Linux variant of the GoldMax backdoor, which allowed the group to remain undetected for extended periods.
New Malware and Phishing Campaigns
More recently, Microsoft disclosed that APT29 is using new malware capable of seizing control of Active Directory Federation Services (ADFS) to log in as any user in Windows systems.
In addition, they have targeted Microsoft 365 accounts in NATO countries and launched a series of phishing campaigns aimed at governments, embassies, and high-ranking officials throughout Europe.
Conclusion
APT29’s latest phishing attacks through Microsoft Teams reflect a persistent and evolving threat. The incident underscores the importance of vigilance, adherence to security best practices, and continuous monitoring for potential vulnerabilities. Organizations must stay agile in responding to such threats to protect the integrity of their systems and data.