Midnight Blizzard: An Advanced Persistent Cyber Threat Leveraging Microsoft Teams for Social Engineering Attacks

In a recent report from Microsoft Threat Intelligence on August 2, 2023, the targeted social engineering activities of the hacking group, Midnight Blizzard (previously identified as NOBELIUM) has been laid bare. This hacker group is well-known for their strategic and sophisticated cyber-attacks, particularly using Microsoft Teams, a tool commonly used for remote work and collaboration.

The Modus Operandi

Midnight Blizzard cleverly initiates its attack by leveraging previously compromised Microsoft 365 tenants, primarily small businesses. They repurpose these compromised accounts to create domains that mimic technical support entities. The hackers then use these domains to send phishing lures via Microsoft Teams chats, specifically designed to steal credentials. This sophisticated social engineering strategy goes one step further by persuading targeted users to approve multifactor authentication (MFA) prompts, which provides the hackers with critical access to secured information.

Microsoft’s ongoing investigations reveal that fewer than 40 unique global organizations have been affected. The selection of targets suggests a specific objective of espionage by Midnight Blizzard, as their activities predominantly involve government bodies, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

Background on Midnight Blizzard

Midnight Blizzard, traced back to Russia, is an active threat actor associated with the Foreign Intelligence Service of the Russian Federation, also known as the SVR. They’ve been operating since 2018 and primarily target governments, diplomatic entities, NGOs, and IT service providers in the U.S. and Europe.

The group employs an array of techniques to gain unauthorized access, including stolen credentials, supply chain attacks, exploiting on-premises environments to access cloud services, and compromising service providers’ trust chains to access downstream customers. Advanced techniques such as compromising authentication mechanisms and the use of the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB are also in their arsenal.

Anatomy of the Attack

The latest phishing attack by Midnight Blizzard, identified since late May 2023, follows a specific pattern that involves token theft techniques for initial access into targeted environments.

In their most recent attack, they have acquired valid account credentials or targeted users with passwordless authentication configured on their accounts. The targeted user receives a Microsoft Teams chat request from a user posing as a technical support or security team member. The hacker then prompts the user to enter a code into their Microsoft Authenticator app, which then allows the hacker to authenticate as the user and gain access to their Microsoft 365 account.

Preventive Measures and Recommendations

Microsoft suggests several mitigations to decrease the threat from such attacks:

1. Implement phishing-resistant authentication methods.
2. Require phishing-resistant authentication for critical apps through Conditional Access authentication strength.
3. Define which external domains are allowed or blocked for chatting and meeting via Microsoft 365 organizations.
4. Keep Microsoft 365 auditing enabled for potential future investigations.
5. Understand and select the best access settings for external collaboration.
6. Only allow known devices that adhere to Microsoft’s recommended security baselines.
7. Educate users about social engineering and credential phishing attacks, including the importance of not entering MFA codes received unsolicited.
8. Inform Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities and to never share their account information or authorize sign-in requests over chat.
9. Encourage users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
10. Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.

Microsoft Threat Intelligence will continue to investigate this activity and take appropriate actions to mitigate the impact of these attacks. In the meantime, awareness, preparedness, and user education remain vital tools in combating the relentless and sophisticated threat of Midnight Blizzard.