A Russian government-linked hacking group took aim at dozens of global organizations with a campaign to steal login credentials by engaging users in Microsoft Teams chats pretending to be from technical support, Microsoft researchers said on Wednesday.
These “highly targeted” social engineering attacks have affected “fewer than 40 unique global organizations” since late May, Microsoft researchers said in a blog, adding that the company was investigating.
The Russian embassy in Washington did not immediately respond to a request for comment.
The hackers set up domains and accounts that looked like technical support and tried to engage Teams users in chats and get them to approve multifactor authentication (MFA) prompts, the researchers said.
“Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack,” they added.
Teams is Microsoft’s proprietary business communication platform, with more than 280 million active users, according to the company’s January financial statement.
MFA is a widely recommended security measure aimed at preventing hacking or stealing of credentials. The Teams targeting suggests hackers are finding new ways to get past it.
The hacking group behind this activity, known in the industry as Midnight Blizzard or APT29, is based in Russia, and the UK and US governments have linked it to the country’s foreign intelligence service, the researchers said.
“The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at the government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors,” they said, without naming any of the targets.
“This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques,” the researchers wrote.
Midnight Blizzard has been known to target such organizations, primarily in the US and Europe, going back to 2018, they added.
The hackers used already-compromised Microsoft 365 accounts owned by small businesses to make new domains that appeared to be technical support entities and had the word “Microsoft” in them, according to details in the Microsoft blog. Accounts tied to these domains then sent phishing messages to bait people via Teams, the researchers said.
© Thomson Reuters 2023