Microsoft has reported that Midnight Blizzard, a Russian Hacking Group has been conducting phishing attacks over Microsoft Teams. These hackers are targeting a large set of Teams users including small-scale organizations and even government entities for stealing confidential information. Midnight Blizzard has actively targeted Microsoft in the past as well.
Mircosoft published a blog where they warned people to be aware of these phishing attacks. Hackers are using token theft techniques to gain access to some domain names containing the word “Microsoft” and then posing as official technical support or Identity Protection Staff on Teams.
If the user accepts the Teams invitation, then the hacker lures the user into entering a security code from the Microsoft Authenticator App. This way, the hacker gets access to the entire Microsoft 365 account of the user.
Such compromised Microsoft Accounts are then used to gain access and in some cases full control of the organization to which the Microsoft account belongs. Hackers are able to bypass restrictions to protected files, as they already gained access to a company account.
Microsoft also reports that hackers also try to add new unauthorized devices to the company directory using Microsoft Entra ID. This gives the hacker multi-point access to the company, which then becomes difficult to stop.
As per Microsoft, this current phishing attack has been active since May 2023 and has affected multiple companies using Microsoft 365 Organizations.
Microsoft has recommended some safety measures to prevent such kinds of phishing attacks. These include:
- Deploying phishing-resistant authentication methods.
- Blocking external domains on Micorosft 365 organizations.
- Using Microsoft 354 Audit for helping in investigation, if an attack is carried out.
- Educating employees to identify trusted external accounts.
- Implementing Conditional App Control in Microsoft Defender for Cloud, so that unauthorized users cannot add new devices to the system.
- Using single-use access tokens for temporary systems that are valid for a limited time.
This is not the first where Midnight Blizzard (Previously identified as NOBELIUM) has targeted Microsoft systems. Attacks from this hacking group over Microsoft date back to as early as 2018.
Their most recent attack called MagicWeb was a malware that specifically attacked server-based systems. However, the technique of the attack was similar to the current one, where the malware would deploy DLL files that used to behave as officially signed files by Microsoft. Once these files were placed in the system, hackers would get unrestricted access to the server, without leaving any warning to the user.
The Midnight Blizzard hacking group is known for creating such stealth attacks. While Microsoft does manage to provide fixes to the loopholes exploited by hackers, it is often very late by the time the patch actually arrives.
