Microsoft has identified Midnight Blizzard, a Russian government-affiliated hacker group, as the driving force behind a series of recent phishing attacks via Teams. The state hackers allegedly targeted European and U.S. organizations in particular.
According to Microsoft, the Midnight Blizzard hackers, previously known as Nobelium, have ties to the Russian foreign intelligence service SVR. In these attacks, the hackers use already compromised data of Microsoft 365 users, especially small businesses, to set up new fake (Microsoft) domains or accounts. These fake domains and accounts pose as technical support for Microsoft solutions.
The hackers then start conversations via Teams and try to get victims to accept MFA requests. This allows them to bypass this security measure and gain access to victims’ accounts and possibly the underlying business systems.
Microsoft investigates impact
Already, 40 unique global companies and organizations are believed to have been attacked in this way. In particular, these include government organizations, NGOs, specialty manufacturing companies and the media sector.
Microsoft is investigating the new method of attack and its impact. The compromised accounts and environments that were found have since been blocked.
The tech giant has published a list of possible indicators of a Midnight Blizzard attack, along with measures companies and organizations can take to prevent an attack or reduce its likelihood.