Midnight Blizzard Unleashes Relentless Phishing Attacks Via Microsoft Teams
Former Nobelium Threat Actor Ramps Up Campaigns

Overt Operator
September 11, 2023
Microsoft Threat Intelligence has discovered a series of highly targeted social engineering attacks involving credential theft phishing lures sent as Microsoft Teams chats.
The threat actor behind these attacks, known as Midnight Blizzard (previously tracked as NOBELIUM), has been employing both new and common techniques to carry out their objectives. By using compromised Microsoft 365 tenants owned by small businesses, Midnight Blizzard creates new domains that appear to be legitimate technical support entities.
Midnight Blizzard uses compromised domains to send Teams messages to targeted organizations, attempting to steal credentials by engaging users and eliciting approval of multifactor authentication (MFA) prompts.
As with any social engineering scheme, organizations are advised to reinforce security best practices among their users and treat any authentication requests not initiated by the user as malicious.
According to Microsoft's investigation, this campaign has affected fewer than 40 unique global organizations. The nature of the targeted organizations suggests that Midnight Blizzard's espionage objectives are focused on government entities, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
Microsoft has taken steps to mitigate the use of the compromised domains and continues to investigate the activity and remediate the impact of the attack. Affected customers have been notified and provided with important information to secure their environments.
Midnight Blizzard, also known as NOBELIUM, is a threat actor based in Russia and attributed to the Foreign Intelligence Service of the Russian Federation. They primarily target governments, diplomatic entities, NGOs, and IT service providers in the US and Europe. Their operations aim to collect intelligence through long-term espionage, and they have been active since 2018.
Midnight Blizzard draws on an arsenal of initial access methods. From stolen credentials to supply chain attacks, exploitation of on-premises environments, and compromise of trusted service providers, the actor has reportedly developed a robust threat toolkit.
Midnight Blizzard's latest credential phishing attack follows their usual patterns, including token theft techniques for initial access, authentication spear-phishing, password spray, brute force attacks, and other credential-based methods. In the recent activity observed since May 2023, the actor has used security-themed domain names in their lures.
To carry out their attacks, Midnight Blizzard compromises small business-owned Microsoft 365 tenants, renames the compromised tenant, adds a new subdomain, and creates a new user associated with that domain. The actor uses security-themed or product name-themed keywords to create a subdomain and tenant name that lend legitimacy to their messages. Microsoft has taken action to prevent the actor from using these domains.
This social engineering attack chain involves the actor either obtaining valid credentials for targeted users or targeting users with passwordless authentication configured on their accounts. In both cases, the user is prompted to enter a code displayed during the authentication flow into the Microsoft Authenticator app.
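One way to hunt for the chain described above, added here as an example and not taken from Microsoft's report: flag an approved MFA sign-in that follows a Teams chat sent to the same user from an external domain with a security-themed name. The event field names, keyword list, 30-minute window, and all domains are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed keyword list and window; the article names no specific values.
LURE_KEYWORDS = ("security", "support", "helpdesk", "protection", "compliance")
WINDOW = timedelta(minutes=30)

def is_lure_domain(domain, own_domains):
    """True for an external sender domain with a themed keyword in any label."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in own_domains):
        return False  # internal sender, out of scope for this check
    return any(k in label for label in d.split(".") for k in LURE_KEYWORDS)

def correlate(chats, signins, own_domains, window=WINDOW):
    """Pair each approved MFA sign-in with an earlier external lure chat
    sent to the same user no more than `window` before it."""
    lures = [c for c in chats if is_lure_domain(c["sender_domain"], own_domains)]
    hits = []
    for s in signins:
        if not s["mfa_approved"]:
            continue  # denied or unanswered prompts are not a completed approval
        for c in lures:
            gap = s["time"] - c["time"]
            if c["recipient"] == s["user"] and timedelta(0) <= gap <= window:
                hits.append((s["user"], c["sender_domain"], c["time"], s["time"]))
    return hits

def t(hhmm):
    """Build a timestamp on a constructed sample day."""
    return datetime.strptime("2023-08-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events (not real telemetry; field names are hypothetical).
OWN = {"contoso.example"}
CHATS = [
    {"time": t("09:00"), "sender_domain": "security-desk.smallbiz.example", "recipient": "alice@contoso.example"},
    {"time": t("09:05"), "sender_domain": "sales.partner.example", "recipient": "bob@contoso.example"},
    {"time": t("10:00"), "sender_domain": "it-support.contoso.example", "recipient": "carol@contoso.example"},
]
SIGNINS = [
    {"time": t("09:12"), "user": "alice@contoso.example", "mfa_approved": True},
    {"time": t("09:10"), "user": "bob@contoso.example", "mfa_approved": True},
    {"time": t("10:05"), "user": "carol@contoso.example", "mfa_approved": True},
    {"time": t("11:00"), "user": "alice@contoso.example", "mfa_approved": True},
]

if __name__ == "__main__":
    for user, domain, chat_time, signin_time in correlate(CHATS, SIGNINS, OWN):
        print(f"review: {user} approved MFA at {signin_time} after chat from {domain} at {chat_time}")
```

A hit is a lead for review, not a verdict: confirm with the user whether they initiated the sign-in that the approval belongs to.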
As the investigation into Midnight Blizzard's activities continues, Microsoft emphasizes the importance of organizations reinforcing security practices among their users and being cautious of any suspicious or unexpected authentication requests. By staying informed and vigilant, organizations can better protect themselves against evolving cyber threats.