SecurityWeek

Cloud Security

Microsoft Catches Russian Government Hackers Phishing with Teams Chat App

Microsoft says a Russian government-linked hacking group is using its Microsoft Teams chat app to phish for credentials at targeted organizations.


Software giant Microsoft on Wednesday sounded an alarm after catching a known Russian government-linked hacking group using its Microsoft Teams chat app to phish for credentials at targeted organizations.

According to a research report from Redmond’s Threat Intelligence team, the hacking team is linked to the Foreign Intelligence Service of the Russian Federation (also known as the SVR) and has been caught targeting government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

Microsoft tracks the actor as ‘Midnight Blizzard’ (formerly Nobelium) and warns that the group is using Microsoft 365 tenants of small businesses it compromised in earlier attacks to create new onmicrosoft.com subdomains that pose as technical-support or security entities.

From accounts on those lookalike domains, the researchers found, the hackers send Microsoft Teams chat messages that lure a targeted user into completing a multifactor authentication (MFA) prompt on the attacker’s behalf, which hands the attacker a session for that user’s account.

The company said it has traced the targeting to “fewer than 40 unique global organizations,” suggesting a highly surgical cyberespionage operation against targets in the U.S. and Europe.

Microsoft’s researchers provided technical documentation of the newest credential phishing attack, which includes the use of security-themed domain names in lures.

From the report:


“To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant.

The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.”
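The renamed-tenant trick described above is something a defender can triage from the sender address of external Teams chat requests. The following script is an added example, not code from Microsoft’s report or from SecurityWeek: it folds common homoglyph substitutions, looks for security- and product-themed keywords in the tenant-chosen part of the domain, and ranks onmicrosoft.com senders that match the report’s pattern highest. The sample sender addresses are constructed, and the keyword list, brand list and homoglyph table are assumptions chosen to illustrate the technique.

```python
"""Triage external Teams chat senders for lookalike support/security tenants.

Added example, not from Microsoft's report or from SecurityWeek. The sender
addresses below are constructed; the keyword list, brand list and homoglyph
table are assumptions chosen to illustrate the technique.
"""
import unicodedata

# Security- and product-themed words the report says the actor builds tenant
# names from. Which words to watch for is an assumption.
SUSPECT_KEYWORDS = ("security", "secure", "support", "helpdesk", "identity",
                    "protection", "microsoft", "msft", "teams", "admin")
# Brands whose spelling is compared before and after homoglyph folding.
BRANDS = ("microsoft", "msft", "teams")

# Look-alike substitutions folded back to the letter they imitate (assumed subset).
SINGLE_HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0455": "s", "\u0456": "i",                  # Cyrillic look-alikes
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",  # digit/symbol swaps
}
MULTI_HOMOGLYPHS = (("rn", "m"), ("vv", "w"))


def fold_homoglyphs(text: str) -> str:
    """Normalise Unicode, lower-case, then replace look-alike sequences."""
    folded = unicodedata.normalize("NFKC", text).lower()
    for seq, repl in MULTI_HOMOGLYPHS:
        folded = folded.replace(seq, repl)
    return "".join(SINGLE_HOMOGLYPHS.get(ch, ch) for ch in folded)


def assess_sender(upn: str) -> dict:
    """Score one sender address (user@domain) from an external Teams chat request."""
    _, _, domain = upn.rpartition("@")
    domain = domain.lower()
    is_onmicrosoft = domain.endswith(".onmicrosoft.com")
    # The part the tenant owner chose: the subdomain for onmicrosoft.com,
    # otherwise the whole domain.
    chosen = domain[: -len(".onmicrosoft.com")] if is_onmicrosoft else domain
    folded = fold_homoglyphs(chosen)
    keywords = sorted(k for k in SUSPECT_KEYWORDS if k in folded)
    # A brand that appears only after folding was spelled with look-alikes.
    homoglyph_of = sorted(b for b in BRANDS if b in folded and b not in chosen)
    if is_onmicrosoft and (keywords or homoglyph_of):
        risk = "high"      # the report's pattern: renamed tenant plus themed subdomain
    elif keywords or homoglyph_of:
        risk = "medium"
    else:
        risk = "low"
    return {"upn": upn, "onmicrosoft": is_onmicrosoft, "keywords": keywords,
            "homoglyph_of": homoglyph_of, "risk": risk}


def triage(upns):
    """Return assessments for senders worth a human look, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    flagged = [a for a in map(assess_sender, upns) if a["risk"] != "low"]
    return sorted(flagged, key=lambda a: order[a["risk"]])


# Constructed sample of external chat senders (not real data).
SAMPLE_SENDERS = [
    "helpdesk@microsoft-security-support.onmicrosoft.com",
    "it.support@rnicrosoft-identity.onmicrosoft.com",
    "supp0rt@ms-supp0rt.example",
    "alice@contoso.onmicrosoft.com",
    "bob@partner.example",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_SENDERS):
        print(f"{hit['risk']:6} {hit['upn']}  keywords={hit['keywords']} "
              f"homoglyph_of={hit['homoglyph_of']}")
```

The keyword and homoglyph lists are deliberately small; in practice they would be tuned to the product names your users expect to hear from, and the output would feed a review queue rather than an automatic block, since legitimate partners also live on onmicrosoft.com domains.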

Microsoft said the group appears either to have obtained valid credentials for the users it is targeting, or to be targeting users whose accounts are configured for passwordless authentication. In both cases the sign-in flow displays a number that the user must type into the prompt shown by the Microsoft Authenticator app on their mobile device (number matching), so the attacker needs the user to enter a number the user never saw.

“After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device,” the researchers explained.

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the APT group gets a token to authenticate as the targeted user. 

“The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.”
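The exchange described in the two paragraphs above, as an added example that is not code from Microsoft or SecurityWeek: a tiny simulated identity provider stands in for Entra ID with Authenticator number matching, and the attacker, the victim’s phone and the Teams lure are modelled as separate parties. It shows why a blind tap cannot complete the prompt (the push carries no number), why a relayed number does, and that the sign-in context shown on the phone is what is left for the user to check. The session format, the attacker’s origin address and the Teams message text are constructed for illustration.

```python
"""Model of the number-matching MFA relay described in the report.

Added example, not code from Microsoft or SecurityWeek. A tiny simulated
identity provider stands in for Entra ID + Microsoft Authenticator; the
session format, the attacker's origin and the Teams message are constructed.
"""
import random
from dataclasses import dataclass


@dataclass
class PendingSignIn:
    session: str
    number: int    # shown on the sign-in page, i.e. to whoever supplied the password
    user: str
    origin: str    # where the sign-in request came from


class IdentityProvider:
    """Simulated IdP with Authenticator-style number matching (assumed model)."""

    def __init__(self, rng):
        self.rng = rng
        self.pending = {}
        self.issued = []

    def begin_signin(self, user, origin):
        """Password (or passwordless) step done: show a 2-digit number on the page."""
        session = f"s{len(self.pending) + len(self.issued) + 1}"
        self.pending[session] = PendingSignIn(session, self.rng.randrange(100), user, origin)
        return session, self.pending[session].number

    def push_to_authenticator(self, session):
        """The phone gets context only; the number is deliberately not sent."""
        p = self.pending[session]
        return {"session": session, "app": "Office 365", "origin": p.origin}

    def complete(self, session, typed):
        """Issue a token only if the number typed on the phone matches."""
        p = self.pending.pop(session)
        if typed is None or typed != p.number:
            return None
        token = f"access-token:{p.user}:{session}"
        self.issued.append(token)
        return token


@dataclass
class Victim:
    upn: str
    location: str
    checks_context: bool = False

    def respond(self, prompt, relayed_number):
        """What the user does with the push: type a number, or decline."""
        if self.checks_context and prompt["origin"] != self.location:
            return None          # sign-in is not coming from where she is: decline
        return relayed_number    # None if nobody told her a number


def run_lure(seed, attacker_has_teams=True, victim_checks_context=False):
    """Play out one attempt; returns the token (or None), the lure and the push."""
    idp = IdentityProvider(random.Random(seed))
    victim = Victim("alice@contoso.example", "Berlin, DE", victim_checks_context)
    # 1. The actor signs in with the victim's credentials from its own host.
    session, number = idp.begin_signin(victim.upn, "203.0.113.5")  # constructed origin
    # 2. The victim's phone receives a push carrying context but no number.
    prompt = idp.push_to_authenticator(session)
    # 3. Over Teams, from a lookalike tenant, the actor tells the victim the number.
    lure = None
    if attacker_has_teams:
        lure = (f"[Teams] helpdesk@msft-security.onmicrosoft.com: "  # constructed sender
                f"please enter {number:02d} in Authenticator to keep your account secure")
    # 4. The victim types what she was told (or has nothing to type / declines).
    typed = victim.respond(prompt, number if attacker_has_teams else None)
    # 5. The IdP hands the actor a token for the victim's account if the number matched.
    return {"token": idp.complete(session, typed), "lure": lure, "prompt": prompt}


if __name__ == "__main__":
    scenarios = [("relayed number", {}),
                 ("blind approval (no number)", {"attacker_has_teams": False}),
                 ("user checks sign-in origin", {"victim_checks_context": True})]
    for name, kwargs in scenarios:
        result = run_lure(seed=7, **kwargs)
        print(f"{name:28} -> token issued: {result['token'] is not None}")
```

The model deliberately leaves out what the real service does after the token is issued; the point is that number matching binds the approval to a sign-in only when the person typing the number is the one who saw it, which the Teams lure undoes.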

Once access is obtained, Microsoft said it observed post-compromise activity that includes information theft from the compromised Microsoft 365 tenant. In some cases the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely to circumvent conditional access policies that restrict access to specific resources to managed devices only. Tenant settings that limit which users may register or join devices, and policies that require a compliant device rather than any registered one, narrow that path.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
