A Russian government-linked hacking group targeted dozens of global organizations in a campaign to steal login credentials by engaging users in Microsoft Teams chats while posing as technical support. These “highly targeted” social engineering attacks have affected “fewer than 40 unique global organizations” since late May, Microsoft researchers said in a blog post, adding that the company was investigating. The hackers, whom Microsoft identifies as Midnight Blizzard (previously known as Nobelium) and who are also tracked as APT29, use previously compromised Microsoft 365 tenants owned by small businesses to create new domains and send tech-support-themed lures that trick victims into approving multifactor authentication prompts.
“Microsoft has mitigated the actor from using the domains and is continuing to investigate the impact of this campaign,” the company said in a statement. It did not provide more details about the attack victims beyond describing them as “organizations operating in the government, IT services, technology, discrete manufacturing, and media sectors.” The company also warned that the hackers could obtain initial access by taking control of a device through a vulnerability in its Azure Active Directory service, which let them bypass conditional access policies configured to restrict access to specific resources to managed devices only.
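The lure described above ends with a victim approving a multifactor authentication prompt they did not initiate. One defender-side check for that pattern is to look for a burst of denied or timed-out MFA prompts for one account followed shortly by an approval. The following is an added example, not code from the article or from Microsoft; the sign-in events are constructed, and the field names (`time`, `user`, `mfa_result`) are an assumption of this example rather than the Entra ID sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Field names are an
# assumption for this example, not the exact Entra ID / Azure AD log schema.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T09:00:05Z", "user": "alice@example.org", "mfa_result": "denied"},
    {"time": "2023-06-01T09:00:40Z", "user": "alice@example.org", "mfa_result": "timeout"},
    {"time": "2023-06-01T09:01:10Z", "user": "alice@example.org", "mfa_result": "denied"},
    {"time": "2023-06-01T09:02:00Z", "user": "alice@example.org", "mfa_result": "approved"},
    {"time": "2023-06-01T09:00:00Z", "user": "bob@example.org", "mfa_result": "approved"},
    {"time": "2023-06-01T11:00:00Z", "user": "bob@example.org", "mfa_result": "denied"},
]


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=10)):
    """Flag accounts that approved an MFA prompt after a burst of rejected ones.

    A hit is an 'approved' event preceded, within `window`, by at least
    `min_prompts - 1` 'denied' or 'timeout' events for the same user. Returns a
    list of dicts describing each hit so the caller can alert or investigate.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append((parse_time(event["time"]), event["mfa_result"]))

    hits = []
    for user, user_events in by_user.items():
        user_events.sort()  # chronological order; timestamps may arrive unsorted
        for index, (approved_at, result) in enumerate(user_events):
            if result != "approved":
                continue
            prior_rejections = [
                r for (t, r) in user_events[:index]
                if approved_at - t <= window and r in ("denied", "timeout")
            ]
            if len(prior_rejections) >= min_prompts - 1:
                hits.append({
                    "user": user,
                    "approved_at": approved_at.isoformat(),
                    "prior_prompts": len(prior_rejections),
                })
    return hits


if __name__ == "__main__":
    for hit in find_mfa_fatigue(SAMPLE_EVENTS):
        print(f"possible MFA fatigue: {hit}")
```

A single approval after repeated rejections is an investigation lead, not proof of compromise; pairing it with the originating Teams chat or an unfamiliar sender tenant narrows the false positives.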
The attack is a sign that hackers have found a way around the built-in security features of Teams, which the company says has more than 280 million users worldwide. It also raises concerns about how much more work it might take to secure the business communication tool.
Microsoft has been criticized for not quickly addressing security flaws in its online products. In addition to the flaws that allowed hackers to view source code for Microsoft’s products, a worm circulating in the wild takes advantage of a flaw in Teams that lets users bypass restrictions on incoming files simply by typing the word ‘accept’ into a chat.
Despite the recent setbacks, Microsoft is still pushing ahead with plans to boost cybersecurity protection for political campaigns and election agencies that use its software. The company will offer expanded protections for free to candidates and campaign offices at the federal, state, and local levels, along with think tanks and other political organizations that use its Office 365 tools.
The move comes as the company and other Silicon Valley companies increasingly acknowledge that Russian hackers are trying to influence the upcoming midterm elections. They are working to respond more aggressively than in 2016, when many woke up to the threat only after the fact. The effort will also include a push to make it easier for security staff to find and remove malware and to share threat information across companies, which could prevent attackers from hitting multiple targets in parallel. Those efforts are part of an industry-wide initiative to address the threat from Russia more broadly. Other companies, including Google and Facebook, have announced similar initiatives to fight disinformation campaigns ahead of November’s vote.