Russian APT phished government employees via Microsoft Teams

An APT group linked to Russia’s Foreign Intelligence Service has hit employees of several dozen global organizations with phishing attacks via Microsoft Teams, says Microsoft.

A social engineering attack to bypass MFA protection

“To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant,” the company explained.

The actor-controlled subdomains and new tenant names incorporated product- or security-related keywords (e.g., azuresecuritycenter or teamsprotection, or a tenant name such as “Microsoft Identity Protection”).

The actor would then send a Microsoft Teams message request to the target employees and, if they accepted, they would receive a Microsoft Teams message urging them to enter a code into the Microsoft Authenticator app on their mobile device.

Image: Microsoft Teams chat request from the threat actor (Source: Microsoft)

If they followed the instructions, the threat actor would receive a token to authenticate to the user’s Microsoft 365 account.

“The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.”

Microsoft says that the targets in this campaign were government and non-government organizations, and organizations in the IT services, technology, discrete manufacturing, and media sectors.

Midnight Blizzard (aka Nobelium, APT29, or Cozy Bear) has for many years focused on targets in the US and Europe and on collecting intelligence that can help advance the interests of the Russian Federation.

The company is still investigating how legitimate Azure tenants were compromised; the malicious subdomains have, of course, been taken down.

Closing attack avenues

That this kind of targeted attack is occasionally successful should not come as a surprise. The attackers are using clever social engineering techniques and lures, and they rely on the fact that many users still inherently trust identities in Teams and messages received via the platform.

They are also taking advantage of the fact that many organizations using Microsoft Teams have not changed Microsoft’s default configuration, which allows M365 users outside the organization to reach out to inside users (though the message will be flagged as coming from outside the company).

This easily exploitable feature was recently highlighted by Jumpsec researchers, who discovered that it is also easy to deliver malware directly into a Teams user’s inbox even though Teams’ default configuration does not allow it. A few weeks later, red teamer Alex Reid released a tool called TeamsPhisher that automates that aspect of the attack.

Until (and if) Microsoft decides to fix both of these issues or move to minimize their potential for social engineering attacks, organizations are advised to teach employees how to spot social engineering and credential phishing attacks and to never share their account information or authorize sign-in requests over chat.

Microsoft also urges organizations to start deploying phishing-resistant authentication methods for users, and either prevent external tenants from being able to contact employees via Teams or limit who can contact them (e.g., only users from trusted M365 organizations).
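The last recommendation, limiting which external tenants can message employees, is a tenant-level setting that can be audited and changed with the Teams PowerShell module. The script below is an added example, not code from the article or from Microsoft; it assumes the MicrosoftTeams module is installed, that the signed-in account holds the Teams Administrator role, and that contoso.com and fabrikam.com are placeholder partner domains to be replaced with the organizations you actually trust.

```powershell
# Added example (not from the article or from Microsoft): audit and tighten
# Microsoft Teams external access with the Teams PowerShell module.
# Assumptions: MicrosoftTeams module installed, Teams Administrator rights,
# and placeholder trusted domains "contoso.com" / "fabrikam.com".

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Show the current federation settings. The default that matters here is
#    AllowFederatedUsers = True with an open allow list, which lets any M365
#    tenant (including a renamed onmicrosoft.com tenant) open a chat request.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowedDomains, BlockedDomains

# 2. Option A: keep external chat, but only from an explicit list of trusted tenants.
#    Placeholder domains; replace with the partner organizations you trust.
$trustedDomains = @("contoso.com", "fabrikam.com") |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $trustedDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Stop unmanaged (consumer) Teams accounts from reaching users as well.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Option B (stricter): block chat from every external tenant.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 4. Re-read the configuration to confirm the change is in effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Run step 1 on its own first: an open allow list together with AllowFederatedUsers set to True is exactly the default the campaign relied on. Moving to an explicit allow list (option A) still lets legitimate partner tenants collaborate, while a tenant the attackers set up under a freshly added onmicrosoft.com subdomain can no longer send a chat request at all; combine this with phishing-resistant authentication, since the allow list does nothing against a lure delivered over email or another channel.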
