Russian Hackers were behind the Microsoft teams phishing attacks

It’s no secret over the past few months, Microsoft has had a tough time with security breaches. Now, in another concerning development, the company has recently discovered a series of highly sophisticated phishing attacks orchestrated by a Russian government-linked hacking group named Midnight Blizzard, which targeted organizations and governments by posing as technical support staff on Microsoft Teams.

How did the hack work?

Instead of using regular hacking attempts, the hackers utilized clever social engineering techniques and leveraged already-compromised Microsoft 365 accounts owned by small businesses to create deceptive domains that appeared to be legitimate technical support entities. Once these fake accounts were up and running, the hackers then sent Teams messages containing phishing lures, aiming to steal credentials from targeted organizations and ultimately trick them into approving multifactor authentication (MFA) prompts. The MFA authentication allowed the hackers to perform an account takeover.

Additionally, in an effort to bypass conditional access policies, the hackers occasionally tried to add a device to the organization as a managed device through Microsoft Entra ID (formerly known as Azure Active Directory).

Furthermore, Microsoft says that they have been monitoring these attacks since late May 2023, and they have affected around 40 organizations globally, spanning various sectors, including government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media.

Microsoft’s response

In response to the phishing attacks, Microsoft has taken immediate steps and blocked the use of malicious domains in Teams. Additionally, the company is also actively investigating the matter and working towards securing affected organizations. However, until then the investigation is complete, the company has advised users and organizations to exercise caution when engaging with unfamiliar support accounts.

“As with any social engineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious,” reads Microsoft’s blog post.