Microsoft's Threat Intelligence team detected a series of highly targeted credential theft phishing attacks that sent lures sent as Microsoft Teams chats.
According to a new report by the Redmond-based tech giant, researchers have attributed the attacks to APT29, also known as Cozy Bear and DarkHalo, who Microsoft tracks as Midnight Blizzard (previously NOBELIUM).
Summarizing the attack, researchers noted,
...the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.
Microsoft also noted that fewer than 40 organizations were impacted by the attack campaign, further illustrating the highly targeted nature of the campaign.
Organizations ranged from government departments to non-government organizations (NGOs), as well as IT services, technology, discrete manufacturing, and media sectors. The targeted sectors suggest that the campaign's primary goals are related to cyber espionage.
Microsoft stated it had mitigated the actor from using the compromised domains and continues investigating this activity and working to remediate the attack's impact. Further, Microsoft notified targeted or compromised customers and provided remediation assistance.
APT29 is perhaps best known recently for being the threat group behind the SolarWinds supply chain attack that made international headlines.
The US and UK governments have provided evidence to link APT29 to the Foreign Intelligence Service of the Russian Federation, also known as the SVR.
Primarily the group focuses on targeting governments and associated departments, diplomatic entities, non-government organizations (NGOs), and IT service providers, primarily in the US and Europe.
Operations are centered around data collection and exfiltration, with cyber espionage being the driving factor in their creation. The group's tactics center around the compromise of valid accounts.
This is followed by using advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection for as long as it is deemed fit.
Based on Microsoft's findings, this campaign centered around a spear phishing campaign to gain credentials that would allow the threat actors privileged access to IT infrastructure.
Since May 2023, APT29 has used a combination of token theft techniques for initial access into targeted environments and several other tactics, including authentication spear-phishing, password spray, and brute force attacks where collections of weak username and password combinations are injected into login portals in the hope that an admin has used such a combination.
This campaign uses similar tactics, helping Microsoft's Threat Intelligence team attribute the campaign to APT29.
In this campaign, APT29 used a combination of security-themed lures and previously compromised domains to carry out credential phishing attacks on victims. Microsoft noted,
To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant. The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation.
In cases where the victim employed Multifactor Authentication (MFA), the threat actor will target the specific user via Microsoft Teams and use a variety of social engineering tactics to get them to provide the threat actor with the MFA code.
To successfully achieve this, the threat actor begins by sending the target a Microsoft Teams message request masquerading as a technical support or security team member.
If the request is accepted, the user receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device. The real work begins if the threat actor is given the token.
Microsoft notes that the operations then turn to post-compromise activity, typically involving information theft from the compromised Microsoft 365 tenant. In some cases, the threat actor attempts to add a device to the organization as a managed device via Microsoft Entra ID.
This is believed to be an attempt to circumvent conditional access policies that restrict access to specific resources to managed devices only as an additional security measure.
To reduce the risk posed by APT29 or other advanced persistent threat groups with similar tactics, Microsofts recommends the following measures be adopted when using Microsoft Teams and 365:
- Pilot and start deploying phishing-resistant authentication methods for users.
- Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
- Keep Microsoft 365 auditing enabled to investigate audit records if required.
- Understand and select the best access settings for external collaboration for your organization.
- Allow only known devices that adhere to Microsoft's recommended security baselines.
- Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited message.
- Educate Microsoft Teams users to verify 'External' tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
- Educate users to review sign-in activity and mark suspicious attempts as "This wasn't me".
- Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.