Microsoft Threat Intelligence has identified a highly targeted social engineering campaign conducted by Midnight Blizzard (previously tracked as NOBELIUM).
The attacker uses compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities.
Using new domains from compromised tenants, Midnight Blizzard leverages Microsoft Teams messages to steal credentials.
It targets organizations, engaging users and eliciting approval of multifactor authentication (MFA) prompts.
This campaign has affected fewer than 40 unique global organizations, said Microsoft.
The targeted organizations likely indicate espionage objectives by Midnight Blizzard.
Microsoft has identified customers who have been targeted and compromised. They have provided instructions to these customers on how to secure their environments.
A group known as Midnight Blizzard (NOBELIUM), originating from Russia, poses a threat to various entities such as governments, diplomatic organizations, non-government organizations (NGOs), and IT service providers located in the US and Europe.
Phishing Attack Targeting Teams Users
Midnight Blizzard utilizes credential theft techniques to get into targeted environments.
Since at least late May 2023, this attack pattern has been observed as a subset of broader credential attacks, for example authentication spear-phishing, password spraying, and brute-force attacks.
The actor uses previously compromised Microsoft 365 tenants owned by small businesses to host and launch their social engineering attack.
The attacker renames the tenant, adds security-themed or product name-themed keywords to create a new subdomain, then adds a new user associated with the domain to send outgoing messages to the targeted tenant.
Midnight Blizzard targets users for whom it already holds valid account credentials, or users who have passwordless authentication configured.
In both scenarios, the user has to enter a code during authentication on the Microsoft Authenticator mobile app.
Attackers impersonate Microsoft Support
The targeted user may receive a Microsoft Teams request from an external user pretending to be a technical support or security team.
When the user accepts the message request, they receive a Microsoft Teams message from the attacker asking them to enter a code into the Microsoft Authenticator mobile app.
If the user performs the steps, then the attacker gains access to the user’s Microsoft 365 account and proceeds to conduct post-compromise activity, which involves information theft from the compromised Microsoft 365 tenant.
In some cases, the attacker adds a device to the organization via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.
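The chain described above (a support-themed external Teams chat, an MFA approval shortly afterwards, and then a device registration in Entra ID) is something a SOC can reconstruct from its own logs. The following is an added example, not code from Microsoft's report: it runs a simple correlation over a few constructed event records. The event fields, the keyword list, the trusted-domain allowlist and the two-hour window are all assumptions of the example and not Microsoft's real audit or sign-in schema; map them onto your actual Teams audit and Entra sign-in/audit exports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed keyword list: terms the actor is described as adding to a renamed
# tenant's subdomain so that it looks like a support or security team.
SUPPORT_KEYWORDS = ("support", "security", "helpdesk", "identity", "protection", "msft")

# Constructed allowlist of external organisations your users legitimately chat with.
TRUSTED_EXTERNAL_DOMAINS = {"partner.example.com"}


@dataclass(frozen=True)
class Event:
    """Simplified event record (constructed; not Microsoft's real log schema)."""
    ts: datetime
    kind: str    # "teams_external_chat" | "signin_mfa_success" | "device_registered"
    user: str    # targeted internal user (UPN)
    detail: str  # sender domain for chats, device id for registrations, app for sign-ins


def suspicious_external_domain(domain: str) -> bool:
    """True when an untrusted external domain's first label carries a support/security keyword."""
    d = domain.lower().strip()
    if d in TRUSTED_EXTERNAL_DOMAINS:
        return False
    first_label = d.split(".")[0]
    return any(k in first_label for k in SUPPORT_KEYWORDS)


def correlate(events, window: timedelta = timedelta(hours=2)):
    """Per user, look for: suspicious external chat -> MFA-satisfied sign-in -> device registration.
    Returns one finding per suspicious chat; severity reflects how far the chain progressed."""
    by_user: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for chat in evs:
            if chat.kind != "teams_external_chat" or not suspicious_external_domain(chat.detail):
                continue
            later = [e for e in evs if chat.ts < e.ts <= chat.ts + window]
            mfa = next((e for e in later if e.kind == "signin_mfa_success"), None)
            # A device registration only counts when it follows the MFA approval.
            device = next((e for e in later
                           if e.kind == "device_registered" and mfa and e.ts > mfa.ts), None)
            if device:
                severity, stage = "high", "device registered after MFA approval"
            elif mfa:
                severity, stage = "medium", "MFA approval shortly after support-themed chat"
            else:
                severity, stage = "low", "support-themed external chat only"
            findings.append({"user": user, "sender_domain": chat.detail,
                             "severity": severity, "stage": stage,
                             "device": device.detail if device else None})
    return findings


# Constructed sample timeline covering the full chain, a benign partner chat,
# a support-themed chat with no follow-up, and an unrelated sign-in.
T0 = datetime(2023, 6, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "teams_external_chat", "alice@corp.example", "msft-identity-support.example"),
    Event(T0 + timedelta(minutes=12), "signin_mfa_success", "alice@corp.example", "Office 365"),
    Event(T0 + timedelta(minutes=40), "device_registered", "alice@corp.example", "dev-7f3a"),
    Event(T0, "teams_external_chat", "bob@corp.example", "partner.example.com"),
    Event(T0 + timedelta(minutes=5), "signin_mfa_success", "bob@corp.example", "Office 365"),
    Event(T0 + timedelta(hours=3), "teams_external_chat", "carol@corp.example", "helpdesk-team.example"),
    Event(T0, "signin_mfa_success", "dave@corp.example", "Office 365"),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run as-is, the sample produces a high-severity finding for alice (chat, MFA approval, then a new device) and a low-severity one for carol (support-themed chat with no authentication afterwards); bob's partner chat and dave's routine sign-in produce nothing. The keyword heuristic is deliberately coarse and exists to prioritise triage, not to block; the device-registration step is the strongest signal because it matches the conditional-access bypass the article describes.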
Microsoft recommends several mitigations to reduce the risk of this threat.
As with any social engineering lure, Microsoft encourages organizations to reinforce security best practices for all users, and in particular to reinforce that any authentication request not initiated by the user should be treated as malicious.