Microsoft on Wednesday disclosed that it identified a set of highly targeted social engineering attacks mounted by a Russian nation-state threat actor using credential theft phishing lures sent as Microsoft Teams chats.
The tech giant attributed the attacks to a group it tracks as Midnight Blizzard (previously Nobelium). It’s also called APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes.
“In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities,” the company said.
“Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multi-factor authentication (MFA) prompts.”
Microsoft said the campaign, observed since at least late May 2023, affected less than 40 organizations globally spanning government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.