Midnight Blizzard employs targeted social engineering techniques via Microsoft Teams
Microsoft Threat Intelligence has detected sophisticated, highly targeted social engineering attacks conducted by the threat actor known as Midnight Blizzard (formerly tracked as NOBELIUM). These attacks deliver credential theft phishing lures through Microsoft Teams chats. Midnight Blizzard's latest activity, combined with their previous tactics, underscores their persistent pursuit of objectives through a mix of novel and established methods. In this recent incident, the threat actor uses Microsoft 365 tenants compromised from small businesses to create new domains that masquerade as technical support entities.
Our ongoing investigation suggests that this campaign has impacted fewer than 40 distinct global organizations. The selection of these targeted organizations points towards specific espionage goals pursued by Midnight Blizzard, focusing on government entities, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
The most recent credential phishing attack by Midnight Blizzard
Midnight Blizzard frequently employs token theft techniques as part of their initial access strategy in targeted environments. They also use authentication spear-phishing, password spray, brute force, and other credential attacks. The observed attack pattern, which has been ongoing since late May 2023, is identified as a subset of the broader credential attack campaigns attributed.
Incorporating security-themed domain names in lures
The actor leverages previously compromised Microsoft 365 tenants owned by small businesses to orchestrate the social engineering attack. They rename the compromised tenant, register a new onmicrosoft.com subdomain, and create a fresh user under that domain to send the outbound message to the target tenant. To enhance credibility, the actor chooses security-themed or product name-themed keywords when crafting the new subdomain and tenant name.
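As an added example, not code from the original post or from Microsoft, the following Python script turns the attack chain described above (compromised tenants renamed to look like technical support, security- or product-themed onmicrosoft.com subdomains) into one defender-side hunting heuristic: it walks a set of Teams external-chat records and flags senders on onmicrosoft.com subdomains that are outside a trusted-domain allowlist and whose tenant label contains such keywords. The record layout, the keyword list, the trusted domains and every sender address below are constructed assumptions for this example, not telemetry or indicators from the report.

```python
import json
import re
from typing import Iterable, List, Optional

# Keywords of the kind the post says the actor embeds in renamed tenants and
# subdomains. This particular list is an assumption chosen for the example;
# tune it to the product names and support vocabulary your users expect.
SUSPICIOUS_TERMS = (
    "microsoft", "msft", "security", "protection", "identity",
    "support", "helpdesk", "teams", "office", "azure", "defender",
)

# Tenant domains the organisation and its known partners legitimately use
# (assumed values for the example).
TRUSTED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Constructed sample records, loosely modelled on the fields a Teams
# external-chat audit export might carry. None of this is real data.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T09:12:03Z", "sender": "alice@contoso.com",
     "recipient": "bob@contoso.com", "external": False},
    {"time": "2023-06-01T10:44:51Z", "sender": "helpdesk@msft-security-support.onmicrosoft.com",
     "recipient": "bob@contoso.com", "external": True},
    {"time": "2023-06-01T11:02:17Z", "sender": "sales@partnerco.onmicrosoft.com",
     "recipient": "carol@contoso.com", "external": True},
    {"time": "2023-06-02T08:30:00Z", "sender": "it-support@identityprotection-team.onmicrosoft.com",
     "recipient": "dave@contoso.com", "external": True},
]

# Matches "<tenant-label>.onmicrosoft.com" and captures the tenant label.
ONMICROSOFT_RE = re.compile(r"^([a-z0-9-]+)\.onmicrosoft\.com$", re.IGNORECASE)


def sender_domain(upn: str) -> str:
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def suspicious_terms_in(tenant_label: str) -> List[str]:
    """List the themed keywords found in a tenant label, in list order."""
    label = tenant_label.lower()
    return [term for term in SUSPICIOUS_TERMS if term in label]


def score_event(event: dict) -> Optional[dict]:
    """Return an alert record for one chat event, or None if it looks benign.

    Only external senders are considered; trusted domains are skipped; and a
    sender only alerts when it sits on a non-allowlisted onmicrosoft.com
    subdomain whose label carries at least one themed keyword.
    """
    if not event.get("external"):
        return None
    domain = sender_domain(event["sender"])
    if domain in TRUSTED_DOMAINS:
        return None
    match = ONMICROSOFT_RE.match(domain)
    if not match:
        return None
    hits = suspicious_terms_in(match.group(1))
    if not hits:
        return None
    return {
        "time": event["time"],
        "sender": event["sender"],
        "recipient": event["recipient"],
        "matched_terms": hits,
    }


def find_lookalike_senders(events: Iterable[dict]) -> List[dict]:
    """Run score_event over a stream of events and collect the alerts."""
    alerts = []
    for event in events:
        alert = score_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    # On the constructed sample this reports the two themed onmicrosoft.com
    # senders and stays quiet on the internal user and the partner tenant.
    for alert in find_lookalike_senders(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The allowlist matters more than the keyword list: legitimate partners also send from onmicrosoft.com tenants, so the check is meant to surface candidates for review of the sender's tenant age and creation history, not to block on its own.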
Social engineering attack chain
In this instance, Midnight Blizzard either possesses valid account credentials for the targeted users or is targeting users who have passwordless authentication configured. The latter method requires users to enter a code displayed in the Microsoft Authenticator app on their mobile devices during sign-in.
For Further Reference