Russian hackers are targeting government organizations with phishing attacks that use Microsoft Teams as a lure.

The attacks involve sending emails that appear to be from legitimate Microsoft Teams users, but they actually contain malicious links. If the victim clicks on the link, they are taken to a fake Microsoft Teams login page that steals their credentials.

“Our current investigation indicates this campaign has affected fewer than 40 unique global organizations,” Microsoft revealed today.

“The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at the government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.”

The attackers created new domains using compromised Microsoft 365 tenants with a technical support theme. These new domains were subdomains of ‘onmicrosoft.com’, a legitimate Microsoft domain that Microsoft 365 automatically uses as a fallback when no custom domain has been created.

They then used these domains to send tech support lures that deceived users in targeted organizations into approving multifactor authentication (MFA) prompts.


According to Redmond’s advisory, the ultimate objective of the threat actors was to steal the targeted users’ credentials.
