Microsoft Threat Intelligence revealed that an Advanced Persistent Threat (APT) group has been conducting targeted phishing attacks using Microsoft Teams as a vector. According to Help Net Security, the attackers executed meticulously planned social engineering attacks. They employed sophisticated credential theft, and phishing tactics to bypass the Multi-Factor Authentication (MFA) protection of numerous organisations. The report attributed these attacks to the Russian Midnight Blizzard threat actor, previously recognized as Nobelium.
These attacks have been carried out by exploiting Microsoft 365 tenants owned by small businesses that have been compromised beforehand. They then proceeded to rename the compromised tenant, adding a new onmicrosoft.com subdomain and creating a new user related to that domain. These newly established tenants and subdomains often included terms related to security or products, such as “teamsprotection,” “azuresecuritycenter” or “teamsprotection”.
The hackers initiated their campaign by sending Microsoft Teams message requests to their target staffers of a company. If the recipients accepted the request, they would subsequently receive another Teams message instructing them to input a code into Microsoft Authenticator on their phones. Targets following these instructions would allow attackers access tokens that enabled them to authenticate themselves within the target user’s Microsoft 365 account.
Once this initial breach was executed successfully, the attackers conducted post-compromise activities, generally involving data theft from the breached Microsoft 365 account. In some instances, the hackers also attempted to introduce a device into the company as a managed entity through Microsoft Entra ID. This was potentially a method to bypass access restrictions.
Microsoft is actively investigating the methods used by the attackers to compromise legitimate Azure tenants. The malicious subdomains employed by the threat actors have been dismantled.
Microsoft’s in-depth investigation has revealed that approximately 40 global organisations have fallen victim to this campaign.
According to the report, the targeted victims in this campaign spanned government, non-government organisations (NGOs), technology, IT services, media businesses, and discrete manufacturing businesses primarily based in the US and Europe.
This phishing campaign has been marked as highly sophisticated, with a level of intricacy that can easily escape the notice of individuals lacking specialised knowledge. The fact that the attackers employed a legitimate Microsoft domain as part of their strategy makes it harder for the users to identify the deceptive nature of the prompts, underscoring the cunning tactics used in the attack.
According to the report, proactive measures have been taken to counteract this threat, obstructing the attacker’s use of the compromised domains and actively mitigating the impact of the attack. Affected customers have been personally informed about the breach.
In light of this incident, Microsoft has urged organisations to train employees on the perils of social engineering and credential phishing attacks. Cybersecurity training programs provided by expert services like CultureAI can help employees enhance their security behaviour while bolstering their cybersecurity posture.
However, employee training is just one element of a comprehensive cybersecurity strategy. The tech giant has also recommended companies augment their cybersecurity posture by deploying phishing-resistant authentication methods. They advise reinforcing conditional access authentication strength for their mission-critical applications.

Sohela is an electrical engineer and a self-professed writer with a keen interest in all things tech. When she’s not writing killer content pieces, you’ll find her enjoying tempting foods in her favourite restaurants.