APT29: Actively Running Phishing Attacks Centered on Microsoft Teams

Category: Threat Actor Activity | Industries: Government, Manufacturing, Media, Non-Governmental Organizations (NGOs), Technology | Source: Microsoft

Microsoft has identified the Russian threat group APT29, also known as Midnight Blizzard, NOBELIUM, Cozy Bear, or UNC2452, targeting organizations through phishing attacks on Microsoft Teams in an attempt to obtain user credentials. This campaign is tracked as part of a larger and broader APT29 campaign and has been active since the end of May 2023. To deceive targets, the threat actors abuse previously compromised Microsoft 365 tenants to engage with their targets under the guise of technical support personnel. "The actor renames the compromised tenant, adds a new onmicrosoft[.]com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant," Microsoft explains.

Their messages leverage Microsoft Teams "to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts." Microsoft assesses this campaign "has affected fewer than 40 unique global organizations," specifically aiding Russia's espionage objectives. Verticals targeted in the campaign include government, manufacturing, media, non-government organizations (NGOs), and technology organizations.