PSA – Midnight Blizzard conducts targeted social engineering over Microsoft Teams

Friday, August 4th, 2023


DefenseStorm cyber security monitoring.

Internal communication applications, IE: Slack, MS Teams, etc.  Criminals are establishing domains that appear to be from legitimate technical support entities and then attempting to reach out to individuals to gain access to target users’ devices.  The below article was authored by Microsoft Threat Intelligence and taken from Microsoft directly and provides additional detail and threat actor attribution for these types of attacks.

When we hear the word phishing, for most of us in the cybersecurity world, our mind immediately jumps to email and email compromise.  While most phishing attempts are still relegated to that vector, there is an uptick in another avenue for phishing.  Internal communication applications, IE: Slack, MS Teams, etc.  Criminals are establishing domains that appear to be from legitimate technical support entities and then attempting to reach out to individuals to gain access to target users’ devices.  The below article was authored by Microsoft Threat Intelligence and taken from Microsoft directly and provides additional detail and threat actor attribution for these types of attacks.  The article was taken from:https://www[.]Microsoft[.]com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/.

Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques. In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts. As with any social engineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious.

Our current investigation indicates this campaign has affected fewer than 40 unique global organizations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Midnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard (NOBELIUM) is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.

Midnight Blizzard’s latest credential phishing attack

Midnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in addition to authentication spear-phishing, password spray, brute force, and other credential attacks. The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.

Use of security-themed domain names in lures

To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant. The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.

Social engineering attack chain

In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.

After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams, eliciting the user to enter the code into the prompt on their device.

Step 1: Teams request to chat

The target user may receive a Microsoft Teams message request from an external user masquerading as a technical support or security team.

Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account

 Step 2: Request authentication app action

If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device.

Figure 2: A Microsoft Teams prompt with a code and instructions.

Step 3: Successful MFA authentication

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.

The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.


Microsoft recommends the following mitigations to reduce the risk of this threat.

  • Pilot and start deploying phishing-resistant authentication methods for users.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
  • Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
  • Understand and select the best access settings for external collaboration for your organization.
  • Allow only known devices that adhere to Microsoft’s recommended security baselines.
  • Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
  • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and , and never share their account information or authorize sign-in requests over chat.
  • Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
  • Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.



James Bruhl

James Bruhl

Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordination efforts to mitigate the impact of breaches, vulnerability identification, and strategy implementation to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.