Microsoft announced on Wednesday that it had discovered a series of carefully crafted social engineering attacks by a nation-state threat group that uses Microsoft Teams chat messages as phishing lures to steal credentials.
Microsoft identifies this threat group as Midnight Blizzard, previously recognized as Nobelium. The group has also been named APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes.
In the current wave of activity, the threat group uses previously compromised Microsoft 365 tenants belonging to small businesses to create new domains that appear to be technical support entities, Microsoft reported.
Midnight Blizzard then sends Teams messages from these compromised tenants’ domains to lure the targeted organization into handing over credentials, using manipulative conversation to elicit multi-factor authentication (MFA) approvals.
Microsoft has been tracking this campaign since late May 2023, with fewer than 40 organizations affected globally. The victims spread across government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
The threat group has exhibited the use of token theft methods for initial access into the targeted environments. Other techniques such as authentication spear-phishing, password spray, and brute-force attacks were also observed.
Another known characteristic of the group is their exploitation of on-premises environments, migrating laterally to the cloud, and misusing service providers’ trust chain to infiltrate downstream customers. This tactic was noticed during the SolarWinds hack of 2020.
In the latest round of attacks attributed to Midnight Blizzard, a new onmicrosoft.com subdomain is added to a previously compromised tenant. The hackers then create a new user with that subdomain to commence a Teams chat request with potential targets, impersonating a technical support individual or Microsoft’s Identity Protection team.
Upon accepting the message request, the targeted user receives a Teams message from the attacker. This message seeks to persuade the user to input a code into the Microsoft Authenticator app on their mobile device.
If the targeted user complies with these instructions, the threat group secures a token to authenticate as the user. This allows for account takeover and subsequent post-compromise activities.
On occasion, the threat actor has attempted to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely to bypass conditional access policies that restrict access to specific resources.
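The chain described above leaves traces in three separate telemetry sources: an external Teams chat request from an onmicrosoft.com tenant, an MFA-satisfied sign-in shortly afterwards, and in some cases a new device registration. The following is an added Python example, not code from Microsoft or from the article, that correlates those three signals; the event schema, field names and sample records are constructed for illustration and must be mapped onto your SIEM's real Teams, Entra ID sign-in and device-registration schemas.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names and "type"
# values are assumptions; map them onto your own log schemas before use.
EVENTS = [
    {"ts": "2023-06-01T09:00:00", "type": "teams_external_chat_request",
     "user": "alice@contoso.example",
     "sender": "helpdesk@smallbiz-support.onmicrosoft.com",
     "sender_display": "Microsoft Identity Protection"},
    {"ts": "2023-06-01T09:07:00", "type": "signin",
     "user": "alice@contoso.example", "result": "success", "mfa": "pass"},
    {"ts": "2023-06-01T09:20:00", "type": "device_registered",
     "user": "alice@contoso.example", "device": "UNKNOWN-LAPTOP"},
    {"ts": "2023-06-01T11:00:00", "type": "teams_external_chat_request",
     "user": "bob@contoso.example", "sender": "pm@partner.example",
     "sender_display": "Partner project manager"},
    {"ts": "2023-06-01T11:05:00", "type": "signin",
     "user": "bob@contoso.example", "result": "success", "mfa": "pass"},
]

# Display names the campaign impersonated: support staff or Identity Protection.
IMPERSONATION = re.compile(r"identity protection|tech(nical)? support|help ?desk", re.I)

def is_suspicious_sender(sender: str, display: str) -> bool:
    """External sender from an *.onmicrosoft.com tenant using a support-like name."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain.endswith(".onmicrosoft.com") and bool(IMPERSONATION.search(display))

def correlate(events, window=timedelta(hours=1)):
    """Flag users who passed MFA (and possibly registered a device) within
    the window after receiving a suspicious external Teams chat request."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for e in ordered:
        if e["type"] != "teams_external_chat_request":
            continue
        if not is_suspicious_sender(e["sender"], e["sender_display"]):
            continue
        t0 = datetime.fromisoformat(e["ts"])
        later = [x for x in ordered if x["user"] == e["user"]
                 and t0 < datetime.fromisoformat(x["ts"]) <= t0 + window]
        mfa = any(x["type"] == "signin" and x.get("mfa") == "pass" for x in later)
        device = any(x["type"] == "device_registered" for x in later)
        if mfa:  # MFA approval after the lure is the core signal; device adds severity
            alerts.append({"user": e["user"], "sender": e["sender"],
                           "severity": "high" if device else "medium"})
    return alerts
```

On the constructed sample, only the alice sequence is flagged, at "high" severity because a device registration follows the MFA approval.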
Microsoft released these findings just days after the threat group was linked to phishing attacks aimed at diplomatic entities across Eastern Europe, intending to install a new backdoor dubbed GraphicalProton.
This announcement also follows the discovery of several new Azure AD (AAD) Connect attack vectors. These could permit malicious cyber actors to create a covert backdoor by extracting cryptographic hashes of passwords. They do this by injecting malicious code into a hash syncing process and seizing credentials through an adversary-in-the-middle (AitM) attack.
One example is the extraction of NT hashes, which also lets attackers learn of every future password change in the domain. Threat actors can also acquire AAD Connector passwords through Active Directory Certificate Services and act as an adversary-in-the-middle against SSL-encrypted channels in the network by exploiting misconfigured certificate templates that allow server authentication, according to Sygnia.