
Russian hackers attack Teams with an intense phishing campaign

Microsoft has disclosed a massive phishing attack against Teams users by Midnight Blizzard, a well-known Russian hacker group.

The gang allegedly targeted a large group of app users, including small to medium-sized organizations and even government entities. The purpose of this offensive, it seems, is the theft of confidential information.

This type of operation is certainly not new: the hackers themselves, in fact, have already targeted the IT giant in the past. In the official blog post, Microsoft warned that it is fully aware of these attacks and is working to remedy them.

According to the company, the hackers are using token theft techniques to gain access to some domain names containing the word “Microsoft”, then posing as official technical support.

Microsoft Teams under siege: the campaign carried out by the Midnight Blizzard group

The hackers involved trick the user into entering a security code in the Microsoft Authenticator app. This way, the cybercriminals gain access to the victim's entire Microsoft 365 account.

Compromised profiles are then used to gain access and, in some cases, full control of the organization to which the account belongs.

Microsoft also reports that the hackers try to add new unauthorized devices to the corporate directory using Microsoft Entra ID. This gives the cybercriminal multi-point access to the enterprise, making it much harder to stop.

To counter this threat, the Redmond giant has recommended some security measures to users. Among them are:

  • Blocking of external domains in Microsoft 365 organizations;
  • Usage of Microsoft 365 Audit to assist in investigations (in the event of an attack already suffered);
  • Train employees to identify trusted or untrusted external accounts;
  • Activate the Microsoft Defender Conditional App Control for the cloud;
  • Adoption of one-time access tokens.

As already mentioned, these same Russian hackers have targeted Microsoft before, although at the time (i.e. in 2018) the group was known as Nobility.
