Microsoft researchers reported on Wednesday that a hacking gang with ties to the Russian government targeted dozens of international organizations with a campaign to acquire login credentials by tricking users into communicating with them in Microsoft Teams conversations under the guise of technical support.
Since late May, “fewer than 40 unique global organizations” have been impacted by these “highly targeted” social engineering attacks, according to Microsoft researchers, who also stated that the company was looking into the matter.
An inquiry for comment was not immediately answered by the Russian embassy in Washington.
According to the researchers, the hackers created identities and domains that appeared to be technical support departments in an effort to speak with Teams users and convince them to accept multifactor authentication (MFA) prompts.
Microsoft has blocked the actor from using the domains and is still investigating this activity and working to remediate the attack's impact, they continued.
Teams, Microsoft's proprietary business communication tool, had more than 280 million active users as of the company's January financial report.
MFA is a widely recommended security control meant to protect accounts against stolen or compromised credentials. The targeting of Teams users suggests that hackers are finding new ways to get around it.
According to the researchers, the hacking group responsible for this activity, known in the industry as Midnight Blizzard or APT29, is based in Russia and connected to Russia's foreign intelligence service.
“The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors,” they added, without mentioning any of the targets.
The researchers stated that “this most recent attack, taken together with prior activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and conventional techniques.”
Since 2018, they said, Midnight Blizzard has been known to target several groups, mostly in the U.S. and Europe.
According to Microsoft's blog post, the hackers used Microsoft 365 tenants belonging to small businesses that they had already compromised to create new domains containing the term "microsoft" and made to look like technical support firms. Accounts associated with these domains then sent phishing messages over Teams to lure targets, the researchers said.
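As an added defensive illustration, not taken from Microsoft's report or this article, the check below triages Teams messages from external senders: it flags a sender domain that contains "microsoft" without being microsoft.com or one of its subdomains, a technical-support pretext in the text, and a request to approve an MFA prompt. The sample messages, the allowlist and the term lists are constructed assumptions for the example.

```python
import re

# Constructed sample of Teams chat metadata (not real telemetry): the sender
# address, whether the sender is outside our tenant, and the message text.
SAMPLE_MESSAGES = [
    {"sender": "helpdesk@microsoft-securitysupport.example", "external": True,
     "text": "This is Microsoft Security Support. Please approve the MFA prompt we sent."},
    {"sender": "alice@contoso.example", "external": False,
     "text": "Can you review the Q3 deck before Friday?"},
    {"sender": "bob@partner-firm.example", "external": True,
     "text": "Minutes from today's call are attached."},
]

# Domains treated as genuinely Microsoft-owned (assumed allowlist; extend per environment).
MICROSOFT_OWNED = {"microsoft.com"}
# Pretext vocabulary for support-themed social engineering (assumed term lists).
SUPPORT_TERMS = ("support", "helpdesk", "help desk", "security team", "it department")
MFA_TERMS = ("mfa", "authenticator", "approve", "verification code", "sign-in request")

def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def is_lookalike(domain: str) -> bool:
    """True for a domain containing 'microsoft' that is neither microsoft.com nor under it."""
    if domain in MICROSOFT_OWNED or domain.endswith(".microsoft.com"):
        return False
    return "microsoft" in domain

def _contains_any(text: str, terms) -> bool:
    lowered = text.lower()
    return any(re.search(r"\b" + re.escape(t) + r"\b", lowered) for t in terms)

def message_indicators(msg: dict) -> list[str]:
    """Return the reasons an external message deserves analyst review (empty if none)."""
    if not msg["external"]:
        return []  # internal senders are out of scope for this check
    reasons = []
    if is_lookalike(sender_domain(msg["sender"])):
        reasons.append("lookalike-domain")
    if _contains_any(msg["text"], SUPPORT_TERMS):
        reasons.append("support-pretext")
    if _contains_any(msg["text"], MFA_TERMS):
        reasons.append("mfa-approval-request")
    return reasons

def triage(messages: list[dict]) -> dict[str, list[str]]:
    """Map each flagged sender to the indicators that fired."""
    return {m["sender"]: r for m in messages if (r := message_indicators(m))}
```

A sender matching all three indicators is a strong candidate for blocking the external tenant and checking whether any user approved an MFA prompt around the message time.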