A series of global and highly targeted social engineering attacks by the same threat actors behind the notorious SolarWinds 2020 supply chain compromise are now targeting Microsoft Teams account credentials.
The attacks use previously stolen Microsoft 365 instances to send Microsoft Teams chat messages masquerading as IT support staff communications. APT29 attempts to lure victims into approving multi-factor authentication (MFA) prompts so the adversaries can steal account credentials, according to Microsoft Threat Intelligence.
In a Wednesday advisory, Microsoft researchers said they believe fewer than 40 organizations globally have been affected by the highly targeted campaigns.
APT29, also known as Cozy Bear and UNC2452, and track by Microsoft as Midnight Blizzard (previously Nobelium), is believed to be the advanced persistent threat (APT) group behind the devastating SolarWinds supply-chain attacks.
“The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors,” Wednesday’s advisory said.
Tricking users into circumventing MFA
Using Microsoft 365 tenants belonging to small businesses that were compromised in previous attacks, APT29 renamed them, then added a legitimate “onmicrosoft.com” subdomain and a new user associated with the renamed domain.
Microsoft said the campaign was focused on attacking accounts where APT29 had obtained valid user credentials or where passwordless authentication was configured. In both cases, entering a valid code into the Microsoft Authenticator app on the user’s mobile device was required to gain access to the account.
Target accounts were sent messages via Teams, purporting to be from the help desk or security team, asking them to respond with the code displayed on the Authenticator app. To appear legitimate, the threat actor renamed the compromised tenants using security-themed and product name-themed domains. An example cited in the advisory was an account calling itself “Microsoft Identity Protection” that used the domain “@teamsprotection.onmicrosoft.com”.
If the targeted user supplied the requested MFA code, the threat actor was able to gain access to their account.
“The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant,” the advisory said.
“In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.”
A feature or a bug?
Microsoft said it had now mitigated APT29 from using the compromised domains deployed in the phishing attacks, had notified targeted customers, and advised them how to secure their environments.
“As with any social engineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious,” the advisory said.
The advisory offered several recommendations to reduce the risk of the threat, including limiting which external domains organizations allow Teams chat messages from.
Last month a Python tool called TeamsPhisher was published on GitHub which allows an adversary to bypass Teams security controls and plant malware on targeted systems.
Both TeamsPhisher and the APT29 attack method are only effective when Teams is configured to allow users to communicate with external tenancies, although that is the default configuration.
Microsoft has previously suggested organizations using Teams who do not need to maintain regular communication with external tenants should change the default configuration to either disable all external access or limit it to only trusted external organizations.
