The Russia-linked APT29 group has been identified as the culprit behind a series of Microsoft Teams phishing attacks that targeted numerous global organizations and government agencies.
Microsoft Threat Intelligence revealed that APT29, also known as SVR group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, executed these sophisticated attacks, leveraging highly targeted social engineering methods. The group exploited compromised Microsoft 365 tenants belonging to small businesses to create deceptive domains resembling technical support entities, using Microsoft Teams messages to trick users into revealing their credentials through approval of multifactor authentication (MFA) prompts.
Notably, APT29’s involvement in the Microsoft Teams phishing campaign adds to its history of cyber espionage activities, including the infamous Democratic National Committee hack during the 2016 US Presidential Elections.
The attackers meticulously orchestrated the attack chain, beginning with a Microsoft Teams message request sent by an external actor posing as a technical support or security team member. Once accepted, the target user was prompted to enter a code into the Microsoft Authenticator app, enabling the attackers to gain authentication tokens and unauthorized access to victims’ Microsoft 365 accounts.
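The two-step sequence described above (an accepted external Teams request from a support-looking tenant, followed shortly by an Authenticator approval) lends itself to a simple correlation rule. The following is an added example written for this page, not Microsoft's detection logic or a published query; it runs over constructed sample events, and the event schema, field names and sender domains are all assumptions rather than real Microsoft 365 log formats or IoCs.

```python
from datetime import datetime, timedelta

# Constructed sample events for illustration only; the field names are an
# assumed schema, not that of Microsoft 365 or Entra audit logs.
EVENTS = [
    {"ts": "2023-07-20T09:00:00", "type": "teams_external_request_accepted",
     "user": "alice@corp.example", "sender_domain": "msftsecurity-support.example"},
    {"ts": "2023-07-20T09:04:30", "type": "mfa_approved",
     "user": "alice@corp.example", "method": "authenticator_number_match"},
    {"ts": "2023-07-20T10:00:00", "type": "teams_external_request_accepted",
     "user": "bob@corp.example", "sender_domain": "partner-co.example"},
    {"ts": "2023-07-20T10:02:00", "type": "mfa_approved",
     "user": "bob@corp.example", "method": "authenticator_number_match"},
    {"ts": "2023-07-20T11:00:00", "type": "teams_external_request_accepted",
     "user": "carol@corp.example", "sender_domain": "identity-helpdesk.example"},
    {"ts": "2023-07-20T13:30:00", "type": "mfa_approved",
     "user": "carol@corp.example", "method": "authenticator_number_match"},
]

# Words that make an external tenant name read like a support or security team.
SUPPORT_WORDS = ("support", "security", "helpdesk", "identity", "protection")


def looks_like_support_lure(domain):
    """True if an external sender domain resembles a technical-support entity."""
    return any(w in domain.lower() for w in SUPPORT_WORDS)


def correlate(events, window=timedelta(minutes=15)):
    """Flag users who accepted a support-looking external Teams request and then
    approved an Authenticator prompt within `window` of that acceptance."""
    accepted = {}  # user -> (timestamp, sender_domain) of the latest lure-like request
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "teams_external_request_accepted" and looks_like_support_lure(ev["sender_domain"]):
            accepted[ev["user"]] = (ts, ev["sender_domain"])
        elif ev["type"] == "mfa_approved" and ev["user"] in accepted:
            req_ts, domain = accepted[ev["user"]]
            if timedelta(0) <= ts - req_ts <= window:
                hits.append({"user": ev["user"], "sender_domain": domain,
                             "minutes_between": (ts - req_ts).total_seconds() / 60})
    return hits


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

The rule only fires for alice: bob's request came from a partner tenant with no support wording, and carol's approval falls outside the 15-minute window, so the gap itself is a tunable that trades missed detections against noise.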
Microsoft reported that fewer than 40 unique global organizations fell victim to these attacks, spanning sectors such as government agencies, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media. The aftermath of the attacks typically involved data theft from compromised Microsoft 365 tenants.
Microsoft has since shared Indicators of Compromise (IoCs) and mitigation recommendations to address this threat. The revelation of this operation underscores the persistence of state-sponsored cyber threats and the imperative for comprehensive cybersecurity measures.