Rewterz Threat Alert – Russian Threat Actors Launch Phishing Attacks on Government Orgs via Microsoft Teams – Active IOCs

Severity

High

Analysis Summary

Researchers reported that the hacking group APT29, linked to Russia’s Foreign Intelligence Service (SVR), launched phishing attacks on over 40 organizations worldwide, including government agencies. The group used compromised Microsoft 365 tenants to create technical support-themed domains and sent lures to trick users into approving multifactor authentication prompts, aiming to steal their credentials.

“Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.”

The attackers utilized onmicrosoft.com domains, a legitimate Microsoft domain, to make the fake Microsoft support messages appear trustworthy. The objective was to steal targeted users’ credentials and add unauthorized devices to organizations to bypass access restrictions. Microsoft successfully blocked the threat group from using the domains in further attacks and is actively mitigating the campaign’s impact.

“If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device”, they added

In certain instances, the actor endeavors to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), possibly aiming to bypass conditional access policies set to restrict access to designated resources for managed devices exclusively.

In another incident, Microsoft was criticized for not addressing a security issue in Microsoft Teams that allowed bypassing restrictions for incoming files from external tenants using a tool named TeamsPhisher. APT29, known for orchestrating the SolarWinds supply-chain attack, has targeted various organizations with stealthy malware, including TrailBlazer and a variant of the GoldMax Linux backdoor.

Recently, Microsoft disclosed that the group is using new malware to control Active Directory Federation Services (ADFS) and infiltrate Windows systems as any user. APT29 has also targeted NATO countries’ Microsoft 365 accounts to gain access to foreign policy-related information. This hacking group has been behind phishing campaigns aimed at governments, embassies, and high-ranking officials in Europe. The impact of their social engineering attacks on government agencies highlights the severity of such threats even on well-protected entities.

Impact

• Credential Theft
• Information Theft and Espionage
• Exposure of Sensitive Data

Indicators of Compromise

Domain Name

• identityverification.onmicrosoft.com
• accountsverification.onmicrosoft.com
• azuresecuritycenter.onmicrosoft.com
• teamsprotection.onmicrosoft.com

Remediation

• Block all threat indicators at your respective controls. Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Conduct regular security awareness training for employees to educate them about the dangers of phishing attacks, social engineering, and how to identify suspicious messages or lures.
• Enforce the use of MFA for all user accounts to add an extra layer of protection against unauthorized access.
• Implement robust conditional access policies that restrict access to specific resources based on the user’s location, device, and other factors. 
• Deploy advanced email and web gateway security solutions that can detect and block phishing emails and malicious websites.
• Monitor domain registrations and enforce security policies to prevent the use of unauthorized domains associated with the organization’s brand.
• Establish a well-defined incident response plan and conduct threat hunting exercises to detect and respond to potential threats proactively.
• Ensure all software and systems, including Microsoft Teams, are up to date with the latest security patches to mitigate known vulnerabilities.
• Deploy robust security monitoring and detection tools to identify suspicious activities and potential threats in real-time.
• Conduct periodic security assessments, penetration testing, and vulnerability scanning to identify and address potential weaknesses in the organization’s infrastructure and systems.
• Implement phishing-resistant authentication methods for users to enhance security against phishing attacks.
• Utilize Conditional Access authentication strength to mandate phishing-resistant authentication for both employees and external users accessing critical applications.
• Understand and select appropriate access settings for external collaboration to align with your organization’s security needs.
• Train Microsoft Teams users to verify the “External” tagging on communication attempts from external entities, encouraging caution regarding shared information, and never sharing account details or authorizing sign-in requests over chat.