New Social Engineering Attack Targets Microsoft Teams

August 22, 2023
Musa Nadir Sani

Midnight Blizzard

Midnight Blizzard (also known as Cozy Bear, and APT29) is a Russian hacker group allegedly affiliated with one or more Russian intelligence agencies. The group has been identified as the Advanced Persistent Threat group, APT29, reportedly behind the 2020 SolarWinds supply-chain attacks where trojanized software updates were used to infect thousands of the managed security service provider (MSSP) customers.


The group’s most recent campaign involved the use of credential theft phishing messages sent via Microsoft Teams chats. The actors use compromised Microsoft 365 tenants belonging to small businesses to create new domains that pose as technical support entities. These are then used to send lures through Teams messages to deceive users into approving multifactor authentication (MFA) prompts. When successful, the hackers are provided with the targeted organization’s credentials. 

For the operation to be successful, Midnight Blizzard either already has valid credentials for the users being targeted or targets users with passwordless authentication set on their accounts. Both require the user to enter a code displayed during the authentication flow. 

Following the successful deception, the actor gains access to the user’s Microsoft 365 account, allowing them to steal information from the compromised tenant.

How to identify the attack

  1. Targeted users receive a Microsoft Teams message request from an external user pretending to be a technical support or security team staff.

Microsoft Teams

  1. If the user accepts the request, they receive a message that attempts to convince them to enter a code into their Microsoft Authenticator app on their mobile device.

help us keep your account secure

  1. If the message request is successfully accepted by the user, the threat actor is granted a token to authenticate as the targeted user, completing the authentication flow and automatically gaining access to the user’s Microsoft 365 account.

Indicators of Compromise (IOC’s)


  • msftprotection.onmicrosoft[.]com
  • identityVerification.onmicrosoft[.]com
  • accountsVerification.onmicrosoft[.]com
  • azuresecuritycenter.onmicrosoft[.]com
  • Teamsprotection.onmicrosoft[.]com


Microsoft recommended the following to mitigate the risk of the threat.

Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices. 

Related Posts

Scroll to Top