Threat Insight: Threat Actors Observed Leveraging Microsoft Teams
Disclosures from Microsoft’s Threat Intelligence team outline a social engineering tactic that weaponizes Microsoft Teams chats. The identified threat actor, Midnight Blizzard, was observed using a compromised Microsoft 365 tenant to create new domains posing as technical support companies. Using these faux domains, the actor sends Microsoft Teams messages to targeted companies and end users with the goal of harvesting credentials. When successful, the actor logs in with the stolen credentials while instructing the user to approve the resulting multifactor authentication (MFA) prompts.
Associated activities observed alongside this attack are spear phishing and password spraying/brute-force attempts. Indicators to watch for include new subdomains added to a compromised tenant, Teams message requests that the user must approve, and new devices added to the organization in Microsoft Entra ID. So far, these observed attacks have targeted diplomatic entities.
- User education and awareness about phishing, unsolicited MFA requests and social engineering are pivotal in reducing the likelihood of these types of attacks.
- Evaluate the implementation of conditional access application control in Microsoft Defender for users connecting from unmanaged devices.
- Strengthen phishing defenses by deploying email security software alongside antivirus protection tools, restricting mail relays so that only specific domains and IPs may forward email, and verifying senders through reverse DNS lookups before accepting incoming messages.
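The two tenant-side indicators named above (new domains added to a tenant and new devices joined in Entra ID) can be pulled out of audit log exports with a small script. The following is an added example, not code from Microsoft or Kaseya; the sample events are constructed, and the activityDisplayName strings and JSON layout are assumptions that should be checked against a tenant's own Entra audit export.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Entra ID audit events for this example (not real tenant
# data). Field names follow the Entra audit log export; the exact
# activityDisplayName values are an assumption and should be verified against
# the tenant's own logs before relying on them.
SAMPLE_AUDIT_EVENTS = json.loads("""[
 {"activityDateTime": "2023-08-02T09:10:00Z", "activityDisplayName": "Add unverified domain",
  "initiatedBy": "admin@contoso.example", "targetResources": ["contoso-msteamsupport.onmicrosoft.com"]},
 {"activityDateTime": "2023-08-02T09:40:00Z", "activityDisplayName": "Add device",
  "initiatedBy": "jdoe@contoso.example", "targetResources": ["DESKTOP-7F2Q"]},
 {"activityDateTime": "2023-08-02T11:00:00Z", "activityDisplayName": "Update user",
  "initiatedBy": "admin@contoso.example", "targetResources": ["jdoe@contoso.example"]}
]""")

# Words a domain would carry when posing as a technical support organisation
SUPPORT_TERMS = ("support", "helpdesk", "servicedesk", "securityteam", "identity")

def is_support_lure(domain):
    """True when a newly added domain's first label imitates a tech-support identity."""
    label = domain.lower().split(".")[0]
    return any(term in label for term in SUPPORT_TERMS)

def find_indicators(events, window_hours=24):
    """Flag domain additions and device registrations; raise a device finding to
    high severity when it lands within window_hours of a new domain."""
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        op = ev["activityDisplayName"]
        for target in ev["targetResources"]:
            if op.startswith("Add") and op.endswith("domain"):
                findings.append({"time": ts, "type": "new_domain", "target": target,
                                 "actor": ev["initiatedBy"],
                                 "severity": "high" if is_support_lure(target) else "medium"})
            elif op in ("Add device", "Register device"):
                findings.append({"time": ts, "type": "new_device", "target": target,
                                 "actor": ev["initiatedBy"], "severity": "medium"})
    window = timedelta(hours=window_hours)
    domains = [f for f in findings if f["type"] == "new_domain"]
    for f in findings:
        if f["type"] == "new_device" and any(abs(f["time"] - d["time"]) <= window for d in domains):
            f["severity"] = "high"  # device enrolled shortly after a new domain appeared
    return findings

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_AUDIT_EVENTS):
        print(f["severity"].upper(), f["type"], f["target"], "by", f["actor"])
```

Findings are returned rather than only printed so they can be fed to a ticketing or SIEM pipeline; the Teams message-request indicator lives in Teams/Office audit data and is not covered here.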
-Kaseya Threat Management Team