Russia's Cozy Bear is back and hitting Microsoft Teams to phish top targets

An infamous Kremlin-backed gang has been using Microsoft Teams chats in attempts to phish marks in governments, NGOs, and IT businesses, according to the Windows giant.

In its latest crime spree, a crew that Microsoft Threat Intelligence now tracks as Midnight Blizzard uses previously compromised Microsoft 365 tenants to create domains that masquerade as organizations offering tech support. The gang then uses these domains to send Teams chat messages to targets in the hope they follow links to webpages that phish their credentials – trick victims into entering their login details, basically.

Microsoft used to call this group Nobelium, while other security researchers track the Russian gang as APT29 or Cozy Bear. This group, which has been linked to Russia's Foreign Intelligence Service, is the crew accused of compromising the Democratic National Committee before the 2016 election and pulling off the SolarWinds supply chain attack.

"Our current investigation indicates this campaign has affected fewer than 40 unique global organizations," Redmond said in a write-up.

"The organizations targeted in this activity likely reflect specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors."

As with any phishing campaign, this one starts with a lure — someone from outside the victim's organization claiming to be from tech support or a security team. If the victim OKs the miscreants' request to chat, the phisher then tries to trick their mark into entering a code into the Microsoft Authenticator app on their mobile device, giving the criminal a token to authenticate as the victim and take over the user's 365 account to pillage the information within.

"In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only," Microsoft's threat intel team explained.
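A defender-side illustration of the two signals described above (a support- or security-themed chat from a lookalike tenant, followed by a device registration by the same user), written as an added example that is not code from Microsoft or The Register. The event schema, domain names and keyword list are constructed assumptions, and it assumes the masquerading tenants use default *.onmicrosoft.com subdomains.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events; the field names are an assumption, not Microsoft's audit schema.
EVENTS = [
    {"ts": "2023-08-02T09:00:00", "type": "TeamsExternalChat", "user": "alice@example.org",
     "sender_domain": "contoso-msecurity.onmicrosoft.com", "sender_name": "Microsoft Identity Protection"},
    {"ts": "2023-08-02T09:06:00", "type": "DeviceRegistered", "user": "alice@example.org",
     "device": "DESKTOP-NEW1"},
    {"ts": "2023-08-02T11:00:00", "type": "TeamsExternalChat", "user": "bob@example.org",
     "sender_domain": "fabrikam.onmicrosoft.com", "sender_name": "Dana (Fabrikam)"},
    {"ts": "2023-08-02T11:10:00", "type": "DeviceRegistered", "user": "bob@example.org",
     "device": "BOB-LAPTOP"},
    {"ts": "2023-08-02T13:00:00", "type": "TeamsExternalChat", "user": "carol@example.org",
     "sender_domain": "helpdesk-protection.onmicrosoft.com", "sender_name": "IT Help Desk"},
]

TENANT_SUFFIX = ".onmicrosoft.com"
# Wording the lure leans on: a tenant or display name posing as support or security staff.
LURE_WORDS = re.compile(r"microsoft|security|protection|identity|support|help\s*desk", re.I)

def lookalike_tenant(domain: str, sender_name: str) -> bool:
    """True when an external sender uses a default-named tenant plus support/security wording."""
    if not domain.lower().endswith(TENANT_SUFFIX):
        return False
    label = domain[:-len(TENANT_SUFFIX)]  # check only the tenant label, not the shared suffix
    return bool(LURE_WORDS.search(label) or LURE_WORDS.search(sender_name))

def flagged_lures(events):
    """Users who received a lookalike chat at all: the broad hunt for targeted accounts."""
    return sorted({e["user"] for e in events if e["type"] == "TeamsExternalChat"
                   and lookalike_tenant(e["sender_domain"], e["sender_name"])})

def suspicious_chains(events, window_minutes: int = 30):
    """Pair a lookalike chat with a device registration by the same user shortly afterwards.

    A new device right after the chat is the pattern worth triage: the actor may be enrolling
    a device to get past conditional access policies that trust managed devices only."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    hits = []
    for lure in events:
        if lure["type"] != "TeamsExternalChat" or not lookalike_tenant(lure["sender_domain"], lure["sender_name"]):
            continue
        deadline = ts(lure) + timedelta(minutes=window_minutes)
        for ev in events:
            if (ev["type"] == "DeviceRegistered" and ev["user"] == lure["user"]
                    and ts(lure) <= ts(ev) <= deadline):
                hits.append((lure["user"], lure["sender_domain"], ev["device"]))
    return hits

if __name__ == "__main__":
    print(flagged_lures(EVENTS))      # ['alice@example.org', 'carol@example.org']
    print(suspicious_chains(EVENTS))  # [('alice@example.org', 'contoso-msecurity.onmicrosoft.com', 'DESKTOP-NEW1')]
```

Bob's chat from a plainly named partner tenant and his later device enrolment are left alone, while Carol's lure is surfaced even though nothing followed it, which is the kind of list the targeted-user guidance is meant to produce.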

Microsoft also provided guidance to help organizations identify users targeted by these Teams phishing lures, as well as a list of subdomains controlled by Midnight Blizzard.

While we applaud Redmond for getting out ahead of the latest criminal efforts to compromise accounts, the timing is unfortunate as the Windows giant is already fighting several other security fires affecting its products and users.

In July Microsoft admitted that Chinese spies broke into Exchange Online email accounts, including those belonging to the US Department of State and the US Department of Commerce.

Last week, US Senator Ron Wyden (D-OR) blamed Microsoft in scathing terms for the incident and demanded three separate government agencies launch investigations and hold Redmond responsible for "negligent cybersecurity practices."

Then on Wednesday the US House Committee on Oversight and Accountability opened an investigation into the Chinese cyber snooping on government agencies.

In separate letters sent to Secretary of State Antony Blinken [PDF] and Secretary of Commerce Gina Raimondo [PDF], whose Microsoft email account was among those compromised, the lawmakers said the government break-ins "reflects a new level of skill and sophistication from China's hackers."

"The incident even raises the possibility that Chinese hackers may be able to access high-level computer networks and remain undetected for months if not years," the letters continue.

The elected officials requested staff briefings with both federal agencies "as soon as possible but no later than August 9," and said they want to know details about the discovery and impact of the intrusion, how each department responded, and what they are doing to prevent future failings. ®