Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). This latest activity shows Midnight Blizzard’s ongoing use of compromised Microsoft 365 tenants to execute social engineering, steal credentials, and gain access to targeted organizations. #MidnightBlizzard #NOBELIUM #MicrosoftTeams #MFA #FOGGYWEB #MAGICWEB #ADFS
Keypoints
- The attacker uses compromised Microsoft 365 tenants from small businesses to host and launch social engineering lures with security-themed domains.
- Lures are deployed via Microsoft Teams chats to solicit MFA codes and steal credentials from targeted organizations.
- The campaign has affected fewer than 40 unique global organizations, targeting sectors such as government, NGOs, IT services, technology, manufacturing, and media.
- Midnight Blizzard employs a mix of credential attacks (token theft, spear-phishing, password spray) and cloud-focused techniques, including AD FS malware FOGGYWEB and MAGICWEB.
- The actor leverages service providers’ trust chains to reach downstream customers and may attempt device enrollment via Entra ID to bypass access controls.
- The operation reflects a persistent espionage objective with a focus on long-term access and information theft from targeted tenants.
- Microsoft recommends user training, phishing-resistant practices, and Defender/Sentinel hunting capabilities to detect and mitigate this activity.
MITRE Techniques
- [T1566.003] Spearphishing via Service – The attack uses Microsoft Teams as the delivery channel for credential theft phishing lures. Quote: ‘credential theft phishing lures sent as Microsoft Teams chats.’
- [T1078] Valid Accounts – The actor uses or targets valid accounts to access Microsoft 365 tenants. Quote: ‘The actor has obtained valid account credentials …’
- [T1621] Multi-Factor Authentication Request Generation – The Teams lure asks the target to enter an MFA code; once the user does, the actor is granted a token to authenticate as that user. (The original tag, T1134 Access Token Manipulation, describes Windows process-token impersonation rather than cloud sign-in tokens.) Quote: ‘the actor is granted a token to authenticate as the targeted user.’
- [T1584] Compromise Infrastructure – The actor uses Microsoft 365 tenants belonging to small businesses it has already compromised (rather than infrastructure it registered itself, which would be T1583) to host and launch the social engineering attack. Quote: ‘uses Microsoft 365 tenants owned by small businesses they have compromised … to host and launch their social engineering attack.’
- [T1199] Trusted Relationship – Exploitation of service providers’ trust chain to gain access to downstream customers. Quote: ‘exploitation of service providers’ trust chain to gain access to downstream customers.’
- [T1036] Masquerading – The actor uses security-themed or product name-themed keywords to create a new subdomain and tenant name to lend legitimacy to the messages. Quote: ‘uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages.’
- [T1041] Exfiltration Over C2 Channel – Post-compromise activity involves information theft from the compromised Microsoft 365 tenant; the page does not describe the exfiltration channel, so this mapping is approximate. Quote: ‘post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant.’
Indicators of Compromise
- [Domain name] Malicious actor-controlled subdomains – mlcrosoftaccounts.onmicrosoft[.]com, msftonlineservices.onmicrosoft[.]com, msonlineteam.onmicrosoft[.]com, msftservice.onmicrosoft[.]com, noreplyteam.onmicrosoft[.]com, accounteam.onmicrosoft[.]com, teamsprotection.onmicrosoft[.]com, identityverification.onmicrosoft[.]com, msftprotection.onmicrosoft[.]com, accountsverification.onmicrosoft[.]com, azuresecuritycenter.onmicrosoft[.]com
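The IOCs above are defanged with `[.]`, and every one of them is an `onmicrosoft.com` initial tenant domain built from a security- or product-themed label. The following Python is an added example (not code from Microsoft or from the original page) that refangs the list, checks the sender domain of Teams chat messages against it, and applies a looser heuristic for lookalike tenant names that are not yet on the list. The message records are constructed for the example; the keyword list is this example's own assumption, derived from the naming pattern the IOCs show, and will produce false positives on legitimate tenants whose initial domain happens to contain one of the words.

```python
import re

# IOCs exactly as listed on the page (defanged with "[.]").
DEFANGED_IOCS = [
    "mlcrosoftaccounts.onmicrosoft[.]com",
    "msftonlineservices.onmicrosoft[.]com",
    "msonlineteam.onmicrosoft[.]com",
    "msftservice.onmicrosoft[.]com",
    "noreplyteam.onmicrosoft[.]com",
    "accounteam.onmicrosoft[.]com",
    "teamsprotection.onmicrosoft[.]com",
    "identityverification.onmicrosoft[.]com",
    "msftprotection.onmicrosoft[.]com",
    "accountsverification.onmicrosoft[.]com",
    "azuresecuritycenter.onmicrosoft[.]com",
]

# Assumed keyword list for lookalike tenant names (this example's own choice,
# modelled on the labels above; expect false positives on legitimate tenants).
LURE_KEYWORDS = (
    "microsoft", "msft", "msonline", "protection", "verification",
    "security", "identity", "azure", "account",
)

ONMICROSOFT_SUFFIX = ".onmicrosoft.com"


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' or 'a(.)b' back into 'a.b'."""
    return re.sub(r"[\[\(]\.[\]\)]", ".", domain).strip().lower()


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def sender_domain(upn: str) -> str:
    """Domain part of a Teams sender's user principal name, lower-cased."""
    return upn.rsplit("@", 1)[-1].strip().lower()


def normalize_label(label: str) -> str:
    """Collapse the common homoglyph substitutions (l/1 for i, 0 for o) so
    'mlcrosoft' and 'm1cr0soft' both compare as 'microsoft'."""
    return label.translate(str.maketrans({"l": "i", "1": "i", "0": "o"}))


def classify_sender(upn: str) -> str:
    """Return 'ioc_match', 'suspicious_tenant_name' or 'clean' for a sender UPN."""
    domain = sender_domain(upn)
    if domain in IOC_DOMAINS:
        return "ioc_match"
    if domain.endswith(ONMICROSOFT_SUFFIX):
        # The initial tenant domain is chosen by whoever controls the tenant;
        # themed labels with no custom domain are the pattern on this page.
        label = domain[: -len(ONMICROSOFT_SUFFIX)]
        candidates = (label, normalize_label(label))
        if any(k in c for k in LURE_KEYWORDS for c in candidates):
            return "suspicious_tenant_name"
    return "clean"


def triage(messages):
    """Classify a batch of {'sender': upn, 'text': str} records.

    Returns only the records that need attention, each with a verdict and a
    flag for MFA-code solicitation in the message body."""
    code_pattern = re.compile(r"\b(verification|mfa|authenticat\w*)\b.*\bcode\b", re.I)
    findings = []
    for msg in messages:
        verdict = classify_sender(msg["sender"])
        asks_for_code = bool(code_pattern.search(msg["text"]))
        if verdict != "clean" or asks_for_code:
            findings.append({"sender": msg["sender"], "verdict": verdict,
                             "asks_for_code": asks_for_code})
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_MESSAGES = [
    {"sender": "security@msftprotection.onmicrosoft.com",
     "text": "Your sign-in was flagged. Reply with the verification code to keep access."},
    {"sender": "helpdesk@m1crosoft-securityteam.onmicrosoft.com",
     "text": "Please confirm the MFA code shown in your Authenticator app."},
    {"sender": "bob@contoso.com", "text": "Lunch at noon?"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding)
```

Run against exported Teams chat metadata, `ioc_match` hits are the ones to act on immediately; `suspicious_tenant_name` hits are a hunting lead, since the actor renames tenants and the IOC list will not stay current.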