Midnight Blizzard Conducts Targeted Social Engineering Attacks Over Microsoft Teams
Social engineering threats continue to evolve in sophistication, with attackers exploring new avenues to take advantage of the weak link in cybersecurity: the human factor. One such recent threat discovered by Help AG’s managed security services team comes from a threat actor called ‘Midnight Blizzard’, previously known as NOBELIUM. Linked to Iranian threat actors, APT34, they have staged a series of targeted social engineering attacks.
Focus of the Attack
Organizations in the United Arab Emirates have been at the forefront of Midnight Blizzard’s malicious pursuits. However, it’s important to note that their activities have cast a wider net, affecting global organizations.
Modus Operandi
Midnight Blizzard has abused a platform we have all grown reliant on: Microsoft Teams. By leveraging chats in Teams, they disseminate phishing lures aimed at credential theft. Their strategy primarily targets compromised Microsoft 365 tenants of small businesses, creating domains that pose as technical support entities, which they then use to dispatch Teams messages in the hope of stealing credentials.
Broader Objective
The choice of targets is not random. The threat actor behind this campaign focuses on specific government and industry sectors, such as IT services and technology providers, manufacturing companies, and media outlets, in pursuit of an espionage agenda. With fewer than 40 global organizations known to be affected so far, the campaign appears highly targeted.
Guarding Against the Threat
As Midnight Blizzard’s tactics come to light, it is pivotal for organizations to bolster their defenses. Recommendations include, but are not limited to, the best practices listed below.
- Keep all systems updated.
- Educate employees about phishing threats and suspicious emails.
- Avoid unknown or untrusted links and attachments.
- Enforce restricted PowerShell script execution for users.
- Regularly monitor networks for abnormal behaviors.
- Implement strong password policies coupled with Multi-Factor Authentication (MFA).
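The monitoring recommendation above can be made concrete for the technique described under Modus Operandi: flag external Teams chats that arrive from a previously unseen tenant, use a support-themed sender domain, and carry credential or MFA lure language. The example below is added here and is not Help AG code; the JSON event schema (`sender`, `external`, `tenant_known`, `text`) and the sample messages are constructed for illustration and do not match any real Microsoft log format.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Teams chat events in a hypothetical, simplified schema
# (not a real Microsoft audit-log format): one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2023-08-02T09:14:00Z","sender":"helpdesk@contoso-itsupport.example","external":true,"tenant_known":false,"text":"Your MFA settings need to be reset. Reply with the code shown in your Authenticator app."}
{"ts":"2023-08-02T09:20:00Z","sender":"alice@contoso.example","external":false,"tenant_known":true,"text":"Lunch at noon?"}
{"ts":"2023-08-02T10:02:00Z","sender":"bob@partner.example","external":true,"tenant_known":true,"text":"Sending the revised SOW today."}
{"ts":"2023-08-02T10:45:00Z","sender":"admin@microsoft-security-team.example","external":true,"tenant_known":false,"text":"Please approve the sign-in request to keep your account active."}
"""

# Tokens typical of lookalike "technical support" sender domains; tune per organisation.
SUPPORT_TOKENS = re.compile(r"(support|helpdesk|help-desk|security|identity|microsoft|it-?services?)", re.I)
# Phrases that push a recipient toward handing over credentials or MFA codes.
LURE_PHRASES = re.compile(r"(mfa|authenticator|verification code|reset|approve|sign-?in request|keep your account)", re.I)

@dataclass
class Finding:
    ts: str
    sender: str
    score: int
    reasons: List[str]

def score_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for external chats that look like a support-impersonation lure, else None."""
    if not ev.get("external"):
        return None  # internal chats are out of scope for this detection
    reasons, score = [], 0
    domain = ev["sender"].rsplit("@", 1)[-1]
    if not ev.get("tenant_known"):
        reasons.append("sender tenant never seen before"); score += 2
    if SUPPORT_TOKENS.search(domain):
        reasons.append(f"support-themed sender domain {domain!r}"); score += 2
    if LURE_PHRASES.search(ev.get("text", "")):
        reasons.append("credential/MFA lure language"); score += 1
    # A single weak signal (e.g. a new partner tenant) is not enough; require two or more.
    return Finding(ev["ts"], ev["sender"], score, reasons) if score >= 3 else None

def scan(jsonl: str) -> List[Finding]:
    """Scan newline-delimited JSON events and return the findings in input order."""
    findings = [score_event(json.loads(line)) for line in jsonl.splitlines() if line.strip()]
    return [f for f in findings if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.ts, f.sender, f.score, "; ".join(f.reasons))
```

Findings from a real feed would be routed to the SOC for triage and, where confirmed, to the tenant allow/block list for external access.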
In today’s interconnected era, the landscape of cybersecurity is in a perpetual state of flux. The ingenious technique employed by Midnight Blizzard, abusing Microsoft Teams, serves as a stark reminder of the imperative to lead the charge against such evolving threats. Organizations must remain vigilant, empower and educate their teams, and fortify their defenses to fend off such sophisticated threats.