Cybercriminals Impersonate Tech Support To Obtain Microsoft Teams Login Information
On Wednesday, researchers from Microsoft revealed that a hacking group associated with the Russian government has targeted numerous international organizations. Their strategy involves tricking users into believing they are interacting with technical support in Microsoft Teams chats, with the intention of stealing their login credentials.
These “highly targeted” social engineering attacks have affected “fewer than 40 unique global organizations” since late May, Microsoft researchers said in a blog post, adding that the company is investigating.
The Russian Embassy in Washington did not immediately respond to a request for comment.
Hackers set up domains and accounts that looked like tech support and tried to engage Teams users in conversations and get them to accept multi-factor authentication (MFA) prompts, the researchers said.
“Microsoft has stopped the actor from using the domains and continues to investigate this activity and work to correct the impact of the attack,” they added.
Teams is a business communication platform developed by Microsoft with more than 280 million active users, according to the company’s January financial statements.
MFA is a widely recommended security measure against account takeover and credential theft. The targeting of Teams suggests that hackers are finding new ways to bypass it.
The hacking group behind this operation, known in the industry as Midnight Blizzard or APT29, is based in Russia and has been linked by the UK and US governments to the country’s foreign intelligence service, researchers said.
“The organizations targeted by this activity likely demonstrate Midnight Blizzard’s specific espionage goals targeting the government, NGO, IT services, technology, discrete industry, and media sectors,” they said, without naming any targets.
“This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s continued pursuit of its goals using both new and common technologies,” the researchers wrote.
They added that Midnight Blizzard has been known to target such organizations mainly in the United States and Europe.
Hackers used already compromised Microsoft 365 accounts owned by small businesses to create new domains that appeared to be tech support entities and included the word “microsoft,” according to the Microsoft blog. Accounts tied to those domains then sent phishing messages to people through Teams, researchers said.
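As a defender-side illustration of the sequence the article describes (an external Teams chat from a lookalike "microsoft" domain, followed shortly by the user approving an MFA prompt), here is an added Python example that is not from the article or from Microsoft. The log schema, the sample records and the trusted-domain list are constructed assumptions, not Microsoft's real audit-log format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log lines (one JSON record per line). The field names are an
# assumed, simplified schema for this example, not Microsoft's actual audit-log format.
SAMPLE_LOG = """\
{"ts":"2023-08-02T09:00:00Z","type":"teams_chat","user":"alice@example.org","sender_domain":"helpdesk-microsoft.onmicrosoft.com","external":true}
{"ts":"2023-08-02T09:04:00Z","type":"mfa_prompt","user":"alice@example.org","result":"approved"}
{"ts":"2023-08-02T10:00:00Z","type":"teams_chat","user":"bob@example.org","sender_domain":"partner.example.net","external":true}
{"ts":"2023-08-02T10:30:00Z","type":"mfa_prompt","user":"bob@example.org","result":"approved"}
{"ts":"2023-08-02T11:00:00Z","type":"teams_chat","user":"carol@example.org","sender_domain":"microsoft.com","external":true}
{"ts":"2023-08-02T11:01:00Z","type":"mfa_prompt","user":"carol@example.org","result":"approved"}
"""

# Domains your tenant has verified as genuinely Microsoft-operated (assumption for the example).
# Note that a tenant's own *.onmicrosoft.com name is NOT covered by the "microsoft.com" suffix.
TRUSTED_MS_DOMAINS = {"microsoft.com"}

def is_lookalike_domain(domain: str) -> bool:
    """True if an external domain contains 'microsoft' but is not a trusted Microsoft domain."""
    d = domain.lower()
    if d in TRUSTED_MS_DOMAINS or d.endswith(tuple("." + t for t in TRUSTED_MS_DOMAINS)):
        return False
    return "microsoft" in d

def parse_log(text: str) -> list[dict]:
    """Parse JSON-per-line records and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_sequences(events: list[dict], window=timedelta(minutes=15)) -> list[dict]:
    """Flag an approved MFA prompt that follows a lookalike external Teams chat within `window`."""
    alerts, pending = [], {}  # pending: user -> (timestamp, sender_domain) of last lookalike chat
    for e in events:
        if e["type"] == "teams_chat" and e.get("external") and is_lookalike_domain(e["sender_domain"]):
            pending[e["user"]] = (e["ts"], e["sender_domain"])
        elif e["type"] == "mfa_prompt" and e["result"] == "approved" and e["user"] in pending:
            chat_ts, domain = pending.pop(e["user"])
            if e["ts"] - chat_ts <= window:
                alerts.append({"user": e["user"], "sender_domain": domain,
                               "minutes_between": (e["ts"] - chat_ts).seconds // 60})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_sequences(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only the first user's sequence is flagged: the second sender is not a lookalike domain, and the third is on the trusted list.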