Russia-backed hackers posed as Microsoft Teams tech support to breach around 40 global organizations, including government agencies.
Microsoft said Wednesday that it traced the "highly targeted" hacking campaign to a group called "Midnight Blizzard," more commonly known as APT29 or Cozy Bear. That group is part of Russia's Foreign Intelligence Service (SVR).
The attacks began in May.
"To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack," Microsoft said in its blog.
From there, the hackers created domains that masqueraded as technical support from Microsoft Teams, then sent out requests to chat with a user about security.
"If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device," Microsoft said.
"If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user's Microsoft 365 account, having completed the authentication flow."
It's the second embarrassment for Microsoft in a matter of weeks.
Chinese hackers earlier this month were able to gain access to email accounts of U.S. government employees by exploiting a Microsoft cloud bug.
© 2025 Newsmax. All rights reserved.