Cozy Bear hijacks SME Microsoft 365 tenants in latest campaign

A new campaign of social engineering activity targeting organisations of interest to Russian intelligence has been observed in the wild, in which already-compromised Microsoft 365 tenants owned by legitimate small businesses are being used to ensnare victims through bogus Microsoft Teams messages.

The activity is attributed to the advanced persistent threat (APT) group most popularly known as Cozy Bear, which under Microsoft’s revised terminology was recently rebranded from Nobelium to Midnight Blizzard, but also goes by APT29 and UNC2452 depending on whose report you read. The group is arguably most famous for the 2020/1 SolarWinds Sunburst incident.

In a new advisory posted on 2 August, Microsoft revealed how Cozy Bear exploited unwitting SMEs to create new domains using the legitimate onmicrosoft.com subdomain. These domains would have appeared to a casual observer to be technical support entities and used cyber security-themed terminology.

The group was then able to add a new user associated with the fraudulent domain and use that identity to send Teams messages to potential targets, by means of which it attempted to steal credentials by engaging the user and getting them to approve multifactor authentication (MFA) prompts.

“Our current investigation indicates this campaign has affected fewer than 40 unique global organisations,” said Microsoft.

“Spearphishing attacks target individuals with access to specific information... As with your email, you should be sceptical of unsolicited approaches from anyone external to the organisation trying to reach out through Teams”

“The organisations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organisations (NGOs), IT services, technology, discrete manufacturing and media sectors.

“Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.”

Cozy Bear’s latest ruse is another example of the APT’s remarkable consistent and persistent approach to operational targeting, and its determination to stay one step ahead of defenders by constantly innovating its tactics, techniques and procedures (TTPs).

It has often been observed using somewhat novel methods to entice its victims into making a mistake. Last month, Palo Alto Networks’ Unit 42 caught it piggybacking on an advert for a used BMW, posted online by a Polish diplomat in Kyiv.

My1Login CEO Mike Newman said this latest technique would have been almost impossible for the untrained eye to spot.

“Because the attackers were using a legitimate Microsoft domain, it would only have taken a very curious and security-savvy user to investigate the prompts further and realise they were fake. As a result of this, even despite the low number of organisations targeted, this attack would have picked up many victims,” he said.

“Businesses therefore need to take their own remediation action against these threats, and one of the best ways to do this is by removing passwords and credentials from users’ hands. This means even when highly sophisticated scams do reach user inboxes, users can’t be tricked into handing over their credentials because they simply do not know them.”

ESET government affairs director Andy Garth added: “Spear phishing attacks target individuals with access to specific information, thus requiring the attackers to undertake background work to hone their approach, gain the confidence of their victims and lure them. As with your email, you should also be sceptical of unsolicited approaches from anyone external to the organisation trying to reach out through Teams.”