{ "id": "1a45ef07-892c-4c89-8a64-400e3adeb5f6", "created_at": "2026-04-06T00:16:00.527313Z", "updated_at": "2026-04-10T03:37:33.15647Z", "deleted_at": null, "sha1_hash": "cd0f92b37e775e1d4ffa3b235044bdcfc9e74b82", "title": "Midnight Blizzard conducts targeted social engineering over Microsoft Teams | Microsoft Security Blog", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 242803, "plain_text": "Midnight Blizzard conducts targeted social engineering over\r\nMicrosoft Teams | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-08-02 · Archived: 2026-04-05 18:31:05 UTC\r\nMicrosoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft\r\nphishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard\r\n(previously tracked as NOBELIUM). This latest attack, combined with past activity, further demonstrates\r\nMidnight Blizzard’s ongoing execution of their objectives using both new and common techniques. In this latest\r\nactivity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create\r\nnew domains that appear as technical support entities. Using these domains from compromised tenants, Midnight\r\nBlizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by\r\nengaging a user and eliciting approval of multifactor authentication (MFA) prompts. As with any social\r\nengineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that\r\nany authentication requests not initiated by the user should be treated as malicious.\r\nOur current investigation indicates this campaign has affected fewer than 40 unique global organizations. The\r\norganizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed\r\nat government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and\r\nmedia sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity\r\nand work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has\r\ndirectly notified targeted or compromised customers, providing them with important information needed to secure\r\ntheir environments.\r\nMidnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the\r\nForeign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to\r\nprimarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service\r\nproviders primarily in the US and Europe. Their focus is to collect intelligence through longstanding and\r\ndedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve\r\ncompromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise\r\nauthentication mechanisms within an organization to expand access and evade detection.\r\nMidnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change.\r\nThey utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of\r\non-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain\r\naccess to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as\r\nFOGGYWEB and MAGICWEB. Midnight Blizzard (NOBELIUM) is tracked by partner security vendors as\r\nAPT29, UNC2452, and Cozy Bear.\r\nMidnight Blizzard’s latest credential phishing attack\r\nhttps://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/\r\nPage 1 of 6\n\nMidnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in\r\naddition to authentication spear-phishing, password spray, brute force, and other credential attacks. The attack\r\npattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader\r\ncredential attack campaigns that we attribute to Midnight Blizzard.\r\nUse of security-themed domain names in lures\r\nTo facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised\r\nin previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant,\r\nadds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the\r\noutbound message to the target tenant. The actor uses security-themed or product name-themed keywords to\r\ncreate a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to\r\ncompromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part\r\nof our ongoing investigation. Microsoft has mitigated the actor from using the domains.\r\nIn this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or\r\nthey are targeting users with passwordless authentication configured on their account – both of which require the\r\nuser to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator\r\napp on their mobile device.\r\nAfter attempting to authenticate to an account where this form of MFA is required, the actor is presented with a\r\ncode that the user would need to enter in their authenticator app. The user receives the prompt for code entry on\r\ntheir device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter\r\nthe code into the prompt on their device.\r\nStep 1: Teams request to chat\r\nThe target user may receive a Microsoft Teams message request from an external user masquerading as a technical\r\nsupport or security team.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/\r\nPage 2 of 6\n\nFigure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled\r\naccount\r\nStep 2: Request authentication app action\r\nIf the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker\r\nattempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device.\r\nFigure 2: A Microsoft Teams prompt with a code and instructions.\r\nStep 3: Successful MFA authentication\r\nIf the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the\r\nthreat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft\r\n365 account, having completed the authentication flow.\r\nThe actor then proceeds to conduct post-compromise activity, which typically involves information theft from the\r\ncompromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a\r\nmanaged device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent\r\nconditional access policies configured to restrict access to specific resources to managed devices only.\r\nRecommendations\r\nhttps://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/\r\nPage 3 of 6\n\nMicrosoft recommends the following mitigations to reduce the risk of this threat.\r\nPilot and start deploying phishing-resistant authentication methods for users.\r\nImplement Conditional Access authentication strength to require phishing-resistant authentication for\r\nemployees and external users for critical apps.\r\nApply security best practices for Microsoft Teams. Refer to the security guide for Microsoft Teams.\r\nUnderstand and select the best access settings for external collaboration for your organization.\r\nSpecify trusted Microsoft 365 organizations to define which external domains are allowed or\r\nblocked to chat and meet.\r\nKeep Microsoft 365 auditing enabled so that audit records could be investigated if required.\r\nAllow only known devices that adhere to Microsoft’s recommended security baselines.\r\nEducate users about social engineering and credential phishing attacks, including refraining from entering\r\nMFA codes sent via any form of unsolicited messages.\r\nEducate Microsoft Teams users to verify ‘External’ tagging on communication attempts from\r\nexternal entities, be cautious about what they share, and never share their account information or\r\nauthorize sign-in requests over chat.\r\nEducate Microsoft Teams users about accepting or blocking people outside the organization who\r\nsend messages in Microsoft Teams.\r\nEducate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.\r\nImplement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting\r\nfrom unmanaged devices.\r\nIndicators of compromise\r\nIndicator Type Description\r\nmlcrosoftaccounts.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\nmsftonlineservices.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\nmsonlineteam.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\nmsftservice.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\nnoreplyteam.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\naccounteam.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\nhttps://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/\r\nPage 4 of 6\n\nteamsprotection.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\nidentityverification.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\nmsftprotection.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\naccountsverification.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\nazuresecuritycenter.onmicrosoft[.]com\r\nDomain\r\nname\r\nMalicious actor-controlled\r\nsubdomain\r\nHunting guidance\r\nMicrosoft Purview\r\nCustomers hunting for related activity in their environment can identify users that were targeted with the phishing\r\nlure using content search in Microsoft Purview. A content search can be created for selected Exchange mailboxes\r\n(which include Teams messages) using the following keywords (remove the [] around the “.” before use): \r\nmlcrosoftaccounts.onmicrosoft[.]com\r\nmsftonlineservices.onmicrosoft[.]com\r\nmsonlineteam.onmicrosoft[.]com\r\nmsftservice.onmicrosoft[.]com\r\nnoreplyteam.onmicrosoft[.]com\r\naccounteam.onmicrosoft[.]com\r\nteamsprotection.onmicrosoft[.]com\r\nidentityverification.onmicrosoft[.]com\r\nmsftprotection.onmicrosoft[.]com\r\naccountsverification.onmicrosoft[.]com\r\nazuresecuritycenter.onmicrosoft[.]com\r\nWe detected a recent change to your preferred Multi-Factor Authentication (MFA)\r\nThe search results will include the messages that match the criteria. The first result will appear to be from\r\n\u003cthreadid\u003e@unq.gbl.spaces addressed to the target user and the threat actor (i.e., the request to chat as described\r\nin Step 1), followed by the message sent by the threat actor, as shown in the Microsoft Purview image below:\r\nhttps://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/\r\nPage 5 of 6\n\nFigure 3: Message sent by the threat actor, as shown in Microsoft Purview\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”)\r\nto automatically match indicators associated with Midnight Blizzard in Microsoft Defender Threat Intelligence\r\nwith data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat\r\nIntelligence solution from the Microsoft Sentinel Content Hub to have the Defender Threat Intelligence connector\r\nand analytics rule deployed in their Sentinel workspace. Learn more about the Content Hub.\r\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect\r\nactivity related to the activity described in this blog:\r\nAzure portal sign-in from another Azure tenant\r\nSuccessful sign-in from non-compliant device\r\nUser accounts – Sign-in failure due to CA spikes\r\nNew onmicrosoft domain added to tenant\r\nFurther reading\r\nRead about the threat actor Midnight Blizzard (formerly tracked as NOBELIUM).\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on Twitter\r\nat https://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-tea\r\nms/\r\nhttps://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY", "ETDA", "MITRE" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/" ], "report_names": [ "midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams" ], "threat_actors": [ { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434560, "ts_updated_at": 1775792253, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/cd0f92b37e775e1d4ffa3b235044bdcfc9e74b82.pdf", "text": "https://archive.orkl.eu/cd0f92b37e775e1d4ffa3b235044bdcfc9e74b82.txt", "img": "https://archive.orkl.eu/cd0f92b37e775e1d4ffa3b235044bdcfc9e74b82.jpg" } }