Phishing campaign via Microsoft Teams targeting public sector organisations

Target Industry

Public sector organisations around the world.

Updated Target Industry: 14th September 2023

Public, energy and retail sector organisations around the world.

Overview

The Quorum Cyber Incident Response and Threat Intelligence team has detected a phishing campaign that is being conducted via Microsoft Teams. The attack chain involved the creation of an external Microsoft Teams account, whereby phishing messages containing a malicious ‘.zip’ attachment were sent to victims. Additionally, the threat actor established new groups within the Microsoft Teams application and added participants individually in order to deliver the phishing messages containing malicious executable content.

A full technical analysis report of the incident will be released on the Quorum Cyber website in due course.

In addition to the incident, intelligence suggests that the Russian nation-state sponsored threat actor group, tracked as Midnight Blizzard, recently engaged in a similar phishing campaign via Microsoft Teams, targeting worldwide public sector organisations. In these instances, the threat actor group also applied the vector via an external account, through a ‘onmicrosoft[.]com’ domain. It was further detected that in such cases Midnight Blizzard operators applied these domains to perform targeted social engineering by sending technical support decoy messages to deceive their targets into approving multi-factor authentication (MFA) prompts.

Updated Overview: 14th September 2023

A new Microsoft Teams phishing campaign was recently detected that was associated with the delivery of malicious attachments, resulting in the installation of the DarkGate Loader malware. As with previous campaigns, the attack chain involved the phishing messages being sent by compromised external Office 365 accounts to target organisations.

Impact

The method of intrusion, as well as the nature of the Microsoft Teams message delivery in such incidents, are highly sophisticated and specifically designed to deceive the intended victim, resulting in difficulties involving detection.

If undetected and denied access by an endpoint detection and response (EDR) solution, threat actors engaged in this form of phishing campaign will almost certainly compromise sensitive data contained within the target environment. If successful, the compromise of sensitive data is almost certainly based on the typical deployment of C2 infrastructure by threat actors associated with these phishing campaigns. Therefore, the implementation of immediate defensive action is vital to prevent the compromise of target infrastructure and data.

Updated Impact: 14th September 2023

Interacting with the malicious attachments mentioned above triggers the download of the ZIP file from a SharePoint URL, which in turn contains an LNK file masquerading as a PDF document.

DarkGate is a potent malware that supports a wide range of malicious operations, including cryptocurrency mining, reverse shell establishment, keylogging, clipboard and system information stealing. As such, installation of the malware on target systems will almost certainly result in the compromise of the integrity of data

Incident Detection

Organisations can detect for phishing activity in their environment by identifying users that were targeted with the attack vector. Microsoft has established a strategy of hunting for the threat via searches conducted in Microsoft Purview, as well as the utilisation of Threat Intelligence Mapping analytics within Microsoft Sentinel.

Affected Products

Microsoft Teams.

Containment, Mitigations & Remediations

It is strongly recommended that the following defensive strategies, outlined by Microsoft, are implemented in order to mitigate against the threat of phishing attempts via Microsoft Teams:

• Deploy phishing-resistant authentication methods for users
• Implement Conditional Access authentication with regards to employees and external users for business-critical applications
• Specify trusted Microsoft 365 organisations to outline which external domains are to be permitted or blocked
• Enable Microsoft 365 auditing to allow for follow-up investigations
• Select the best access settings for external collaboration regarding the organisation
• Only allow known devices that adhere to Microsoft’s recommended security baseline requirements
• Educate users in the organisation with regards to social engineering and credential phishing attacks, with an emphasis on refraining from entering MFA codes sent via unsolicited messages
• Educate Microsoft Teams users to verify ‘External’ tagging originating from external entities; ensure that users never share their account information or authorise sign-in requests via the Microsoft Teams chat
• Educate users to review sign-in activity and to note suspicious sign-in attempts
• Implement Conditional Access App Control in Microsoft Defender for Cloud Apps with regards to users connecting from unmanaged devices.

Furthermore, it is strongly recommended that the security best practices outlined below are followed to bolster the security posture of an organisation against potential attacks originating from Russian Foreign Intelligence Service (SVR) affiliated threat actor groups, such as Midnight Blizzard:

• SVR threat actors regularly exploit publicly known vulnerabilities and complex supply chain attacks to gain initial access onto target networks. Managing and applying security updates as quickly as possible will help reduce the attack surface available for SVR actors and force them to use higher equity tooling to gain a foothold in target networks.
• Despite the complexity of supply chain attacks, following basic cyber security principles will make it harder for sophisticated threat actors to compromise target networks. Implementing network security controls and effectively managing user privileges will prevent lateral movement between hosts, which will limit the effectiveness of complex attacks.
• Organisation may be able to detect supply chain attacks via heuristic detection methodologies, such as the volume of emails being accessed or by identifying anomalous network traffic.
• Organisations should ensure sufficient logging (both cloud and on-premises) is enabled and stored for a suitable period of time to identify compromised accounts, exfiltrated material and threat actor infrastructure. Mail retention and content policies should also be implemented to reduce the amount of sensitive data available upon successful compromise.
• As part of Microsoft’s ‘Advanced Auditing’ functionality, Microsoft has introduced a new mailbox auditing action called ‘MailItemsAccessed’ which allows for the investigation of compromised email accounts. This is part of Exchange mailbox auditing and is enabled by default for users that are assigned an Office 365 or Microsoft 365 E5 licence or for organisations with a Microsoft 365 E5 compliance add-on subscription.
• Protect devices and networks by ensuring that they are up to date. Use the latest supported versions, apply security patches promptly, use anti-virus platforms and scan regularly to guard against known malware threats.
• Enforce MFA to reduce the impact of password compromises.

Indicators of Compromise

Incident Network Indicator:

5[].]188[.]87[.]58

Incident Email Address:

patricia[].]toolan@tionov[].]onmicrosoft[].]com

For a full list of Indicators of Compromise relating to the Midnight Blizzard threat actor group, as well as their recent Microsoft Teams phishing campaign, please refer to the Quorum Cyber Threat Intelligence Midnight Blizzard Threat Actor Profile and the Microsoft Security Threat Intelligence Blog, respectively.

Updated Indicators of Compromise: 14th September 2023

andrew[.]rennie[@]sophiaturner698[.]onmicrosoft[.]com

Threat Landscape

Midnight Blizzard is known for its interest in attaining secret geopolitical data that would be advantageous to the Russian state. The threat actor group performs within the context of the SVR which has disruptive capabilities to initiate advanced cyber espionage operations. As such, Midnight Blizzard acts with the motivation of conducting cyber espionage.

The objectives of Midnight Blizzard remain consistent. The group is known to apply a diverse range of initial ingress mechanisms that include stolen credentials, supply chain attacks, as well as the deployment of malware variants known as FOGGYWEB and MAGICWEB via the Active Directory Federation Service (AD FS).

The implementation of phishing attacks via Microsoft Teams in the incident reported on, combined with the previously mentioned attack vectors, indicates that Midnight Blizzard will almost certainly continue ongoing execution of their objectives, whilst continuously expanding their set of techniques.

Updated Threat Landscape: 14th September 2023

Throughout recent months, the rate of DarkGate malware deployment has increased via several cyber-attack vectors, including phishing and malvertising. Although, at the time of writing, DarkGate has yet to emerge as a widespread threat, the expanded targeting trends as well as the recruitment of numerous infection vectors has led to an assessment that it is likely that the prevalence of this threat will continue to surge in the coming months.

Threat Group

Midnight Blizzard (also known as APT29) is a threat actor group suspected to be attributed to the SVR and has been active since 2008. The nation-state sponsored group employs a wide variety of advanced techniques to execute their cyber operations in support of the SVR’s intelligence requirements.

Midnight Blizzard has been suspected of being involved in several high-profile attempted intrusions and compromises involving public sector organisations, including the Office Monkeys campaign in 2014, targeting a Washington D.C.-based private research institute, the Pentagon in 2015, the Democratic National Committee (DNC), US think tanks in 2016, the Norwegian Government and several Dutch ministries in 2017. The group has also targeted organisations within the education sector that are affiliated with medical research. It is highly likely that the group targets such institutions for the purposes of cyber espionage and to exfiltrate data relating to organisations involved in the advancement of the critical national infrastructure (CNI) of Western nations.

Midnight Blizzard applies a wide range of bespoke tools developed in a variety of programming languages, which demonstrates the resources at its disposal. The group also utilises publicly available commodity tools such as Mimikatz and Cobalt Strike.

Mitre Methodologies

Initial Access Technique:

T1566 – Phishing

Further Information

Quorum Cyber Threat Intelligence Midnight Blizzard Threat Actor Profile

Telekom Security DarkGate Loader Analysis

Truesec Incident Analysis