Alert - Midnight Blizzard conducts targeted social engineering over Microsoft Teams

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On August 2, 2023, Microsoft Threat Intelligence published an advisory^{Footnote 1} highlighting details of targeted social engineering activity by threat actor Midnight Blizzard (previously tracked by Microsoft as NOBELIUM) taking place over Microsoft Teams. Using previously compromised Microsoft 365 tenants renamed to appear as technical support entities, Midnight Blizzard steals credentials by sending messages over Teams to engage with users and bypass multifactor authentication (MFA) prompts.

While this campaign has affected fewer than 40 organizations globally, the Cyber Centre has received reports of attempts within Canada.

Suggested actions

The Cyber Centre recommends organizations:

• Review the Microsoft advisory and look for indicators of compromise to determine if related activity has occurred. If activity has been detected and a compromise has occurred:
  • Reimage compromised systems.
  • Reset all potentially compromised credentials.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions^{Footnote 2} with an emphasis on the following topics.

• Phishing Awareness. This includes both identification of phishing but also procedures on what to do if a phishing email is received.
  • The Cyber Centre has several publications available on Phishing Awareness^{Footnote 3Footnote 4Footnote 5}.
  • Phishing Technical Controls.
• Multi-factor Authentication.
  • Where feasible, implement phishing-resistant MFA like FIDO2 security keys, Windows Hello, and Certificate Based Auth.
• Enforcing the Management of Administrative Privileges.
  • Minimize the number of administrators and privileged roles.
  • Conduct administrative activities on managed, hardened, and dedicated devices with restricted access to email, web browsing and outside connectivity.
  • Enable two-person integrity when resetting administrative accounts to minimize successful social engineering activities.
• Remote Access Management and Controls.
  • Network segmentation and demilitarized zones (DMZs).
    • Configure firewalls to selectively control and monitor traffic passed between zones.
• Implementing location and device based conditional access policies.
• Software Management and Deployment Controls.
• Business continuity planning, which is tested and validated.

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.