Microsoft Under Attack! 

The tech giant has been at the receiving end of cyberattacks - first it was the Chinese and now it’s the Russians

Barely three weeks after Microsoft's credibility took a hit over a Chinese hacking exploit that opened up its cloud email service, the company is facing another threat. This time it is from Russia, where state-sponsored hackers posing as tech support on Microsoft Teams compromised dozens of global enterprises and government agencies.

According to security researchers at Microsoft, the highly targeted social engineering campaign was carried out by a state-sponsored hacking group traced to Russia. Microsoft said it tracks the group as Midnight Blizzard, though it is more commonly known as APT29 or Cozy Bear. A similar group was said to be behind the Chinese hacking exploit as well.

First it was Outlook Mail, now it’s Microsoft Teams

The group behind the latest instance has been linked to the SolarWinds attack of 2020 and identified as part of Russia's foreign intelligence service, the SVR, according to a TechCrunch report quoting US and UK law enforcement authorities. In the earlier instance, Microsoft had initiated a probe to ascertain how hackers got their hands on a Microsoft signing key that helped them forge authentication tokens.

The latest attack, which comes in the wake of an IBM survey that put the cost of a data breach at an all-time high so far in 2023, reportedly began at the end of May, when the hackers used previously compromised Microsoft 365 accounts to create new technical-support-themed domains. They then used these to send Microsoft Teams messages designed to manipulate users into approving multi-factor authentication prompts, which gave the attackers access to user accounts and data.

Microsoft says that if the target user accepted the message request, the user would receive a Microsoft Teams message from the hacker attempting to convince them to enter a code into the Microsoft Authenticator app on their smartphone. If the victim followed these instructions, the hacker would get full access to the user's account.

Microsoft says things have since been fixed

The company noted that fewer than 40 global organizations were targeted, a list that included government agencies, IT services companies, technology giants, and organizations in discrete manufacturing and the media. Microsoft did not name the companies targeted but suggested that the objective was specifically espionage.

The company also confirmed that it had taken mitigation measures to stop the hackers from using the domains and is probing the incident further. Microsoft noted that it would also look into the hackers' attempts to compromise legitimate Azure tenants and their use of homoglyph domains, those that exploit visual similarities between letters to impersonate legitimate ones.
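Homoglyph and support-themed lookalike domains are something a defender can screen for in message and tenant logs. The following Python is an added example, not Microsoft's tooling, and the brand list, confusable table and sample domains are all constructed for illustration: it normalises each domain label so that lookalike glyphs collapse onto the ASCII letters they resemble, then flags exact homoglyph matches, one-character typosquats, and labels that pair a protected brand with support wording.

```python
import unicodedata

# Brands this check protects (constructed list for the example).
BRANDS = ("microsoft", "office365")
# Words that give a lookalike label a "technical support" flavour.
SUPPORT_WORDS = ("support", "helpdesk", "security", "protection", "identity")

# Constructed sample of confusable glyphs mapped to the ASCII letter they
# resemble. Production code would use the full Unicode confusables table.
SINGLE_CONFUSABLES = {
    "0": "o", "1": "l", "ı": "i", "і": "i", "ο": "o", "о": "o",
    "ѕ": "s", "с": "c", "е": "e", "а": "a", "р": "p",
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Reduce a domain label to a canonical form so homoglyph variants collide."""
    s = unicodedata.normalize("NFKD", label)  # split accents from base letters
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = "".join(SINGLE_CONFUSABLES.get(c, c) for c in s)
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str):
    """Return a reason string if a label impersonates a protected brand, else None."""
    for label in domain.lower().rstrip(".").split("."):
        sk = skeleton(label)
        for brand in BRANDS:
            if sk == brand and label != brand:
                return f"homoglyph of {brand}: {label!r}"
            if sk != brand and edit_distance(sk, brand) == 1:
                return f"typosquat of {brand}: {label!r}"
            if brand in sk and sk != brand and any(w in sk for w in SUPPORT_WORDS):
                return f"support-themed use of {brand}: {label!r}"
    return None


if __name__ == "__main__":
    # Constructed sample domains; none of these come from the incident.
    for d in ("microsoft.com", "contoso.onmicrosoft.com", "rnicrosoft.example",
              "mіcrosoft.example", "micosoft.example", "micros0ft-support.example"):
        print(f"{d:32} -> {classify_domain(d)}")
```

The legitimate tenant suffix is deliberately not flagged: a label that merely contains the brand is only reported when support-style wording sits beside it, which is the pattern the article describes. Tune `SUPPORT_WORDS` and the edit-distance threshold to the false-positive rate your environment tolerates.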

However, there’s a credibility issue 

In a blog post related to the Chinese hacking, Microsoft sought to provide deeper analysis of “the observed actor techniques for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.” It said the investigation was ongoing to ascertain how the hackers got their hands on a Microsoft signing key that helped them forge authentication tokens. 

The company said hackers had gotten hold of the consumer signing key (MSA key) used to secure consumer email accounts such as Outlook.com. Initially it was thought that the hackers were forging authentication tokens with an enterprise signing key, which is used to secure enterprise-level email accounts. However, it was later found that they had used the consumer MSA key to forge the tokens that gave them access to enterprise inboxes.
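A toy illustration of the token-validation gap this paragraph describes, added here and not taken from Microsoft's write-up: a relying party that verifies a token against a merged key set without checking which issuer the key belongs to will accept a token signed with the consumer key even though its claims name the enterprise issuer. Issuer URLs, key ids and secrets are constructed; real signing keys are asymmetric, and HMAC is used only to keep the example dependency-free.

```python
import base64
import hashlib
import hmac
import json
import time

CONSUMER_ISSUER = "https://login.consumer.example"      # stands in for the consumer identity service
ENTERPRISE_ISSUER = "https://login.enterprise.example"  # stands in for the enterprise identity service

# Constructed key set. Each entry records which issuer the key may sign for.
KEYS = {
    "consumer-kid-1": {"secret": b"consumer-demo-secret", "issuer": CONSUMER_ISSUER},
    "enterprise-kid-1": {"secret": b"enterprise-demo-secret", "issuer": ENTERPRISE_ISSUER},
}

FAR_FUTURE = 4102444800  # 2100-01-01, keeps the demo tokens unexpired


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-shaped token with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _check_signature(token: str):
    """Shared part: parse, look the key up by kid, verify HMAC and expiry.
    Returns (key, claims) or None."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(s), expected):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return key, claims


def verify_vulnerable(token: str, expected_issuer: str):
    """Any key in the merged set will do: a valid signature plus the right 'iss'
    claim is enough, so a token signed with the consumer key but claiming the
    enterprise issuer passes."""
    result = _check_signature(token)
    if result is None:
        return None
    key, claims = result
    if claims.get("iss") != expected_issuer:
        return None
    return claims


def verify_hardened(token: str, expected_issuer: str):
    """Additionally requires that the key which produced the signature is one the
    expected issuer actually owns. The claims cannot vouch for themselves."""
    result = _check_signature(token)
    if result is None:
        return None
    key, claims = result
    if claims.get("iss") != expected_issuer or key["issuer"] != expected_issuer:
        return None
    return claims


def demo():
    """Returns (vulnerable_accepts_forged, hardened_accepts_forged, hardened_accepts_legit)."""
    legit = sign_token("enterprise-kid-1",
                       {"iss": ENTERPRISE_ISSUER, "sub": "alice@corp.example", "exp": FAR_FUTURE})
    # A token minted with the consumer key but asserting the enterprise issuer.
    forged = sign_token("consumer-kid-1",
                        {"iss": ENTERPRISE_ISSUER, "sub": "alice@corp.example", "exp": FAR_FUTURE})
    return (
        verify_vulnerable(forged, ENTERPRISE_ISSUER) is not None,
        verify_hardened(forged, ENTERPRISE_ISSUER) is not None,
        verify_hardened(legit, ENTERPRISE_ISSUER) is not None,
    )


if __name__ == "__main__":
    print("vulnerable accepts forged, hardened accepts forged, hardened accepts legit:", demo())
```

The design point is that the key set a relying party trusts must be partitioned by issuer, and the `kid` header must resolve only within the partition the expected issuer owns. Checking the signature and then trusting the token's own `iss` claim is exactly the shortcut that lets a key for one population of accounts vouch for another.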

Transparency is the need of the hour

Reports of two hacking attempts in less than a month do not augur well for Microsoft, especially given the tough competition it faces from Google's work suite. In fact, the company sought to take the moral high ground after the Chinese incident, stating that there was a need for transparency about cyber incidents in order to learn and get better.

“As we’ve stated previously, we cannot ignore the exponential rise and frequency of sophisticated attacks. The growing challenges we face only reinforce our commitment to greater information sharing and industry partnership,” Microsoft said in its blog post.
