Russian state-sponsored hackers posed as technical support staff on Microsoft Teams to compromise dozens of global organizations, including government agencies.



Microsoft security researchers said on Wednesday that the “highly targeted” social engineering campaign was carried out by a Russian state-sponsored hacking group tracked by Microsoft as “Midnight Blizzard,” but more commonly known as APT29 or Cozy Bear. The group, which was linked to the infamous SolarWinds attack in 2020, is part of Russia’s Foreign Intelligence Service, or SVR, according to U.S. and U.K. law enforcement agencies.



The attacks, which began in late May, saw the APT29 hackers use previously compromised Microsoft 365 accounts to create new technical support-themed domains. Using these domains, the hackers sent Microsoft Teams messages that aimed to manipulate users into granting approval for multi-factor authentication prompts, with the ultimate aim of gaining access to user accounts and exfiltrating sensitive information.

