NOBELIUM--aka Midnight Blizzard, APT29, Cozy Bear--the group behind the sprawling SolarWinds attack, is at it again, with a new attack utilizing Teams.

According to Microsoft research, the group is sending socially-engineered phishing messages and links via Microsoft Teams. This attack has hit 40 organizations.

Microsoft details the attack working like this: They take previously-compromised tenants, rename them and add an subdomain to add legitimacy. 

The idea is to get MFA codes. From there, they're able to get into accounts and do tons of damage. The attacker starts by sending a message to the targeted user, as shown here:



When the end-user says 'accept', they'll receive a second message. 

Screenshot of a Microsoft Teams prompt with an MFA code and instructions

Now, the hacker has the code and can use it for all sorts of post-compromise activity. 

We've talked increasingly about recent Teams threats. 

According to Forrester's latest Wave report, it is crucial to extend the same level of protection that is typically associated with email inboxes to these environments. However, when it comes to comprehensive defense against such attacks, there is only one solution that delivers the robust safeguards needed - Harmony Email & Collaboration.

Simply observing and taking note of suspicious activity for future analysis falls short in adequately thwarting these kinds of attacks.

They need to be blocked. With HEC, for chat applications, every file is scanned in a sandbox for malicious content and quarantined as necessary. Links within files and messages are scanned and quarantined.  and the sender is notified For file-sharing apps, we scan all uploaded files for malicious content and block malicious links within files. 

These attacks are only going to increase in intensity and scale.