On August 2, 2023, Microsoft reported a phishing and cyber espionage campaign led by a Russian state-sponsored group of cybercriminals using Microsoft Teams. The group goes by the name Cozy Bear (or Midnight Blizzard) and is known for the spectacular SolarWinds cyberattack. The current campaign was launched in May of 2023 and was ongoing until recently.
The modus operandi follows a classic pattern. Attackers started by targeting Teams videoconferencing customer service employees in order to gain control of their accounts. They then used the credentials to send phishing messages to their primary targets, redirecting them to fake login pages.
Cozy Bear managed to retrieve not only the victims’ user information but also their two-factor authentication codes, which granted them access to the target accounts. According to Microsoft, the attack struck forty organizations around the world. Among the victims are government agencies, NGOs, tech companies, IT departments and media.
The report does not name the victims, but explains that the type of target provides insight into the Russian State group’s “specific espionage goals”.