Sunday, May 24, 2026
Nation-State

Russian APT Exploits Microsoft Teams to Deliver Malware to Ukrainian Government

A Russian state-sponsored hacking group is exploiting Microsoft Teams to deliver malware to Ukrainian government officials through targeted social engineering attacks.

Andrew Petrov, Eastern Europe Correspondent

Russian state-sponsored hackers are exploiting Microsoft Teams to deliver malware to Ukrainian government officials, using sophisticated social engineering techniques that bypass traditional email security controls, according to a joint advisory from Microsoft and the Computer Emergency Response Team of Ukraine (CERT-UA).

The threat actor, tracked by Microsoft as Midnight Blizzard (formerly Nobelium), has been sending Teams messages from compromised accounts belonging to small businesses and academic institutions to government targets.

"The attackers are leveraging the trust inherent in Teams communications from seemingly legitimate external organizations," said Microsoft's threat intelligence team in a blog post. "The messages often relate to ongoing projects or diplomatic communications to increase their credibility."

The attack chain begins with a Teams message containing either a malicious link or a file attachment. When victims click the link or open the attachment, they're prompted to grant OAuth permissions to a malicious application, which then provides the attackers with persistent access to the victim's account.

In some cases, the attackers have used the compromised accounts to move laterally within organizations, accessing sensitive documents and communications related to military and diplomatic matters.

Microsoft has implemented additional protections in Teams to warn users about messages from external organizations and is working with affected customers to remediate compromises.

The advisory recommends that organizations review their Microsoft 365 external collaboration settings, implement conditional access policies, and train users to recognize suspicious Teams requests.
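The OAuth consent step in the attack chain described above leaves a record in the tenant's audit log, which makes it a practical hunting point. The following is an added example, not code from the advisory or from Microsoft: it flags user consents that grant mail, file or chat scopes. The sample records are constructed and simplified, and the field names and the scope watch list are assumptions modeled on Entra ID "Consent to application" audit events.

```python
import re

# Delegated scopes that give an app standing access to mail, files or chats.
# This watch list is an assumption for the example; tune it per tenant.
HIGH_RISK_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send", "files.read.all",
    "files.readwrite.all", "chat.read", "chat.readwrite", "sites.read.all",
}
PERSISTENCE_SCOPE = "offline_access"  # refresh tokens keep access alive

def _sample(user, app, scopes):
    """Build a constructed, simplified consent record (all values made up)."""
    return {"activityDisplayName": "Consent to application",
            "initiatedBy": {"user": {"userPrincipalName": user}},
            "targetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "ConsentAction.Permissions",
                 "newValue": f"[] => [[ConsentType: Principal, Scope: {scopes}]]"}]}]}

SAMPLE_EVENTS = [
    _sample("officer@gov.example", "Project Docs Viewer",
            "Mail.Read Files.Read.All offline_access"),
    _sample("clerk@gov.example", "Calendar Helper", "User.Read openid profile"),
    {"activityDisplayName": "Update user", "targetResources": []},
]

def granted_scopes(event):
    """Return the lower-cased scopes named in the event's consent properties."""
    scopes = set()
    for res in event.get("targetResources") or []:
        for prop in res.get("modifiedProperties") or []:
            if prop.get("displayName") == "ConsentAction.Permissions":
                for m in re.finditer(r"Scope:\s*([^,\]]+)", prop.get("newValue") or ""):
                    scopes.update(m.group(1).lower().split())
    return scopes

def flag_risky_consents(events):
    """Return one finding per consent event that grants a high-risk scope."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        scopes = granted_scopes(ev)
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            user = ((ev.get("initiatedBy") or {}).get("user") or {})
            findings.append({"user": user.get("userPrincipalName"),
                             "app": ev["targetResources"][0].get("displayName"),
                             "risky_scopes": risky,
                             "persistent": PERSISTENCE_SCOPE in scopes})
    return findings
```

A finding with `persistent` set means the app also received `offline_access`, so revoking the grant, not just resetting the user's password, is what ends the access.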

Tags: Russia, Midnight Blizzard, Microsoft Teams, Ukraine, APT
Andrew Petrov

Eastern Europe Correspondent

Covering cybersecurity news and threat intelligence for CyberNews.wiki.
