1.0 Introduction

A cyberespionage group known as APT29 or Midnight Blizzard has been launching phishing attacks against organizations by sending fake security messages via Microsoft Teams, in an attempt to defeat Microsoft’s two-factor authentication (2FA) push-notification method that relies on number matching. According to Microsoft’s report, this campaign has affected fewer than 40 unique global organizations, likely indicating specific espionage objectives by this group directed at the government, non-government organization (NGO), IT services, technology, discrete manufacturing and media sectors.

Midnight Blizzard is Microsoft’s newly designated name for APT29, also known in the security industry as Cozy Bear or NOBELIUM. The group was behind the 2020 SolarWinds software supply chain attack that impacted thousands of organizations worldwide, and has also been responsible for attacks against many government institutions, diplomatic missions and military industrial base companies worldwide.

2.0 Impact
Post-compromise activity by the threat actor typically involves information theft from the compromised Microsoft 365 tenant.

3.0 Techniques, Tactics and Procedures (TTPs)
In this activity, Midnight Blizzard has either obtained valid account credentials for the users it is targeting, or is targeting users with passwordless authentication configured on their account. Both cases require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.

After the threat actor attempts to authenticate to an account where this form of MFA is required, the actor is presented with a code that the targeted user would need to enter into the authenticator app on their smartphone. The targeted user receives the prompt for code entry on their device. The threat actor then sends a message to the targeted user over Microsoft Teams, urging the user to enter the code into the prompt on their device. The targeted user believes the message genuinely comes from Microsoft and enters the code supplied by the threat actor into their device.

Step 1: Teams request to chat

The targeted user receives a Microsoft Teams message request from an external user masquerading as Microsoft technical support or a security team.

Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account

Step 2: Request authentication app action

If the targeted user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on the targeted user’s mobile device.

Figure 2: A Microsoft Teams prompt with a code and instructions.

Step 3: Successful MFA authentication

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.

The threat actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely in an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.
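The device-registration step described above gives defenders a correlation opportunity: a device added to the tenant shortly after a number-matching MFA sign-in by the same user is worth reviewing. The following is an added example written for this advisory, not code from MyCERT or Microsoft. The sign-in and audit records are constructed sample data, and the field names (user, time, mfa, result, activity, device) are simplified assumptions rather than the Entra ID log schema.

```python
"""Correlate number-matching MFA sign-ins with device registrations that follow
shortly afterwards. Added example; records and field names are constructed."""
from datetime import datetime, timedelta

# Constructed sign-in records (not real tenant logs).
SIGN_INS = [
    {"user": "alice@example.com", "time": "2023-08-02T09:00:00",
     "mfa": "numberMatching", "result": "success", "ip": "203.0.113.10"},
    {"user": "bob@example.com", "time": "2023-08-02T09:05:00",
     "mfa": "numberMatching", "result": "success", "ip": "198.51.100.7"},
    {"user": "carol@example.com", "time": "2023-08-02T10:00:00",
     "mfa": "numberMatching", "result": "failure", "ip": "203.0.113.10"},
]

# Constructed directory audit records (not real tenant logs).
AUDIT_EVENTS = [
    {"user": "alice@example.com", "time": "2023-08-02T09:12:00",
     "activity": "Add registered device", "device": "DESKTOP-NEW01"},
    {"user": "bob@example.com", "time": "2023-08-03T14:00:00",
     "activity": "Add registered device", "device": "bob-laptop"},
    {"user": "carol@example.com", "time": "2023-08-02T10:03:00",
     "activity": "Add registered device", "device": "carol-phone"},
]


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(ts)


def find_suspicious_registrations(sign_ins, audit_events,
                                  window=timedelta(minutes=30)):
    """Return (user, sign_in_time, registration_time, device) for every device
    registration that happens within `window` after a *successful* number-matching
    MFA sign-in by the same user. Failed sign-ins and registrations outside the
    window are ignored."""
    successes = [s for s in sign_ins
                 if s["result"] == "success" and s["mfa"] == "numberMatching"]
    hits = []
    for ev in audit_events:
        if ev["activity"] != "Add registered device":
            continue
        reg_time = parse_time(ev["time"])
        for s in successes:
            if s["user"] != ev["user"]:
                continue
            delta = reg_time - parse_time(s["time"])
            if timedelta(0) <= delta <= window:
                hits.append((ev["user"], s["time"], ev["time"], ev["device"]))
    return hits


def format_alerts(hits):
    """Render correlation hits as one human-readable line each."""
    return [f"{user}: MFA sign-in at {signin}, device '{device}' registered at {reg}"
            for user, signin, reg, device in hits]


if __name__ == "__main__":
    for line in format_alerts(find_suspicious_registrations(SIGN_INS, AUDIT_EVENTS)):
        print(line)
```

In the sample data only the first user is flagged: the second user's registration is a day later and the third user's sign-in never completed MFA. Tune the window to your tenant's normal enrolment behaviour, and treat a hit as a trigger for review rather than proof of compromise.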

4.0 Indicators of Compromise

Indicator                                  | Type        | Description
msftprotection.onmicrosoft[.]com           | Domain name | Malicious actor-controlled subdomain
identityVerification.onmicrosoft[.]com     | Domain name | Malicious actor-controlled subdomain
accountsVerification.onmicrosoft[.]com     | Domain name | Malicious actor-controlled subdomain
azuresecuritycenter.onmicrosoft[.]com      | Domain name | Malicious actor-controlled subdomain
teamsprotection.onmicrosoft[.]com          | Domain name | Malicious actor-controlled subdomain

Table 1: Indicators of Compromise (Malicious Domain names used in the attack)
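The domains in Table 1 are published defanged, so a matcher has to normalise them before comparing against log data. The following is an added example, not code from MyCERT or Microsoft: it refangs the five indicators above and classifies the sender of each external Teams message request. The message records and their field names (recipient, sender) are constructed sample data, and the lure-word heuristic for other security-themed onmicrosoft.com tenant names is an assumption added here, not part of the advisory.

```python
"""Refang the Table 1 indicators and triage external Teams message requests
against them. Added example; message records are constructed."""

# The five indicators published in Table 1, exactly as printed (defanged).
IOC_DOMAINS = [
    "msftprotection.onmicrosoft[.]com",
    "identityVerification.onmicrosoft[.]com",
    "accountsVerification.onmicrosoft[.]com",
    "azuresecuritycenter.onmicrosoft[.]com",
    "teamsprotection.onmicrosoft[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a.b[.]com' into a lowercase hostname.
    DNS names are case-insensitive, so matching is done in lowercase."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


IOC_SET = {refang(d) for d in IOC_DOMAINS}

# Heuristic (assumption, not from the advisory): tenant names that imitate a
# security or identity team but are not on the list are flagged at lower confidence.
LURE_WORDS = ("protection", "verification", "security", "identity", "account")


def classify_sender(upn: str) -> str:
    """Classify the tenant domain of an external sender.
    Returns 'ioc' for an exact Table 1 match, 'suspicious' for a security-themed
    onmicrosoft.com tenant not on the list, and 'none' otherwise."""
    if "@" not in upn:
        return "none"
    domain = upn.rsplit("@", 1)[1].strip().lower()
    if domain in IOC_SET:
        return "ioc"
    if domain.endswith(".onmicrosoft.com") and any(w in domain for w in LURE_WORDS):
        return "suspicious"
    return "none"


# Constructed sample of external message requests (not real tenant data).
MESSAGE_REQUESTS = [
    {"recipient": "alice@example.com", "sender": "support@msftprotection.onmicrosoft.com"},
    {"recipient": "bob@example.com", "sender": "helpdesk@contoso-partner.onmicrosoft.com"},
    {"recipient": "carol@example.com", "sender": "alerts@AccountSecurityTeam.onmicrosoft.com"},
    {"recipient": "dave@example.com", "sender": "friend@fabrikam.com"},
]


def triage(requests):
    """Return (recipient, sender, verdict) for every request that is not 'none'."""
    findings = []
    for r in requests:
        verdict = classify_sender(r["sender"])
        if verdict != "none":
            findings.append((r["recipient"], r["sender"], verdict))
    return findings


if __name__ == "__main__":
    for recipient, sender, verdict in triage(MESSAGE_REQUESTS):
        print(f"{verdict:10s} {recipient} <- {sender}")
```

An 'ioc' verdict is a direct hit on a published indicator and should be escalated; a 'suspicious' verdict only says the tenant name follows the same lure theme and needs an analyst's review before any action.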


Figure 3: Message sent by the threat actor

5.0 Recommendations
Microsoft recommends the following mitigations to reduce the risk of this threat:

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0 References