Spear-phishing attacks by the Midnight Blizzard advanced persistent threat group targeted Microsoft 365 tenants of small businesses.

A Russian state-run cyberespionage group known as APT29 has been launching phishing attacks against organizations, using fake security messages sent over Microsoft Teams in an attempt to defeat Microsoft’s two-factor authentication (2FA) push notification method that relies on number matching.

“Our current investigation indicates this campaign has affected fewer than 40 unique global organizations,” Microsoft said in a report. “The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.”

Midnight Blizzard is Microsoft’s newly designated name for APT29, a threat group that has been operating for many years and that the US and UK governments consider to be the hacking arm of Russia's foreign intelligence service, the SVR. APT29, also known in the security industry as Cozy Bear or NOBELIUM, was behind the 2020 SolarWinds software supply chain attack that impacted thousands of organizations worldwide, and over the years has also been responsible for attacks against many government institutions, diplomatic missions and military industrial base companies around the world.

Latest campaign used hijacked Microsoft 365 tenants

APT29 gains access to systems and networks using a wide variety of methods, including zero-day exploits, abuse of trust relationships between entities inside cloud environments, phishing emails and web pages impersonating popular services, password spray and brute-force attacks, and malicious email attachments and web downloads.
The latest spear-phishing attacks detected by Microsoft started in May and were likely part of a larger credential compromise campaign that first resulted in the hijacking of Microsoft 365 tenants belonging to small businesses. Every Microsoft 365 tenant gets a subdomain under the generally trusted onmicrosoft.com domain, so the attackers renamed the hijacked tenants to create subdomains with security- and product-related names that lend credibility to the next step in their social engineering attack.

The second step targeted accounts in other organizations for which the attackers had already obtained credentials, or which had a passwordless authentication policy enabled. In both cases the sign-in flow ends with what Microsoft calls a number matching push notification in Microsoft Authenticator.

Number-matching versus device-generated codes

The 2FA push notification method has users receive a notification on their mobile device through an app and approve the login attempt there. It is a common implementation on many websites, but attackers started exploiting it with what is known as 2FA or MFA fatigue: spamming a user whose credentials have been stolen with continuous push authorization requests until they think the system is malfunctioning and accept one, or, worse, spamming users who have that option enabled with 2FA phone calls in the middle of the night.

Another common way to implement 2FA is to have the website require a code generated by an authenticator app on the user’s phone. However, attackers have found ways to bypass that method too, by building phishing pages that act as reverse proxies (adversary-in-the-middle) between the user and the target service and relay the code in real time. To counter push-approval fatigue, Microsoft implemented another push-based method in which the Microsoft sign-in page sends a push notification to the Microsoft Authenticator app on the user’s mobile device and prompts the user to type a number into the app.
This number is displayed by the website during the authentication process. The method is called number matching, and Microsoft made it the default for all Microsoft Authenticator push notifications starting May 8, 2023. Now if an attacker tries to authenticate with a user’s stolen credentials, the user is prompted in Microsoft Authenticator to enter a number to complete the 2FA process, but the user does not know the number displayed by the website because they did not initiate the authentication in their own browser. Note that number matching does not help against the reverse-proxy phishing described above, where the victim initiates the sign-in through the proxy and sees the number on the proxied page; it is specifically a defense against push fatigue.

So APT29 set out to defeat this new challenge. They did so by contacting the targeted users over Microsoft Teams from accounts created under the onmicrosoft.com subdomains they had set up on the hijacked Microsoft 365 tenants. For example, victims saw Teams chat requests such as “Microsoft Identity Protection (External) wants to chat with you” coming from MicrosoftIdentityProtection@teamsprotection.onmicrosoft.com. If the contact request was accepted, a message followed telling the victim that changes had been detected to the multi-factor authentication settings on their account and that they needed to open their Microsoft Authenticator app and type a certain number to verify their identity. The number was, of course, the one the attackers had just received from the Microsoft sign-in page after entering the stolen credentials, and it was all they needed to pass the second factor and access the account.

“The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant,” Microsoft researchers said.
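The exchange described above, as an added example that is not part of the original article or of Microsoft's code: a toy identity provider with number matching, an attacker who already holds the victim's password, and two attempts at the second factor. The first is classic push fatigue, which fails because a plain "approve" tap has no effect without the number; the second relays the number to the victim in a constructed Teams-style lure, which succeeds. The tenant, user, password and IP address are all constructed, and the prompt context returned by push_prompt models the sign-in origin that Authenticator can show the user.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed tenant and credential: the attacker already holds this password.
USER = "alice@contoso.example"
USERS = {USER: "Winter2023!"}
ATTACKER_IP = "198.51.100.7"   # constructed; where the attacker's browser signs in


@dataclass
class PendingSignIn:
    user: str
    number: int        # the 2-digit number the browser displays
    client_ip: str     # origin of the first-factor request
    approved: bool = False


class NumberMatchingIdP:
    """Minimal identity provider: password, then a push that needs the number."""

    def __init__(self):
        self.pending: dict[str, PendingSignIn] = {}

    def begin_sign_in(self, user: str, password: str, client_ip: str):
        """First factor. Returns (session id, number shown in the browser)."""
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(8)
        self.pending[sid] = PendingSignIn(user, secrets.randbelow(100), client_ip)
        return sid, self.pending[sid].number

    def push_prompt(self, user: str):
        """What the app shows: the request plus its origin context, never the number."""
        return [{"session": sid, "client_ip": p.client_ip}
                for sid, p in self.pending.items()
                if p.user == user and not p.approved]

    def authenticator_respond(self, user: str, entered: Optional[int]) -> bool:
        """Approve only on an exact match; a plain 'approve' tap has no effect."""
        if entered is None:
            return False
        for p in self.pending.values():
            if p.user == user and not p.approved and p.number == entered:
                p.approved = True
                return True
        return False

    def complete_sign_in(self, sid: str) -> bool:
        p = self.pending.get(sid)
        return bool(p and p.approved)


def scenario_push_fatigue(idp: NumberMatchingIdP, attempts: int = 5) -> bool:
    """Classic MFA fatigue: spam pushes until the worn-down user taps approve.

    With number matching the tap is worthless: the user has no number to type.
    Returns True if any attacker session ends up approved."""
    sids = [idp.begin_sign_in(USER, USERS[USER], ATTACKER_IP)[0] for _ in range(attempts)]
    idp.authenticator_respond(USER, None)   # the user taps "approve" with nothing to enter
    return any(idp.complete_sign_in(sid) for sid in sids)


def scenario_teams_relay(idp: NumberMatchingIdP):
    """The Midnight Blizzard variant: relay the number to the victim over chat."""
    sid, number = idp.begin_sign_in(USER, USERS[USER], ATTACKER_IP)
    # Constructed lure in the style the article describes; the sender name is fake.
    lure = ("Microsoft Identity Protection (External): we detected changes to your "
            f"MFA settings. Open Microsoft Authenticator and enter {number:02d} to verify.")
    victim_sees = idp.push_prompt(USER)[0]   # the origin context the victim could have checked
    # The victim trusts the message and types the number they were told.
    idp.authenticator_respond(USER, int(re.search(r"enter (\d{2})", lure).group(1)))
    return idp.complete_sign_in(sid), victim_sees


if __name__ == "__main__":
    print("push fatigue succeeded:", scenario_push_fatigue(NumberMatchingIdP()))
    ok, ctx = scenario_teams_relay(NumberMatchingIdP())
    print("Teams relay succeeded:", ok, "| prompt origin the victim ignored:", ctx["client_ip"])
```

The model makes the limitation concrete: the number only proves that whoever approves can see the initiating browser's screen, and a chat message collapses that distinction. The one thing the victim still had was the prompt's origin context (client_ip here), which is why the mitigations below push users toward checking sign-in details and toward credentials that cannot be relayed at all.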
“In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.”

How to mitigate exploitation of Microsoft's number matching authentication

Microsoft’s recommendations for organizations to mitigate these attacks include:

- Deploy phishing-resistant authentication methods for users.
- Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Configure trusted Microsoft 365 organizations to limit which external domains are allowed or blocked to chat and meet on Teams with employees.
- Enable Microsoft 365 auditing to be able to perform forensic investigations in case of compromise.
- Choose the best access settings for external collaboration for your organization.
- Allow only known devices in hybrid Azure AD environments.
- Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via unsolicited messages.
- Educate Microsoft Teams users to verify the "External" tag on communication attempts from external entities.
- Educate users to review sign-in activity and mark suspicious sign-in attempts as "This wasn't me."
- Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
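A quick way to check two of the recommendations above against a tenant, as an added example rather than Microsoft tooling: the input dictionaries are constructed to mimic the shape of Get-CsTenantFederationConfiguration output (with AllowedDomains simplified to a list of domain strings, an assumption) and of Microsoft Graph /identity/conditionalAccess/policies objects; pulling the live values is left to the reader. The built-in "Phishing-resistant MFA" authentication strength id is the documented constant; the flag on *.onmicrosoft.com names in an allow list is the editor's own heuristic, motivated by the renamed-tenant trick described in this article.

```python
from typing import Any

# Built-in Entra authentication strength id for "Phishing-resistant MFA".
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def check_teams_federation(cfg: dict[str, Any]) -> list[str]:
    """Flag Teams external-access settings that let arbitrary tenants chat with staff.

    `cfg` mimics Get-CsTenantFederationConfiguration; AllowedDomains is
    simplified here to a list of domain strings (assumption)."""
    findings = []
    if cfg.get("AllowFederatedUsers", True):          # external access is on by default
        allowed = [d.lower() for d in cfg.get("AllowedDomains") or []]
        if not allowed:
            findings.append("Teams external access allows every domain; set an allow list")
        if any(d.endswith(".onmicrosoft.com") for d in allowed):
            findings.append("allow list trusts *.onmicrosoft.com names, which any tenant owner can rename")
    if cfg.get("AllowTeamsConsumer", False):
        findings.append("personal (consumer) Teams accounts can reach employees")
    return findings


def check_conditional_access(policies: list[dict[str, Any]]) -> list[str]:
    """Require an enforced policy that demands phishing-resistant MFA for all users.

    `policies` mimics Microsoft Graph /identity/conditionalAccess/policies objects."""
    findings, covers_all = [], False
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
        if strength.get("id") != PHISHING_RESISTANT_MFA:
            continue
        if p.get("state") != "enabled":                # report-only policies enforce nothing
            findings.append(f"{name}: requires phishing-resistant MFA but state is {p.get('state')}")
            continue
        users = (p.get("conditions") or {}).get("users") or {}
        if "All" in users.get("includeUsers", []):
            covers_all = True
            if users.get("excludeUsers") or users.get("excludeGroups"):
                findings.append(f"{name}: has exclusions; verify each one is a break-glass account")
    if not covers_all:
        findings.append("no enforced Conditional Access policy requires phishing-resistant MFA for all users")
    return findings


# Constructed inputs: a tenant on defaults, and the same tenant after hardening.
WEAK_TENANT = {
    "federation": {"AllowFederatedUsers": True, "AllowedDomains": [], "AllowTeamsConsumer": True},
    "policies": [{
        "displayName": "Phishing-resistant MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]}},
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    }],
}
HARDENED_TENANT = {
    "federation": {"AllowFederatedUsers": True, "AllowedDomains": ["partner.example"], "AllowTeamsConsumer": False},
    "policies": [{**WEAK_TENANT["policies"][0], "state": "enabled"}],
}


def audit(tenant: dict[str, Any]) -> list[str]:
    return check_teams_federation(tenant["federation"]) + check_conditional_access(tenant["policies"])


if __name__ == "__main__":
    for label, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(label, audit(tenant) or ["no findings"])
```

The report-only check matters in practice: a Conditional Access policy that requires phishing-resistant MFA but sits in enabledForReportingButNotEnforced looks compliant in a policy listing while enforcing nothing, which is exactly the gap a relayed number walks through.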