APT29 Phishing Attacks via Microsoft Teams: Tactics, Techniques, and Prevention
Overview of the Threat Actor: APT29 (Midnight Blizzard)
APT29, also known as Midnight Blizzard, NOBELIUM, UNC2452, or Cozy Bear, is a highly sophisticated Russia-based threat actor that the US and UK governments have attributed to the Foreign Intelligence Service of the Russian Federation (SVR). Midnight Blizzard (NOBELIUM) primarily targets governments, diplomatic entities, NGOs, and IT service providers, mostly in the US and Europe. Their primary objective is to collect and exfiltrate intelligence through espionage against foreign governments and interests. They use diverse initial access methods, ranging from stolen credentials, domain takeover and phishing to exploitation of on-premises environments, from which they move laterally into the cloud, exploiting service providers’ trust chains to gain access to downstream customers.
How does APT29 use Microsoft Teams for phishing campaigns?
Step 1: Compromising and spoofing tenant domains
Midnight Blizzard begins operations either by conducting password spray attacks, which successfully breached an outdated, non-production test tenant account lacking multifactor authentication (MFA), or by purchasing abandoned corporate domains on dark web markets. The threat actor further increased stealth by routing their activity through a distributed residential proxy network. These tactics helped conceal their actions and allowed them to sustain the attack over time until they achieved access.
Between 2023 and 2025, the group systematically:
- Renamed compromised tenants to mimic trusted entities (e.g., “Contoso IT Support”)
- Created “onmicrosoft[.]com” subdomains like “support-contoso[.]onmicrosoft[.]com” to bypass domain reputation checks
- Registered lookalike domains such as “microsoft-support[.]tech” with valid TLS certificates to host phishing pages
This infrastructure spoofing enabled the threat actor to send Teams messages appearing as internal notifications, with most of the targets perceiving them as legitimate due to Microsoft-branded headers.
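The spoofed tenants above share two traits a defender can key on: they are default onmicrosoft.com tenants (no custom domain) and their names borrow Microsoft, Teams or IT-support wording, sometimes with a homoglyph such as the “l” in mlcrosoftaccounts. The following script is an added example, not code from the original post or from InsiderSecurity; it triages external Teams chat requests by the sender’s tenant domain, first against the actor-controlled tenants listed in the IoC table at the end of this post (so it also serves that table), then against a brand-wording heuristic. The federation allowlist, the sample events and their field names are constructed for the example.

```python
# Added example (not code from the original post): triage Microsoft Teams
# external chat requests by the sender's tenant domain. The allowlist, the
# sample events and their field names are constructed for this example.

SUFFIX = ".onmicrosoft.com"

# Actor-controlled tenants from the IoC table of this post (defanging removed).
KNOWN_BAD_TENANTS = {
    "msftprotection.onmicrosoft.com", "mlcrosoftaccounts.onmicrosoft.com",
    "msftonlineservices.onmicrosoft.com", "msonlineteam.onmicrosoft.com",
    "msftservice.onmicrosoft.com", "noreplyteam.onmicrosoft.com",
    "accounteam.onmicrosoft.com", "identityverification.onmicrosoft.com",
    "accountsverification.onmicrosoft.com", "azuresecuritycenter.onmicrosoft.com",
    "teamsprotection.onmicrosoft.com",
}

# Wording an impersonating tenant tends to carry (Microsoft brands, IT-support themes).
BRAND_TOKENS = ("microsoft", "msft", "msonline", "teams", "azure", "security",
                "protection", "verification", "support", "helpdesk", "account", "noreply")

# Tenants the organisation legitimately federates with (hypothetical allowlist).
TRUSTED_EXTERNAL_TENANTS = {"contoso.onmicrosoft.com", "fabrikam.com"}


def normalise_domain(domain: str) -> str:
    """Lower-case and undo report-style defanging ("[.]" -> ".")."""
    return domain.strip().lower().replace("[.]", ".")


def fold_homoglyphs(label: str) -> str:
    """Fold common look-alike substitutions so 'mlcrosoft' compares as 'microsoft'."""
    return label.replace("rn", "m").replace("1", "i").replace("l", "i").replace("0", "o")


def assess_sender_tenant(domain: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'review'."""
    d = normalise_domain(domain)
    if d in TRUSTED_EXTERNAL_TENANTS:
        return "allow", "tenant is on the federation allowlist"
    if d in KNOWN_BAD_TENANTS:
        return "block", "matches an actor-controlled tenant from the IoC list"
    # Strip the onmicrosoft.com suffix (default tenant, no custom domain) or the TLD.
    label = d[:-len(SUFFIX)] if d.endswith(SUFFIX) else d.rsplit(".", 1)[0]
    folded = fold_homoglyphs(label)
    hits = [tok for tok in BRAND_TOKENS if tok in label or tok in folded]
    if hits:
        return "review", f"external tenant with Microsoft/IT-support wording: {', '.join(hits)}"
    if d.endswith(SUFFIX):
        return "review", "unlisted default onmicrosoft.com tenant (no custom domain)"
    return "review", "external tenant not on the allowlist"


# Constructed Teams chat-request events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "alice@example.org", "sender": "helpdesk@msftprotection.onmicrosoft.com"},
    {"user": "bob@example.org", "sender": "pm@contoso.onmicrosoft.com"},
    {"user": "carol@example.org", "sender": "it@mlcrosoft-helpdesk.onmicrosoft.com"},
    {"user": "dave@example.org", "sender": "admin@microsoft-support.tech"},
]


def triage(events):
    """Attach a verdict to each chat request; 'block' and 'review' rows go to the SOC."""
    results = []
    for ev in events:
        domain = ev["sender"].rsplit("@", 1)[1]
        verdict, reason = assess_sender_tenant(domain)
        results.append({"user": ev["user"], "sender_tenant": normalise_domain(domain),
                        "verdict": verdict, "reason": reason})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['verdict']:6} {r['user']:18} {r['sender_tenant']:38} {r['reason']}")
```

The exact-match list catches only what is already known; the heuristic is what surfaces the next renamed tenant. In production the allowlist would be the organisation’s actual external-access (federation) configuration, and anything returning “review” is a candidate for blocking external chat requests from that tenant.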
Step 2: Social Engineering
During this step, Midnight Blizzard has either already obtained valid credentials for the users they are targeting, or is targeting users who have passwordless authentication configured on their account; in both cases the sign-in flow displays a code that the user must enter into the prompt on the Microsoft Authenticator app on their mobile device.
- Teams request to chat
The target receives a Microsoft Teams message request from an account posing as a member of the security team or technical support team.

- Request authentication app action
Once the victim accepts the message request, the threat actor convinces the victim to input a code into their Microsoft Authenticator app.

- Successful MFA authentication
Once the user complies with the threat actor’s instructions, the threat actor gains the token to authenticate as the victim. This allows the threat actor to gain access to the victim’s M365 account. The threat actor then follows up with their post-compromise exploitation.
Step 3: Post-Compromise Exploitations
The threat actor then proceeds with post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant.
- Malicious use of OAuth applications
Once the threat actor gains access to the targeted tenant as the victim, they create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. Misusing OAuth also lets the threat actor maintain access to applications even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment, and then created additional malicious OAuth applications. In certain scenarios, the threat actor used the legacy test OAuth application to grant themselves the Office 365 Exchange Online “full_access_as_app” role, which grants access to mailboxes and was used to reach tenant users’ mail for exfiltration and further phishing.
Moreover, Midnight Blizzard has also been known to abuse OAuth applications in past attacks against other organisations using the “EWS.AccessAsUser.All” Microsoft Graph API role or the Exchange Online “ApplicationImpersonation” role to enable access to email.
For a deeper technical breakdown of how APT29 exploits cloud-native services and OAuth abuse in Microsoft 365, see our detailed analysis: APT29 in the Cloud – A Comprehensive Analysis of Threats and Detection Strategies.
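Each of the OAuth steps described above leaves a record in the Entra ID audit log: a credential added to an existing application, a new application registered, and an app role (such as full_access_as_app or EWS.AccessAsUser.All) assigned to its service principal. The following is an added example, not code from the original post or from InsiderSecurity; it runs three rules over constructed audit records in a simplified audit-log shape: credentials added to an application, a high-risk permission granted, and, most telling, an application created and then granted a high-risk permission by the same actor within an hour. The activity names match the Entra audit log’s display names, but the record layout, the one-hour chain window and the extra Graph mail scopes in the watch list are assumptions of this example.

```python
# Added example (not code from the original post): flag OAuth-application abuse
# in Entra ID audit records. The record shape, the chain window and the extra
# Graph mail scopes are assumptions of this example.
from datetime import datetime, timedelta

# Permissions the post names as abused, plus (assumption) Graph mailbox scopes
# that deserve the same scrutiny.
HIGH_RISK_PERMISSIONS = {
    "full_access_as_app",        # Exchange Online application permission
    "EWS.AccessAsUser.All",      # EWS delegated permission
    "ApplicationImpersonation",  # Exchange Online RBAC role
    "Mail.ReadWrite",            # assumption: Graph mail scope
    "Mail.Read",                 # assumption: Graph mail scope
}
CHAIN_WINDOW = timedelta(hours=1)  # "created, then granted" window (assumption)

# Constructed audit records in a simplified Entra audit-log shape (not real telemetry).
SAMPLE_AUDIT = [
    {"time": "2024-01-12T03:10:00Z", "activity": "Add service principal credentials",
     "actor": "victim@contoso.com", "target": "Legacy Test App"},
    {"time": "2024-01-12T03:12:00Z", "activity": "Add application",
     "actor": "victim@contoso.com", "target": "Mail Sync Helper"},
    {"time": "2024-01-12T03:25:00Z", "activity": "Add app role assignment to service principal",
     "actor": "victim@contoso.com", "target": "Mail Sync Helper",
     "permission": "full_access_as_app", "resource": "Office 365 Exchange Online"},
    {"time": "2024-01-12T09:00:00Z", "activity": "Add app role assignment to service principal",
     "actor": "admin@contoso.com", "target": "HR Portal",
     "permission": "User.Read", "resource": "Microsoft Graph"},
    {"time": "2024-01-12T09:30:00Z", "activity": "Add app role assignment to service principal",
     "actor": "admin@contoso.com", "target": "Legacy Test App",
     "permission": "EWS.AccessAsUser.All", "resource": "Office 365 Exchange Online"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyse_app_audit(events):
    """Return a list of findings (dicts with severity, rule, target, actor, time)."""
    findings = []
    created = {}  # application name -> (actor, creation time)
    for e in sorted(events, key=lambda x: x["time"]):
        t = _ts(e["time"])
        if e["activity"] == "Add application":
            created[e["target"]] = (e["actor"], t)
        elif e["activity"] == "Add service principal credentials":
            # A new secret/certificate on an existing app is how the actor keeps
            # access after the user account is remediated.
            findings.append({"severity": "medium", "rule": "Application Credentials Added",
                             "target": e["target"], "actor": e["actor"], "time": e["time"]})
        elif e["activity"] == "Add app role assignment to service principal":
            perm = e.get("permission", "")
            if perm not in HIGH_RISK_PERMISSIONS:
                continue
            severity, rule = "high", "High-risk permission granted to application"
            origin = created.get(e["target"])
            # Creator grants its own new app mailbox-wide access shortly after creation.
            if origin and origin[0] == e["actor"] and t - origin[1] <= CHAIN_WINDOW:
                severity, rule = "critical", "New application granted high-risk permission by its creator"
            findings.append({"severity": severity, "rule": rule, "target": e["target"],
                             "actor": e["actor"], "time": e["time"], "permission": perm})
    return findings


if __name__ == "__main__":
    for f in analyse_app_audit(SAMPLE_AUDIT):
        print(f"[{f['severity']:8}] {f['time']} {f['rule']}: {f['target']} by {f['actor']}")
```

In the sample run the legacy test application is flagged twice (credentials added at 03:10, EWS.AccessAsUser.All granted at 09:30) and the newly registered “Mail Sync Helper” is escalated to critical because the same account created it and granted full_access_as_app thirteen minutes later. ApplicationImpersonation is an Exchange role rather than an Entra app role, so in a real deployment its assignment would come from the Exchange admin audit log instead.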
- Adding Malicious Devices to Compromised Tenant
In other instances, Midnight Blizzard attempts to register a device with the organisation’s Microsoft Entra ID (formerly Azure Active Directory) in an effort to enrol it as a managed or compliant device. This tactic is designed to bypass Conditional Access policies that restrict access to sensitive resources such as email, SharePoint, or Teams to devices that are marked as compliant or hybrid Azure AD-joined. By registering their own infrastructure as a managed device, the actor seeks to satisfy these Conditional Access requirements without raising immediate suspicion. Device registration abused in this way allows malicious endpoints to masquerade as trusted devices, evading key security controls designed to prevent unauthorised access.
More recently, Volexity published a blog post on Russia-linked threat actors, tracked as UTA0352 and UTA0355, conducting similar phishing campaigns that abuse Microsoft OAuth 2.0 to target entities with ties to Ukraine.
Unlike the Midnight Blizzard campaigns, the OAuth resource requested here is the Device Registration Service, which Windows uses to join new devices to Entra ID. The attacker uses this access to enrol a new device in the victim’s Entra ID. Using the ROADtools project, Volexity was able to replicate these steps and obtain a new token with full permissions for Microsoft Graph API access. This technique leverages a flaw in the Entra ID API design to obtain an access token with a greater level of access than was initially granted.
In one observed interaction, UTA0355 requested that the victim approve a two-factor authentication (2FA) prompt under the guise of accessing a SharePoint site tied to a conference. This step was critical for bypassing additional security controls enforced by the victim’s organisation, ultimately enabling the attacker to gain access to the victim’s email.
- Lateral Movement via Teams Chats
Once the threat actor successfully compromises an account, they are able to impersonate the legitimate user within the organisation. Leveraging this impersonation capability, the attacker continues their intrusion by sending phishing messages via Microsoft Teams to additional users listed in the tenant’s directory. These messages often appear as legitimate communications from a trusted colleague, increasing the likelihood of the recipients engaging with malicious content, such as links to credential-harvesting sites or weaponised attachments. This lateral movement technique allows the attacker to propagate their access within the environment, compromise more accounts, and establish a wider foothold for further exploitation or data exfiltration.
How to Detect APT29 Activity with InsiderSecurity CSX
Organisations can detect and respond to these threats with advanced cloud-native monitoring. InsiderSecurity CSX provides robust detection use cases, including:
- Abnormal Token tenant ID
- Concurrent Sessions
- MFA Request Bombing
- Unusual App Given Access (Azure, GWS, M365)
- Application Credentials Added
- Third Party Cloud Application Installed
- Email forwarding settings changed
- User Updated Mailbox Rules
- Email Data Theft
- Unusual Device
- Unusual ISP
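Several of the use cases above (Unusual ISP, Unusual Device, Concurrent Sessions, Abnormal Token tenant ID) reduce to comparing each sign-in against a per-user baseline and against the user’s other recent sign-ins. The following script is an added example, not code from the original post or from InsiderSecurity CSX; it implements those four checks over constructed sign-in records, covering the residential-proxy sign-in from Step 1, the actor-registered device from Step 3 and a token issued by a tenant other than the organisation’s own. The record layout, the 30-minute concurrency window, the baselines and the tenant ID placeholder are all assumptions of this example.

```python
# Added example (not code from the original post or from InsiderSecurity CSX):
# baseline-driven sign-in anomaly checks. Record layout, window, baselines and
# the tenant ID placeholder are assumptions of this example.
from datetime import datetime, timedelta

HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder for the organisation's tenant
CONCURRENT_WINDOW = timedelta(minutes=30)                 # assumption

# Per-user baselines a monitoring tool would learn from weeks of history (constructed).
BASELINE_ISPS = {"alice@contoso.com": {"ContosoNet"},
                 "bob@contoso.com": {"ContosoNet", "HomeFiber"}}
BASELINE_DEVICES = {"alice@contoso.com": {"DEV-ALICE-01"},
                    "bob@contoso.com": {"DEV-BOB-01"}}

# Constructed sign-in records (RFC 5737 test addresses, not real telemetry).
SAMPLE_SIGNINS = [
    {"user": "alice@contoso.com", "time": "2024-02-05T09:00:00Z", "ip": "203.0.113.10",
     "isp": "ContosoNet", "country": "SG", "device_id": "DEV-ALICE-01",
     "token_tenant_id": HOME_TENANT_ID},
    # Same user, 20 minutes later, from a residential proxy on an unknown device
    {"user": "alice@contoso.com", "time": "2024-02-05T09:20:00Z", "ip": "198.51.100.7",
     "isp": "ResiProxyNet", "country": "US", "device_id": "DEV-UNKNOWN-07",
     "token_tenant_id": HOME_TENANT_ID},
    # Token issued by a foreign tenant
    {"user": "bob@contoso.com", "time": "2024-02-05T10:00:00Z", "ip": "203.0.113.22",
     "isp": "ContosoNet", "country": "SG", "device_id": "DEV-BOB-01",
     "token_tenant_id": "22222222-2222-2222-2222-222222222222"},
    # Normal sign-in, well outside the concurrency window
    {"user": "bob@contoso.com", "time": "2024-02-05T14:00:00Z", "ip": "203.0.113.22",
     "isp": "ContosoNet", "country": "SG", "device_id": "DEV-BOB-01",
     "token_tenant_id": HOME_TENANT_ID},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_signin_anomalies(events, baseline_isps, baseline_devices, home_tenant=HOME_TENANT_ID):
    """Return (user, rule, detail) tuples, one per triggered check, in time order."""
    findings = []
    history = {}  # user -> earlier sign-ins seen so far
    for e in sorted(events, key=lambda x: x["time"]):
        user, t = e["user"], _ts(e["time"])
        if e["isp"] not in baseline_isps.get(user, set()):
            findings.append((user, "Unusual ISP", f"{e['isp']} ({e['ip']})"))
        if e["device_id"] not in baseline_devices.get(user, set()):
            findings.append((user, "Unusual Device", e["device_id"]))
        if e["token_tenant_id"] != home_tenant:
            findings.append((user, "Abnormal Token tenant ID", e["token_tenant_id"]))
        # Concurrent sessions: another sign-in for this user from a different
        # country inside the window (one finding per event is enough).
        for prev in history.get(user, []):
            if t - _ts(prev["time"]) <= CONCURRENT_WINDOW and prev["country"] != e["country"]:
                findings.append((user, "Concurrent Sessions",
                                 f"{prev['country']} and {e['country']} within {CONCURRENT_WINDOW}"))
                break
        history.setdefault(user, []).append(e)
    return findings


if __name__ == "__main__":
    for user, rule, detail in detect_signin_anomalies(SAMPLE_SIGNINS, BASELINE_ISPS, BASELINE_DEVICES):
        print(f"{user:20} {rule:26} {detail}")
```

On the sample data Alice’s second sign-in trips three checks at once (new ISP, new device, a second country within 20 minutes), which is the combination a residential-proxy login from an attacker-registered device produces, while Bob’s foreign-tenant token is caught by the tenant ID check alone. Any single check is noisy on its own; the value is in correlating them per user.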
Zero Trust Security and continuous behavioural analytics are essential in detecting modern identity-based attacks.
MITRE ATT&CK MAPPING

CONCLUSION
In conclusion, phishing campaigns via Microsoft Teams have emerged as a sophisticated and highly targeted attack vector exploited by the Russian APT group Midnight Blizzard (also known as APT29 or Cozy Bear) primarily for espionage purposes. Leveraging compromised Microsoft 365 tenants, the group crafts convincing social engineering lures that impersonate technical support to trick users into revealing credentials or approving multifactor authentication prompts, enabling persistent access to sensitive environments. To defend against such threats, organisations should enforce strict identity and access management controls, implement robust user awareness training focused on social engineering tactics, and apply continuous monitoring of authentication events and external collaboration activities to detect and mitigate unauthorised access attempts early.
Indicators of Compromise (IoCs)
| Domain | Type | Description |
| --- | --- | --- |
| msftprotection.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| mlcrosoftaccounts.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| msftonlineservices.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| msonlineteam.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| msftservice.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| noreplyteam.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| accounteam.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| teamsprotection.onmicrosoft[.]co | Domain name | Malicious actor-controlled subdomain |
| identityVerification.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| accountsVerification.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| azuresecuritycenter.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| teamsprotection.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |