Alert - Midnight Blizzard conducts targeted social engineering over Microsoft Teams

Number: AL23-013
Date: August 3, 2023


This Alert is intended for IT professionals and managers.


An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.


On August 2, 2023, Microsoft Threat Intelligence published an advisoryFootnote 1 highlighting details of targeted social engineering activity by threat actor Midnight Blizzard (previously tracked by Microsoft as NOBELIUM) taking place over Microsoft Teams. Using previously compromised Microsoft 365 tenants renamed to appear as technical support entities, Midnight Blizzard steals credentials by sending messages over Teams to engage with users and bypass multifactor authentication (MFA) prompts.

While this campaign has affected fewer than 40 organizations globally, the Cyber Centre has received reports of attempts within Canada.

Suggested actions

The Cyber Centre recommends organizations:

  • Review the Microsoft advisory and look for indicators of compromise to determine if related activity has occurred. If activity has been detected and a compromise has occurred:
    • Reimage compromised systems.
    • Reset all potentially compromised credentials.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security ActionsFootnote 2 with an emphasis on the following topics.

  • Phishing Awareness. This includes both identification of phishing but also procedures on what to do if a phishing email is received.
  • Multi-factor Authentication.
    • Where feasible, implement phishing-resistant MFA like FIDO2 security keys, Windows Hello, and Certificate Based Auth.
  • Enforcing the Management of Administrative Privileges.
    • Minimize the number of administrators and privileged roles.
    • Conduct administrative activities on managed, hardened, and dedicated devices with restricted access to email, web browsing and outside connectivity.
    • Enable two-person integrity when resetting administrative accounts to minimize successful social engineering activities.
  • Remote Access Management and Controls.
    • Network segmentation and demilitarized zones (DMZs).
      • Configure firewalls to selectively control and monitor traffic passed between zones.
  • Implementing location and device based conditional access policies.
  • Software Management and Deployment Controls.
  • Business continuity planning, which is tested and validated.

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email

Report a problem on this page

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: