{"id":9474,"date":"2023-09-05T18:12:25","date_gmt":"2023-09-05T12:42:25","guid":{"rendered":"https:\/\/threatcop.com\/blog\/?p=9474"},"modified":"2026-04-27T11:40:31","modified_gmt":"2026-04-27T06:10:31","slug":"microsoft-teams-phishing-attack","status":"publish","type":"post","link":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/","title":{"rendered":"Microsoft Teams Attacks: Hackers Pose as Tech Support"},"content":{"rendered":"<p style=\"text-align: justify;\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">Microsoft has been a top impersonated brand for hackers in 2022. The company has been impersonated in phishing attacks more than any other brand, with <strong>phishers creating over 11,000 unique phishing URLs in the first half of 2022<\/strong>. <\/span><span style=\"font-weight: 400;\">This trend is likely to continue, as Microsoft remains a popular target for phishers.<\/span><span style=\"font-weight: 400;\"> In the most recent attack, a Russian government-linked hacking group targeted dozens of global organizations with a campaign to steal login credentials. <strong>Microsoft Threat Intelligence (MTI) said that the hacker known as Midnight Blizzard (previously tracked as NOBELIUM)<\/strong> is engaging users in Microsoft Teams chats pretending to be from technical support.<\/span><\/span><\/p><div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 ez-toc-wrap-center counter-hierarchy ez-toc-counter ez-toc-light-blue ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #414141;color:#414141\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #414141;color:#414141\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#How_did_Midnight_Blizzard_plan_the_Microsoft_Teams_phishing_attack\" >How did Midnight Blizzard plan the Microsoft Teams phishing attack?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#Phishing_Attacks_Using_Security-Themed_Domain_Names\" >Phishing Attacks Using Security-Themed Domain Names&nbsp;<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#Social_Engineering_Attack_Chain_by_Midnight_Blizzard\" >Social Engineering Attack Chain by Midnight Blizzard<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#Step_1_Contacting_through_Teams_Chat\" >Step 1: Contacting through Teams Chat<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#Step_2_Request_for_Authentication_App_Action\" >Step 2: Request for Authentication App Action<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#Step_3_Successful_MFA_authentication\" >Step 3: Successful MFA authentication<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#What_do_we_know_about_Midnight_Blizzard\" >What do we know about Midnight Blizzard?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#Have_Microsoft_Teams_mitigated_the_phishing_attack\" >Have Microsoft Teams mitigated the phishing attack?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#Book_a_Free_Demo_Call_with_Our_People_Security_Expert\" >Book a Free Demo Call with Our People Security Expert<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#Enter_your_details\" >Enter your details<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#FAQs_Microsoft_Teams_Phishing_Attack\" >FAQs: Microsoft Teams Phishing Attack<\/a><\/li><\/ul><\/nav><\/div>\n\n\n<style type=\"text\/css\">\n      @media print, screen and (max-width: 63.99875em){\n      .tnp-submit\n      width: 48%;\n      }\n      .wp-block-tnp-minimal{\n      padding: 20px;\n      }\n      .blog_para\n      margin-top: 4px !important;\n      line-height: 25px !important;\n      font-size: 15px !important;\n      }\n\n      }\n      .blog_para{\n      font-family: jost,sans-serif;\n      margin-top: 14px;\n      margin-bottom: 30px;\n      color: #fff;\n      font-size: 15px !important;\n      color: black !important;\n\n      }\n\n      .wp-block-tnp-minimal{\n      padding:20px;\n      border: 1px solid grey;\n      }\n\n      .tnp-submit a{\n        background: #1d58c7!important;\n    border-radius: 5px!important;\n    text-transform: inherit!important;\n    padding: 8px 25px!important;\n    font-weight: 600!important;\n    color: #fff!important;\n    width: 30%!important;\n    border: none;\n      }\n\n      .blog_get{\n      font-size: 24px !important;\n      font-weight: 700;\n      padding-bottom: 0px;\n    font-family: 'Poppins' !important;\n      margin-bottom: 0px;\n      margin-top: 0px;\n      margin-bottom: 0px !important;\n      color: white;\n          line-height: 30px;\n          color: white;\n      }\n      .row{\n             display: flex;\n    flex-wrap: wrap;\n    flex-direction: row;\n    padding: 25px 0px 25px 36px;\n    align-items: center;\n\n      }\n\n.colLeft{\n         flex-basis:50%;\n    -webkit-box-flex: 0;\n    flex-grow: 0;\n    max-width: 50%;\n    color: white;\n}\n    \n .colRight{\n       flex-basis: 45%;\n    -webkit-box-flex: 0;\n    flex-grow: 0;\n    max-width: 50%;\n }\n\n.tnp-subscription-minimal{\n    float: right;\n}\n<\/style>\n<div style=\"max-width: 741px; margin: 0 auto; background-image: url('https:\/\/awareness.threatcop.ai\/marketing\/linkedinlowerbanner.webp'); background-repeat: no-repeat; background-size: cover; background-position: center; \">\n<div class=\"row\">\n<div class=\"colLeft\">\n<p class=\"blog_get\" style=\"font-family: 'Poppins' !important; color: white !important\">Subscribe to Our Newsletter On Linkedin<\/p>\n<p class=\"blog_para\" style=\"font-size: 16px;font-family: 'Poppins' !important; color: white !important; margin-top: 10px; margin-bottom: 28px;line-height: 25px;\">Sign up to Stay Tuned with the Latest Cyber Security News and Updates<\/p>\n\n<div>\n<div class=\"tnp\" style=\"margin-bottom: 10px;\">\n            <form action=\"https:\/\/threatcop.com\/newsletter-thank-you\" method=\"get\" target=\"_blank\">\n<div class=\"tnp-submit\">\n                  <a class=\"libutton\" href=\"https:\/\/www.linkedin.com\/build-relation\/newsletter-follow?entityUrn=7062043746430783488\" target=\"_blank\" rel=\"noopener\">Subscribe<\/a><\/div>\n<\/form><\/div>\n<\/div>\n<\/div>\n<div class=\"colRight\">\n<div>\n<div class=\"tnp tnp-subscription-minimal \">\n            <img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/marketing\/newsletter-icon.webp\" class=\"img-fluid\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\">The <strong>attacks were highly targeted and affected fewer than 40 unique organizations.<\/strong> However, they highlight the ongoing threat posed by Microsoft impersonation attacks since at least late May 2023. The threat actor has targeted the government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. The attacks are highly targeted, meaning that they are only being sent to a small number of organizations. This makes them more difficult to detect and defend against. The attackers are using a variety of social engineering techniques to trick users into providing their credentials, including sending fake emails and creating fake Microsoft Teams chats.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><span style=\"color: #000000;\">Read More: <\/span><span style=\"color: #183994;\"><a style=\"color: #183994;\" href=\"https:\/\/threatcop.com\/blog\/microsoft-impersonation\/\">How has Microsoft Impersonation Become a Major Concern for CISOs?<\/a><\/span><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_did_Midnight_Blizzard_plan_the_Microsoft_Teams_phishing_attack\"><\/span><b>How did Midnight Blizzard plan the Microsoft Teams phishing attack?<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">Midnight Blizzard is a cybercriminal group that often uses different methods to gain unauthorized access to their target&#8217;s systems. These <\/span><b>methods include stealing authentication tokens and tricking users with spear-phishing emails<\/b><span style=\"font-weight: 400;\"> to reveal their login credentials. Microsoft researchers have noticed that since late May 2023, Midnight Blizzard has been particularly<\/span><b> focused on credential attacks or token theft<\/b><span style=\"font-weight: 400;\">, where they try to obtain and abuse login credentials. It was claimed by the tech giant that these attacks are part of the overall campaigns carried out by the threat actor.<\/span><\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">According to Microsoft&#8217;s January financial statement, Teams is their proprietary business communication platform, and<\/span><b> it boasts over 280 million active users.<\/b><span style=\"font-weight: 400;\"> MFA is a commonly recommended security measure to safeguard against credential hacking and theft. However, the fact that hackers are targeting Teams indicates that they are discovering ways to bypass this security measure.<\/span><\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Phishing_Attacks_Using_Security-Themed_Domain_Names\"><\/span><b>Phishing Attacks Using Security-Themed Domain Names<\/b><b>&nbsp;<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">The threat actor has been <\/span><b style=\"color: #000000;\">using previously compromised Microsoft 365 tenants owned by small businesses to create new domains<\/b><span style=\"font-weight: 400;\"> that appear as technical support entities. They use these domains to send Teams messages to targeted organizations in an attempt to steal credentials. The attackers send messages, <\/span><b style=\"color: #000000;\">asking the user to approve <\/b><span style=\"color: #000000;\"><b>multi-factor<\/b><\/span><b style=\"color: #000000;\"> authentication (MFA) prompts.<\/b><span style=\"font-weight: 400;\"> When the user approves the MFA prompt, the attackers gain access to the user&#8217;s account.<\/span><\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">The actor leverages previously compromised Microsoft 365 tenants to launch social engineering attacks. They rename the compromised tenant, <\/span><b>create a new onmicrosoft.com subdomain with security-themed keywords<\/b><span style=\"font-weight: 400;\">, and add a new user associated with that domain to send the outbound message. The ongoing investigation by Microsoft includes looking into the initial attacks on genuine Azure tenants and the use of<\/span><b> homoglyph domain names in social engineering<\/b> <b>tricks.<\/b><span style=\"font-weight: 400;\">&nbsp;<\/span><\/span><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1512\" height=\"1512\" src=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/Homoglyph-Domain-Attack.jpg\" alt=\"Homoglyph Domain Attack\" class=\"wp-image-9563\"\/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Social_Engineering_Attack_Chain_by_Midnight_Blizzard\"><\/span><b>Social Engineering Attack Chain by Midnight Blizzard<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">During this tactic, <strong>Midnight Blizzard gains access to valid account credentials of their targeted users or focuses on users with passwordless authentication.<\/strong> Where a code is displayed during the login process and needs to be entered in the Microsoft Authenticator app on their mobile device.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">Once the<\/span><span style=\"font-weight: 400;\">y attempt to log in to an account with this form of MFA, the threat actor is shown a code that the user should enter in their authenticator app. At the same time, the user receives a prompt on their mobile device to input the code. Taking advantage of this situation, the attacker contacts the targeted user through Microsoft Teams, persuading them to enter the code into the prompt on their device. Let us understand the steps in brief:<\/span><\/span><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_1_Contacting_through_Teams_Chat\"><\/span><b>Step 1: Contacting through Teams Chat<\/b><span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<figure class=\"wp-block-image alignnone size-full wp-image-9475\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"449\" src=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/Fig1-Midnight-Blizzard-request-Microsoft-Teams.jpg\" alt=\"Midnight Blizzard hacker's message on teams\" class=\"wp-image-9475\"\/><figcaption class=\"wp-element-caption\"><span style=\"color: #000000;\">Microsoft Teams message request from a Midnight Blizzard-controlled account<\/span><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">The target user might receive a message request on Microsoft Teams, seemingly from an external user posing as a technical support or security team.<\/span><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_2_Request_for_Authentication_App_Action\"><\/span><span style=\"color: #000000;\"><b>Step 2: Request for Authentication App Action<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Once the targeted user accepts the message request, they receive a message through Microsoft Teams from the attacker. The message aims to persuade the user to enter a code into the Microsoft Authenticator app on their mobile device.<\/span><\/p>\n\n\n\n<figure class=\"wp-block-image alignnone size-full wp-image-9478\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"91\" src=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/Fig2-Microsoft-Teams-prompt-Midnight-Blizzard.jpg\" alt=\"A Microsoft Teams prompt with a code and instructions\n\" class=\"wp-image-9478\"\/><figcaption class=\"wp-element-caption\"><span style=\"color: #000000;\">A Microsoft Teams prompt with a code and instructions<\/span><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_3_Successful_MFA_authentication\"><\/span><strong><span style=\"color: #000000;\">Step 3: Successful MFA authentication<\/span><\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\">If the targeted user falls for the message request and enters the code into the Microsoft Authenticator app, the cybercriminal gains a token to impersonate the user. This grants the attacker access to the user&#8217;s Microsoft 365 account, completing the authentication process.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\">With unauthorized access, the attacker then engages in post-compromise activities, typically involving stealing information from the compromised Microsoft 365 account. In some instances, the attacker may try to add a device to the organization as a managed device through Microsoft Entra ID (formerly Azure Active Directory). This move is likely an attempt to bypass conditional access policies that restrict access to specific resources only to managed devices.<\/span><\/p>\n\n\n<div class=\"wp-block-image size-full wp-image-9479\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"597\" height=\"209\" src=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/Fig3-Message-sent-by-Midnight-Blizzard-Microsoft-Purview-1-1.jpg\" alt=\"Fig3-Message-sent-by-Midnight-Blizzard-Microsoft-Purview-1\" class=\"wp-image-9479\"\/><figcaption class=\"wp-element-caption\"><span style=\"color: #000000;\">Message sent by Midnight Blizzard Microsoft Purview<\/span><\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_do_we_know_about_Midnight_Blizzard\"><\/span><b>What do we know about Midnight Blizzard?<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400; color: #000000;\">Midnight Blizzard (NOBELIUM) is a threat actor based in Russia, specifically attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation (SVR).<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">They have a well-established history of targeting governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Since early 2018, their main objective has been to collect intelligence through dedicated espionage of foreign interests.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Midnight Blizzard employs diverse methods to gain initial access, including stolen credentials, supply chain attacks, and exploiting on-premises environments to move to the cloud.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">They also take advantage of trust chains within service providers to access downstream customers and use AD FS malware such as FOGGYWEB and MAGICWEB.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">The threat actor is persistent and consistent in their operational targeting, and their objectives rarely change.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Security vendors track them under different names, such as APT29, UNC2452, and Cozy Bear.<\/span><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Have_Microsoft_Teams_mitigated_the_phishing_attack\"><\/span><b><span style=\"color: #000000;\">Ha<\/span>ve M<span style=\"color: #000000;\">icrosoft Teams mitigated the phishing attack?<\/span><\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Microsoft has claimed that they have mitigated the actor from using the domains and continues to investigate the matter further. It has recommended the following measures to reduce the risk of this threat:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400; color: #000000;\">Pilot and deploy phishing-resistant authentication methods for users.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users accessing critical apps.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Specify trusted Microsoft 365 organizations to define allowed or blocked external domains for chat and meet.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Keep Microsoft 365 auditing enabled to investigate audit records if needed.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Understand and select appropriate access settings for external collaboration in your organization.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Allow only known devices adhering to Microsoft&#8217;s recommended security baselines.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Educate Microsoft Teams users to verify &#8216;External&#8217; tags on communication attempts from external entities, be cautious about sharing information, and never share account details or authorize sign-in requests via chat.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Encourage users to review sign-in activity and report suspicious sign-in attempts as &#8220;This wasn&#8217;t me.&#8221;<\/span><\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image wp-image-9480\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"843\" height=\"778\" src=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/recommandarion.jpg\" alt=\"Microsoft released indicators of compromised account \" class=\"wp-image-9480\"\/><figcaption class=\"wp-element-caption\">Microsoft released indicators of compromised account<\/figcaption><\/figure>\n<\/div>\n\n<style type=\"text\/css\">\n      @media print, screen and (max-width: 63.99875em){\n      .tnp-submit\n      width: 48%;\n      }\n      .wp-block-tnp-minimal{\n      padding: 20px;\n      }\n      .blog_para\n      margin-top: 4px !important;\n      line-height: 25px !important;\n      font-size: 15px !important;\n      }\n\n      }\n      .blog_para{\n      font-family: jost,sans-serif;\n      margin-top: 14px;\n      margin-bottom: 30px;\n      color: #fff;\n      font-size: 15px !important;\n      color: black !important;\n\n      }\n\n      .wp-block-tnp-minimal{\n      padding:20px;\n      border: 1px solid grey;\n      }\n\n      .tnp-submit a{\n        background: #1d58c7!important;\n    border-radius: 5px!important;\n    text-transform: inherit!important;\n    padding: 8px 25px!important;\n    font-weight: 600!important;\n    color: #fff!important;\n    width: 30%!important;\n    border: none;\n      }\n\n      .blog_get{\n      font-size: 24px !important;\n      font-weight: 700;\n      padding-bottom: 0px;\n    font-family: 'Poppins' !important;\n      margin-bottom: 0px;\n      margin-top: 0px;\n      margin-bottom: 0px !important;\n      color: white;\n          line-height: 30px;\n          color: white;\n      }\n      .row{\n             display: flex;\n    flex-wrap: wrap;\n    flex-direction: row;\n    padding: 25px 0px 25px 36px;\n    align-items: center;\n\n      }\n\n.colLeft{\n         flex-basis:50%;\n    -webkit-box-flex: 0;\n    flex-grow: 0;\n    max-width: 50%;\n    color: white;\n}\n    \n .colRight{\n       flex-basis: 45%;\n    -webkit-box-flex: 0;\n    flex-grow: 0;\n    max-width: 50%;\n }\n\n.tnp-subscription-minimal{\n    float: right;\n}\n<\/style>\n<div style=\"max-width: 741px; margin: 0 auto; background-image: url('https:\/\/awareness.threatcop.ai\/marketing\/linkedinlowerbanner.webp'); background-repeat: no-repeat; background-size: cover; background-position: center; \">\n<div class=\"row\">\n<div class=\"colLeft\">\n<p class=\"blog_get\" style=\"font-family: 'Poppins' !important; color: white !important\">Subscribe to Our Newsletter On Linkedin<\/p>\n<p class=\"blog_para\" style=\"font-size: 16px;font-family: 'Poppins' !important; color: white !important; margin-top: 10px; margin-bottom: 28px;line-height: 25px;\">Sign up to Stay Tuned with the Latest Cyber Security News and Updates<\/p>\n\n<div>\n<div class=\"tnp\" style=\"margin-bottom: 10px;\">\n            <form action=\"https:\/\/threatcop.com\/newsletter-thank-you\" method=\"get\" target=\"_blank\">\n<div class=\"tnp-submit\">\n                  <a class=\"libutton\" href=\"https:\/\/www.linkedin.com\/build-relation\/newsletter-follow?entityUrn=7062043746430783488\" target=\"_blank\" rel=\"noopener\">Subscribe<\/a><\/div>\n<\/form><\/div>\n<\/div>\n<\/div>\n<div class=\"colRight\">\n<div>\n<div class=\"tnp tnp-subscription-minimal \">\n            <img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/marketing\/newsletter-icon.webp\" class=\"img-fluid\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">Organizations should also educate users about social engineering and phishing attacks, including avoiding entering MFA codes from unsolicited messages. The entire security posture of an organization can be considerably improved by informing and educating employees about the dangers of phishing campaigns and other social engineering techniques. <\/span><b>Prioritizing <\/b><a style=\"color: #000000;\" href=\"https:\/\/threatcop.com\/\"><b>people security management<\/b><\/a><b>as a vital component of securing an organization&#8217;s digital infrastructure is crucial in the field of cybersecurity.<\/b> <span style=\"font-weight: 400;\"><\/span><a href=\"https:\/\/threatcop.com\/threatcop-security-awareness-training\"><span style=\"font-weight: 400;\">Threatcop\u2019s <\/span><b>phishing awareness and simulation<\/b> <\/a><span style=\"font-weight: 400;\">can be very helpful as employees can be vulnerable links because the success of a phishing attack totally relies on the unawareness and lack of vigil of an employee.\u00a0<\/span><\/span><\/p>\n\n\n\n<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <meta charset=\"UTF-8\">\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Document<\/title>\n<\/head>\n\n<style>\n    .interestedBtn {\n        width: 80% !important;\n        box-sizing: border-box !important;\n        display: inline-block !important;\n        padding: 11px !important;\n        border: 1px !important;\n        border-color: #ddd !important;\n        margin-top: 10px !important;\n        background-color: #183e8b !important;\n        background-image: none !important;\n        text-shadow: none !important;\n        color: #fff !important;\n        font-size: 14px !important;\n        line-height: 20px !important;\n        border-radius: 5px !important;\n        margin: 0 !important;\n        cursor: pointer !important;\n        box-shadow: 0px 4.66px 22.99px 0px rgba(0, 0, 0, 0.10);;\n    }\n\n\n        .formSec .formSecTwo{\n            padding-top: 15px !important;\n            margin-bottom: 30px !important;\n        }\n\n\n    .tnp-email {\n        width: 80% !important;\n        box-sizing: border-box;\n        padding: 8px 10px;\n        display: inline-block;\n        border: 1px solid #ced4da;\n        background: #fff;\n        color: #000 !important;\n        font-size: 13px;\n        line-height: 20px;\n        border-radius: 2px;\n        padding-right: 30px;\n        margin-bottom: 0px;\n    }\n\n    .formSec {\n        border: 1px solid #ced4da;\n        float: left !important;\n        width: 55% !important;\n    }\n\n    .mainBox {\n       \/* border: 1px solid #183e8b;*\/\n         background: white;\n        max-width: 600px !important;\n        margin: 0 auto !important;\n        padding: 20px !important;\n        font-family: Arial, Helvetica, sans-serif !important;\n    }\n\n    .boxDiv {\n        display: flex !important;\n    }\n\n    .boxConsult {\n        float: left !important;\n        width: 45% !important;\n        padding: 10px !important;\n    }\n\n    .formSecTwo {\n        text-align:center !important;\n        width: 100% !important;\n    }\n\n    .formHeading {\n        font-family: Arial, Helvetica, sans-serif;\n        margin-top: 0px;\n        font-weight: 700;\n        line-height: 25px;\n        font-size: 18px !important;\n        \n       margin-bottom: 60px !important;\n       color: #000!important;\n          margin-top: 5px !important;\n    }\n\n    .fieldHeading {\n        margin: 0 !important;\n        font-size: 13px !important;\n        text-align: left !important;\n        margin: 0px 39px 2px 93px !important;\n        font-weight: 500 !important;\n    }\n\n    .image {\n        max-width:90% !important;\n        height: auto !important;\n    }\n\n     .email-icon {\n            position: absolute;\n            right: 50px;\n             top: 20px;\n            transform: translateY(-50%);\n            pointer-events: none; \n        }\n\n          .email-container{\n             position: relative;\n         \n        }\n       \n\n        .email-icon img{\n                 width: 15px;\n        }\n\n\n         input::placeholder {\n            color:#495057;\n        }\n\n\n     ::placeholder {\n        color: #495057;\n    }\n\n        ::-ms-input-placeholder { \n          color:#495057;\n        }\n\n\n        input:-webkit-autofill {\n            background-color: transparent !important;\n            -webkit-box-shadow: 0 0 0px 1000px white inset !important; \n            box-shadow: 0 0 0px 1000px white inset !important;\n            color: #495057 !important; \n        }\n\n        \n        input {\n            color:#495057 !important;\n        }\n\n\n    @media screen and (max-width: 480px) {\n        .boxDiv {\n            display: block !important;\n            padding: 15px !important;\n         \n        }\n\n        .image{\n        width: 80% !important;\n         margin-bottom: 14px;\n        }\n        .fieldHeading {\n            text-align: left !important;\n            margin: unset !important;\n        }\n\n        .boxConsult {\n            width: unset !important;\n            float: none !important;\n        }\n\n        .mainBox {\n            border: unset !important;\n        }\n\n        .formSec {\n            float: unset !important;\n            width: 100% !important;\n        }\n\n        .formSecTwo {\n            text-align: center !important;\n        }\n\n        .tnp-email {\n            width: 90% !important;\n        }\n\n        .formHeading {\n            margin-bottom: unset !important;\n        }\n\n         .email-icon {\n            position: absolute;\n            right: 25px;\n            top: 58%;\n            transform: translateY(-50%);\n            pointer-events: none; \/* Make sure the icon doesn't block clicking on the input *\/\n        }\n       \n        .email-container{\n             position: relative;\n        }\n\n    }\n<\/style>\n\n<body>\n\n    <div class=\"mainBox\" box-sizing:=\"\" border-box;=\"\">\n\n        <div class=\"boxDiv\">\n\n            <div class=\"boxConsult\">\n                <div>\n                    <h3 class=\"formHeading\" style=\" font-size: 16px !important;\"><span class=\"ez-toc-section\" id=\"Book_a_Free_Demo_Call_with_Our_People_Security_Expert\"><\/span>\n                        Book a Free Demo Call with Our People Security Expert<span class=\"ez-toc-section-end\"><\/span><\/h3>\n                <\/div>\n                <img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/form.svg\" class=\"image\">\n            <\/div>\n\n            <div class=\"formSec\">\n                <div class=\" formSecTwo\">\n                    <h4 style=\"margin-top: 0; font-size: 16px !important;\"><span class=\"ez-toc-section\" id=\"Enter_your_details\"><\/span>Enter your details<span class=\"ez-toc-section-end\"><\/span><\/h4>\n                    <div class=\"tnp tnp-subscription-minimal\">\n                        <form action=\"https:\/\/threatcop.com\/thankyou-blog\" method=\"get\" target=\"_blank\">\n                            <div class=\"email-container\" style=\"margin-bottom:20px;\">\n\n                                <input class=\"tnp-email\" type=\"text\" required=\"\" name=\"FullName\" value=\"\"\n                                    placeholder=\"Full Name\">\n                                    <span class=\"email-icon\"><img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/icon01.svg\" class=\"img-fluid\" \/><\/span>\n                            <\/div>\n\n                            <div class=\"email-container\" style=\"margin-bottom:20px;\">\n                               \n                                <input class=\"tnp-email\" type=\"email\" required=\"\" name=\"email\" value=\"\"\n                                    placeholder=\"Corporate Email Id\">\n                                     <span class=\"email-icon\"><img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/icon02.svg\" class=\"img-fluid\" \/><\/span>\n                            <\/div>\n\n                            <div class=\"email-container\" style=\"margin-bottom:20px;\">\n                               \n                                <input class=\"tnp-email\" type=\"text\" required=\"\" name=\"CompanyName\" value=\"\"\n                                    placeholder=\"Company Name\">\n                                    <span class=\"email-icon\"><img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/icon03.svg\" class=\"img-fluid\" \/><\/span>\n\n                            <\/div>\n\n                            <div class=\"email-container\">\n                               \n                                <input class=\"tnp-email\" type=\"number\" required=\"\" name=\"Phone\" value=\"\"\n                                    placeholder=\"Phone No.\"><br>\n                                    <span class=\"email-icon\"><img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/icon04.svg\" class=\"img-fluid\" \/><\/span>\n                            <\/div>\n                            <input type=\"hidden\" name=\"BlogForm\" value=\"BlogForm\"><br>\n                            <input class=\"tnp-submit interestedBtn\" name=\"submit\" type=\"submit\"\n                                value=\"SUBMIT\">\n\n                        <\/form>\n                    <\/div>\n                <\/div>\n            <\/div>\n\n        <\/div>\n    <\/div>\n\n<\/body>\n\n<\/html>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">To fulfill the need for security awareness training, organizations can use tools like <\/span><b>Threatcop Security Awareness Training <\/b><span style=\"font-weight: 400;\">(<\/span><a style=\"color: #000000;\" href=\"https:\/\/bit.ly\/3rxPfeI\"><b>TSAT<\/b><\/a><span style=\"font-weight: 400;\">). This will help you to increase employees\u2019 productivity due to reduced time spent handling security incidents and recovering from cyberattacks. Invest in tools that equip your employees with the knowledge and skills to identify and mitigate potential security risks, reducing the organization&#8217;s vulnerability to cyber threats.<\/span><\/span><\/p>\n\n\n<p><span style=\"color: #000000;\"><strong>Also read:<\/strong> <span style=\"color: #183994;\"><a style=\"color: #183994;\" href=\"https:\/\/threatcop.com\/blog\/updates-on-microsoft-outage\/\">Updates on Microsoft Outage 2024<\/a><\/span><\/span><\/p>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"FAQs_Microsoft_Teams_Phishing_Attack\"><\/span><b>FAQs: Microsoft Teams Phishing Attack<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1694411732881\"><strong class=\"schema-faq-question\"><strong>Who is the threat actor behind the Microsoft Teams phishing attack?<\/strong><\/strong> <p class=\"schema-faq-answer\">The threat actor behind the Microsoft Teams phishing attack is infamously known as <strong>Midnight Blizzard (previously tracked as NOBELIUM)<\/strong>. They are a Russia-based cybercriminal group attributed to the Foreign Intelligence Service of the Russian Federation (SVR).<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1694411864439\"><strong class=\"schema-faq-question\"><strong>Who are the main targets of the phishing attack?<\/strong><\/strong> <p class=\"schema-faq-answer\">The main targets of the phishing attack were dozens of global organizations, including governments, non-government organizations (NGOs), IT services, technology companies, discrete manufacturing, and media sectors.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1694411890026\"><strong class=\"schema-faq-question\"><strong>How did Midnight Blizzard carry out the Microsoft Teams phishing attack?<\/strong><\/strong> <p class=\"schema-faq-answer\">Midnight Blizzard used compromised Microsoft 365 tenants owned by small businesses to create new domains that appeared as technical support entities. They sent Teams messages to targeted organizations, pretending to be from technical support, and asked users to approve multifactor authentication (MFA) prompts. When the users approved the MFA prompt, the attackers gained access to their accounts.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1694411918741\"><strong class=\"schema-faq-question\"><strong>What is Midnight Blizzard&#8217;s history of targeting and operation?<\/strong><\/strong> <p class=\"schema-faq-answer\">Since early 2018, Midnight Blizzard has been consistently and persistently targeting governments, diplomatic entities, NGOs, and IT service providers primarily in the US and Europe. Their primary objective is to collect intelligence through espionage of foreign interests.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1694412009990\"><strong class=\"schema-faq-question\"><strong>What measures can organizations take to improve their security against such attacks?<\/strong><\/strong> <p class=\"schema-faq-answer\">Organizations should implement security measures recommended by Microsoft, including using phishing-resistant authentication methods, educating users about phishing attacks, and reviewing sign-in activity regularly. Additionally, they can invest in security awareness training tools like Threatcop Security Awareness Training (<a href=\"https:\/\/threatcop.com\/threatcop-security-awareness-training\"><strong>TSAT<\/strong><\/a>) to equip employees with the knowledge and skills to identify and mitigate potential security risks.<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has been a top impersonated brand for hackers in 2022. The company has been impersonated in phishing attacks more than any other brand, with phishers creating over 11,000 unique phishing URLs in the first half of 2022. This trend is likely to continue, as Microsoft remains a popular target for phishers. In the most [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":9482,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41,43],"tags":[],"class_list":["post-9474","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-attacks","category-social-engineering"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Hackers Impersonate Technical Support in Microsoft Teams Attacks<\/title>\n<meta name=\"description\" content=\"Microsoft informed that the Midnight Blizzard hacker is engaging users in Microsoft Teams chats pretending to be technical support.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hackers Impersonate Technical Support in Microsoft Teams Attacks\" \/>\n<meta property=\"og:description\" content=\"Microsoft informed that the Midnight Blizzard hacker is engaging users in Microsoft Teams chats pretending to be technical support.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"Threatcop\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-05T12:42:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-27T06:10:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"600\" \/>\n\t<meta property=\"og:image:height\" content=\"576\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Dip Jung Thapa\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatcop\" \/>\n<meta name=\"twitter:site\" content=\"@threatcop\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dip Jung Thapa\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/\"},\"author\":{\"name\":\"Dip Jung Thapa\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/person\\\/75585994ee4cb3e8b24fe7375dc85ee8\"},\"headline\":\"Microsoft Teams Attacks: Hackers Pose as Tech Support\",\"datePublished\":\"2023-09-05T12:42:25+00:00\",\"dateModified\":\"2026-04-27T06:10:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/\"},\"wordCount\":1606,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg\",\"articleSection\":[\"Cyber Attacks\",\"Social Engineering\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#respond\"]}]},{\"@type\":[\"WebPage\",\"FAQPage\"],\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/\",\"name\":\"Hackers Impersonate Technical Support in Microsoft Teams Attacks\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg\",\"datePublished\":\"2023-09-05T12:42:25+00:00\",\"dateModified\":\"2026-04-27T06:10:31+00:00\",\"description\":\"Microsoft informed that the Midnight Blizzard hacker is engaging users in Microsoft Teams chats pretending to be technical support.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#breadcrumb\"},\"mainEntity\":[{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411732881\"},{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411864439\"},{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411890026\"},{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411918741\"},{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694412009990\"}],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#primaryimage\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg\",\"width\":600,\"height\":576},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Teams Attacks: Hackers Pose as Tech Support\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\",\"name\":\"Threatcop\",\"description\":\"Cybersecurity Blogs, News, Updates, and Articles\",\"publisher\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\",\"name\":\"Threatcop\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/threatcop-logo-black-1.png\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/threatcop-logo-black-1.png\",\"width\":432,\"height\":102,\"caption\":\"Threatcop\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/people\\\/Threatcop\\\/100083109892339\\\/\",\"https:\\\/\\\/x.com\\\/threatcop\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/threatcop\\\/\",\"https:\\\/\\\/www.instagram.com\\\/threatcop_official\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/person\\\/75585994ee4cb3e8b24fe7375dc85ee8\",\"name\":\"Dip Jung Thapa\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/avatar_user_5_1698662450.jpeg\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/avatar_user_5_1698662450.jpeg\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/avatar_user_5_1698662450.jpeg\",\"caption\":\"Dip Jung Thapa\"},\"description\":\"Co-Founder &amp; COO at Threatcop\u00a0 Department: Operations and Marketing Dip Jung Thapa, Chief Operating Officer (COO) of Threatcop, a leading cybersecurity company dedicated to enhancing people security management for businesses. With a profound understanding of cybersecurity issues, Dip plays a pivotal role in driving Threatcop's mission to safeguard people's digital lives.\u00a0\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411732881\",\"position\":1,\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411732881\",\"name\":\"Who is the threat actor behind the Microsoft Teams phishing attack?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"The threat actor behind the Microsoft Teams phishing attack is infamously known as <strong>Midnight Blizzard (previously tracked as NOBELIUM)<\\\/strong>. They are a Russia-based cybercriminal group attributed to the Foreign Intelligence Service of the Russian Federation (SVR).\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411864439\",\"position\":2,\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411864439\",\"name\":\"Who are the main targets of the phishing attack?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"The main targets of the phishing attack were dozens of global organizations, including governments, non-government organizations (NGOs), IT services, technology companies, discrete manufacturing, and media sectors.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411890026\",\"position\":3,\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411890026\",\"name\":\"How did Midnight Blizzard carry out the Microsoft Teams phishing attack?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Midnight Blizzard used compromised Microsoft 365 tenants owned by small businesses to create new domains that appeared as technical support entities. They sent Teams messages to targeted organizations, pretending to be from technical support, and asked users to approve multifactor authentication (MFA) prompts. When the users approved the MFA prompt, the attackers gained access to their accounts.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411918741\",\"position\":4,\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694411918741\",\"name\":\"What is Midnight Blizzard's history of targeting and operation?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Since early 2018, Midnight Blizzard has been consistently and persistently targeting governments, diplomatic entities, NGOs, and IT service providers primarily in the US and Europe. Their primary objective is to collect intelligence through espionage of foreign interests.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694412009990\",\"position\":5,\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/microsoft-teams-phishing-attack\\\/#faq-question-1694412009990\",\"name\":\"What measures can organizations take to improve their security against such attacks?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Organizations should implement security measures recommended by Microsoft, including using phishing-resistant authentication methods, educating users about phishing attacks, and reviewing sign-in activity regularly. Additionally, they can invest in security awareness training tools like Threatcop Security Awareness Training (<a href=\\\"https:\\\/\\\/threatcop.com\\\/threatcop-security-awareness-training\\\"><strong>TSAT<\\\/strong><\\\/a>) to equip employees with the knowledge and skills to identify and mitigate potential security risks.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Hackers Impersonate Technical Support in Microsoft Teams Attacks","description":"Microsoft informed that the Midnight Blizzard hacker is engaging users in Microsoft Teams chats pretending to be technical support.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/","og_locale":"en_US","og_type":"article","og_title":"Hackers Impersonate Technical Support in Microsoft Teams Attacks","og_description":"Microsoft informed that the Midnight Blizzard hacker is engaging users in Microsoft Teams chats pretending to be technical support.","og_url":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/","og_site_name":"Threatcop","article_publisher":"https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/","article_published_time":"2023-09-05T12:42:25+00:00","article_modified_time":"2026-04-27T06:10:31+00:00","og_image":[{"width":600,"height":576,"url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg","type":"image\/jpeg"}],"author":"Dip Jung Thapa","twitter_card":"summary_large_image","twitter_creator":"@threatcop","twitter_site":"@threatcop","twitter_misc":{"Written by":"Dip Jung Thapa","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#article","isPartOf":{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/"},"author":{"name":"Dip Jung Thapa","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/person\/75585994ee4cb3e8b24fe7375dc85ee8"},"headline":"Microsoft Teams Attacks: Hackers Pose as Tech Support","datePublished":"2023-09-05T12:42:25+00:00","dateModified":"2026-04-27T06:10:31+00:00","mainEntityOfPage":{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/"},"wordCount":1606,"commentCount":0,"publisher":{"@id":"https:\/\/threatcop.com\/blog\/#organization"},"image":{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg","articleSection":["Cyber Attacks","Social Engineering"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#respond"]}]},{"@type":["WebPage","FAQPage"],"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/","url":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/","name":"Hackers Impersonate Technical Support in Microsoft Teams Attacks","isPartOf":{"@id":"https:\/\/threatcop.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#primaryimage"},"image":{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg","datePublished":"2023-09-05T12:42:25+00:00","dateModified":"2026-04-27T06:10:31+00:00","description":"Microsoft informed that the Midnight Blizzard hacker is engaging users in Microsoft Teams chats pretending to be technical support.","breadcrumb":{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#breadcrumb"},"mainEntity":[{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411732881"},{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411864439"},{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411890026"},{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411918741"},{"@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694412009990"}],"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#primaryimage","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/09\/CRV-2374-Webiste-Blog-Image-microsoft-team-phishing.jpg","width":600,"height":576},{"@type":"BreadcrumbList","@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/threatcop.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft Teams Attacks: Hackers Pose as Tech Support"}]},{"@type":"WebSite","@id":"https:\/\/threatcop.com\/blog\/#website","url":"https:\/\/threatcop.com\/blog\/","name":"Threatcop","description":"Cybersecurity Blogs, News, Updates, and Articles","publisher":{"@id":"https:\/\/threatcop.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/threatcop.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/threatcop.com\/blog\/#organization","name":"Threatcop","url":"https:\/\/threatcop.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/06\/threatcop-logo-black-1.png","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/06\/threatcop-logo-black-1.png","width":432,"height":102,"caption":"Threatcop"},"image":{"@id":"https:\/\/threatcop.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/","https:\/\/x.com\/threatcop","https:\/\/www.linkedin.com\/company\/threatcop\/","https:\/\/www.instagram.com\/threatcop_official\/"]},{"@type":"Person","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/person\/75585994ee4cb3e8b24fe7375dc85ee8","name":"Dip Jung Thapa","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/10\/avatar_user_5_1698662450.jpeg","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/10\/avatar_user_5_1698662450.jpeg","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/10\/avatar_user_5_1698662450.jpeg","caption":"Dip Jung Thapa"},"description":"Co-Founder &amp; COO at Threatcop\u00a0 Department: Operations and Marketing Dip Jung Thapa, Chief Operating Officer (COO) of Threatcop, a leading cybersecurity company dedicated to enhancing people security management for businesses. With a profound understanding of cybersecurity issues, Dip plays a pivotal role in driving Threatcop's mission to safeguard people's digital lives.\u00a0"},{"@type":"Question","@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411732881","position":1,"url":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411732881","name":"Who is the threat actor behind the Microsoft Teams phishing attack?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"The threat actor behind the Microsoft Teams phishing attack is infamously known as <strong>Midnight Blizzard (previously tracked as NOBELIUM)<\/strong>. They are a Russia-based cybercriminal group attributed to the Foreign Intelligence Service of the Russian Federation (SVR).","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411864439","position":2,"url":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411864439","name":"Who are the main targets of the phishing attack?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"The main targets of the phishing attack were dozens of global organizations, including governments, non-government organizations (NGOs), IT services, technology companies, discrete manufacturing, and media sectors.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411890026","position":3,"url":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411890026","name":"How did Midnight Blizzard carry out the Microsoft Teams phishing attack?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Midnight Blizzard used compromised Microsoft 365 tenants owned by small businesses to create new domains that appeared as technical support entities. They sent Teams messages to targeted organizations, pretending to be from technical support, and asked users to approve multifactor authentication (MFA) prompts. When the users approved the MFA prompt, the attackers gained access to their accounts.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411918741","position":4,"url":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694411918741","name":"What is Midnight Blizzard's history of targeting and operation?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Since early 2018, Midnight Blizzard has been consistently and persistently targeting governments, diplomatic entities, NGOs, and IT service providers primarily in the US and Europe. Their primary objective is to collect intelligence through espionage of foreign interests.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694412009990","position":5,"url":"https:\/\/threatcop.com\/blog\/microsoft-teams-phishing-attack\/#faq-question-1694412009990","name":"What measures can organizations take to improve their security against such attacks?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Organizations should implement security measures recommended by Microsoft, including using phishing-resistant authentication methods, educating users about phishing attacks, and reviewing sign-in activity regularly. Additionally, they can invest in security awareness training tools like Threatcop Security Awareness Training (<a href=\"https:\/\/threatcop.com\/threatcop-security-awareness-training\"><strong>TSAT<\/strong><\/a>) to equip employees with the knowledge and skills to identify and mitigate potential security risks.","inLanguage":"en-US"},"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/9474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/comments?post=9474"}],"version-history":[{"count":16,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/9474\/revisions"}],"predecessor-version":[{"id":14315,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/9474\/revisions\/14315"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/media\/9482"}],"wp:attachment":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/media?parent=9474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/categories?post=9474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/tags?post=9474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}