The Microsoft Threat Intelligence Center (MSTIC) has detected that NOBELIUM, the threat actor behind an infamous supply chain exploit, is back with a new attack strategy. The hacker group is now attempting to gain access to end customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations (referred to as service providers, hereafter in this blog). Their primary target is users with delegated administrative or privilege access. Malicious NOBELIUM activities have been observed in organizations based in the United States and across Europe since May 2021.

According to Microsoft, NOBELIUM is targeting privileged accounts of service providers to move laterally in cloud environments, leverage the trusted relationships to gain access to downstream customers and enable additional attacks or access targeted systems. These attacks expand NOBELIUM’s use of a dynamic toolkit that includes sophisticated spear phishing techniques, malware, password sprays, supply chain attacks, token theft, and API abuse to compromise user accounts and leverage the access of those accounts. 

These attacks highlight the need for administrators to adopt strict account security practices and take additional measures to secure their environments.

To learn more about NOBELIUM and their ongoing malicious spear phishing campaign, read our e-book How to protect Microsoft 365 from NOBELIUM’s spear phishing attack. This e-book covers all the techniques used by the threat actor to deliver malicious payload via email and ways to secure Microsoft 365 from them.