New Phishing Attacks on Microsoft Teams

Have you ever received a suspicious email or message claiming to be from Microsoft Teams, urging you to click on a link or disclose sensitive information? If so, you’re not alone.

 

Microsoft is alerting users about fresh phishing attacks being carried out by an initial access broker, which uses Teams communications as enticements to get into business networks.

 

Phishing Attacks

Who is Behind These Phishing Attacks?

 

Storm-0324, a malicious actor known to have previously used Sage and GandCrab ransomware, is the threat group responsible for the financial motivations of phishing attacks.

 

“Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats,” the company stated.

 

In the cybercriminal economy, Storm-0324 works as a payload distributor, providing a service that enables the spread of different payloads utilizing evasive infection chains. Downloaders, banking trojans, ransomware, and modular toolkits like Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader are all included in this.

 

How Phishing Works

 

Phishing attacks carried out by the actor in the past have used fake email messages with invoice and payment themes to fool users into downloading ZIP archive files stored on SharePoint that contain JSSLoader, a malware loader that can profile affected PCs and load additional payloads.

 

“The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic,” Microsoft said, adding: “This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.”

 

The virus’s ability to gain access allows the ransomware-as-a-service (RaaS) actor Sangria Tempest (also known as Carbon Spider, ELBRUS, and FIN7) to carry out post-exploitation operations and introduce malware that encrypts files.

 

Since then, the method of operation has changed, and as of July 2023, phishing lures are sent via Teams with links that lead to a malicious ZIP file stored on SharePoint.

 

This is done via an open-source program called TeamsPhisher, which makes use of a bug that JUMPSEC initially identified in June 2023 and allows Teams tenant users to attach files to messages sent to external tenants.

 

What Has Microsoft Done About It?

 

Microsoft claimed that to counter the threat, it has strengthened its security measures and “suspended identified accounts and tenants associated with inauthentic or fraudulent behavior.”

 

They added, “Since Storm-0324 gives access to other threat actors, detecting and remediating Storm-0324 activity can stop more dangerous follow-on attacks like ransomware.”

 

How to Recognize Phishing

 

  1. Urgent call to action or threats – Be wary of emails that demand you call, click, or open an attachment right away. They frequently assert that you must act right away to receive a benefit or to avoid a penalty. Phishing attacks and scams frequently use a false feeling of urgency to their advantage. They do this so that you won’t give it too much thought or consult a reliable source who might warn you.

 

  1. First-time or infrequent senders – Receiving an email from someone for the first time is common, especially if they are outside of your organization, but this could indicate phishing. Spend some extra time looking over emails that come from senders you don’t recognize or that Outlook recognizes as new senders.

 

  1. Spelling and grammar errors – Professional organizations typically employ an editing team to guarantee that customers receive high-quality, business-like information. If there are evident spelling or grammar mistakes in an email communication, it could be a hoax. These mistakes can occasionally be the consequence of faulty translations from a foreign language, or they can be intentional attempts to get past defenses meant to stop these attacks.

 

  1. Generic greetings – Nowadays, it’s simple to customize emails, and any company you work with should know your name. A red flag that the email could not be from your bank or favorite online retailer is if it begins with the generic “Dear Sir or Madam” greeting.

 

  1. Mismatched email domains – If an email claims to be from a trustworthy organization, such as Microsoft or your bank, but is coming from Gmail.com or microsoftsupport.ru, it’s probably a fraud. Additionally, keep an eye out for very slight misspellings of the official domain name. Like micros0ft.com, where the second “o” has been changed to a 0, or rnicrosoft.com, where the “m” has been changed to an “r” and an “n”. These are typical fraudster gimmicks.

 

  1. Suspicious links or unexpected attachments – If you think an email communication is a fraud, avoid clicking any links or downloading any attachments. Instead, simply move your cursor over the link without clicking it to see if the address corresponds to the one that was entered into the message. The genuine website address is displayed in the box with the yellow background in the following example when the mouse pointer is over the link. Be aware that the string of numbers has nothing in common with the business’s website address.

 

What To Do if You’ve Been Phished

 

  1. Write down as many specifics of the attack as you can remember while it’s still fresh in your mind. Try your best to keep track of any data you may have shared, such as usernames, account numbers, and passwords.

 

  1. Change the passwords right away on all impacted accounts and anywhere else you might be using the same password. You should make unique passwords for each account while updating your passwords.

 

  1. Verify that multifactor authentication, often referred to as two-step verification, is enabled for all your accounts.

 

  1. You should alert the IT support staff at your workplace of the potential attack if it affects your work accounts. If you disclosed information relating to your bank or credit card accounts, you might also wish to get in touch with those companies to warn them of potential fraud.

 

  1. Inform your local police authorities if you have experienced financial loss or have become a victim of identity theft. They will find the information in Step 1 to be very beneficial.

 

Our Company’s Encounter with Phishing on Teams

 

Last week, we encountered phishing via Teams messages that contained malicious ZIP files. The steps we took:

 

  1. Through eDiscovery we found all 420 users who were in contact with the zip file.

 

  1. For all 420 users, we performed a forced password reset and reauthentication on MFA.

 

  1. Currently, we’re working on a purging – deleting that file from all users.

 

How to Keep Your Company Safe?

 

IT teams can prevent phishing attacks from reaching employees’ inboxes by using the right tools and security measures. Look out for next week’s post, where we’ll go into depth on how to keep your company safe from phishing.

 

Do you want to enhance your organization’s security and protect against phishing attacks? Get in touch with our expert team today and ensure your sensitive data is in safe hands!