Microsoft Teams is reportedly being used by a threat actor known for working with ransomware groups to distribute phishing lures through the chats.
The financially motivated group called “Storm-0324” is known to act as an initial access broker, which is a malicious actor who gains a foothold in victim systems and later sells the access to other cybercriminals, often leading to the deployment of ransomware.
It has started using Microsoft Teams to target potential victims, as reported by security researchers at Microsoft: “Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats.”
According to Cybernews, Storm-0324 also distributes payloads for other attackers, and is known to employ evasive techniques, using payment and invoice lures to coax victims. It is known to have distributed malware for the notorious Russian cybercrime gangs FIN7 and Cl0p.
The Teams attacks work as follows: attackers send victims links to malicious SharePoint-hosted files, and to scale up the campaign they use TeamsPhisher, an open-source tool that “enables Teams tenant users to attach files to messages sent to external tenants.”
My1Login CEO Mike Newman claims that this type of sophisticated phishing attack is more dangerous than regular phishing attacks, since it will fool more victims who do not realize that criminals can hijack Microsoft Teams to carry out attacks. “Employees place more trust in the tool and are more likely to open and action documents they receive in chats,” he said.
Microsoft explains that the senders of these Teams-based phishing lures are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization. The company also stated it has suspended accounts and tenants associated with malicious behavior and enacted enhancements and restrictions to protect customers.
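The two facts above (the lure is a SharePoint-hosted file link, and the sender arrives flagged as an external user) are enough to write a simple triage rule. The following is an added example, not Microsoft's or the article's code; the message records and their field names are constructed for illustration and do not follow any real Teams audit-log schema.

```python
import re
from dataclasses import dataclass, field

# Constructed sample chat records; the field names are assumptions for this
# example, not a Microsoft audit-log schema.
SAMPLE_MESSAGES = [
    {"sender": "alice@corp.example", "external": False,
     "body": "Q3 numbers: https://corp.sharepoint.com/sites/fin/Q3.xlsx"},
    {"sender": "billing@tenant-xyz.example", "external": True,
     "body": "Overdue invoice, please review: https://tenant-xyz.sharepoint.com/:f:/s/docs/inv.zip"},
    {"sender": "bob@partner.example", "external": True,
     "body": "Thanks, see you at 3pm."},
]

# Matches a SharePoint-hosted link and captures the tenant host prefix.
SHAREPOINT_LINK = re.compile(r"https?://([\w-]+)\.sharepoint\.com/\S+", re.I)
# Wording the article associates with this actor's payment/invoice lures.
LURE_WORDS = ("invoice", "payment", "overdue", "remittance")


@dataclass
class Finding:
    sender: str
    link: str
    reasons: list = field(default_factory=list)


def review_messages(messages, home_sharepoint_tenant):
    """Return one Finding per message from an EXTERNAL sender that carries a
    SharePoint link; 'reasons' records why the message deserves a look."""
    findings = []
    for msg in messages:
        if not msg["external"]:
            continue  # internal traffic is out of scope for this rule
        m = SHAREPOINT_LINK.search(msg["body"])
        if not m:
            continue
        reasons = ["external-sender", "sharepoint-link"]
        # "contoso-my.sharepoint.com" (OneDrive) belongs to tenant "contoso".
        tenant = m.group(1).lower().removesuffix("-my")
        if tenant != home_sharepoint_tenant.lower():
            reasons.append("foreign-tenant-link")
        if any(w in msg["body"].lower() for w in LURE_WORDS):
            reasons.append("payment-lure-wording")
        findings.append(Finding(msg["sender"], m.group(0), reasons))
    return findings


if __name__ == "__main__":
    for f in review_messages(SAMPLE_MESSAGES, "corp"):
        print(f.sender, f.link, ",".join(f.reasons))
```

Only the external message that links to a file on a foreign tenant with invoice wording is surfaced; the internal link and the harmless external chat are left alone.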
“Chat systems such as Slack and Teams need to be acknowledged by organizations as something that poses the same threat level as credential phishing emails,” states Cofense senior cyber threat intelligence analyst Max Gannon. “Any system that can be manipulated to take advantage of a user’s trust can be used as a method of entry… Treating any one source as being a non-issue or as having a negligible threat level can easily come back to haunt decision-makers.”