Good Teams vs Bad Teams
Microsoft recently revealed an ongoing, sophisticated phishing campaign that targets corporate employees via Microsoft Teams, a widely used business communication platform. The campaign is the work of a financially driven threat actor known as Storm-0324. As an influential ‘distributor’ within the cyber-criminal community, Storm-0324 specializes in delivering the payloads of other attackers, commonly starting the infection chain with email-based techniques.
Users Being Presented with Fake Login Screens
The consequences can be significantly damaging, because this initial access often provides the gateway for follow-on attacks such as ransomware. Since 2019, Storm-0324’s primary Trojan horse has been JSSLoader. Partnered with the ransomware actor Sangria Tempest, the group has made its mark in the cybersecurity sphere, as reported by Microsoft.
First surfacing in July 2023, the new Storm-0324 campaign takes a different approach, sending phishing lures via Microsoft Teams. The group's tool of choice is TeamsPhisher, which is publicly available. Written in Python, the program allows Teams users to attach files to messages sent to external tenants; the link in the lure leads directly to a malicious SharePoint-hosted file.
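The delivery pattern described above (a chat message from an external tenant carrying a link to a SharePoint-hosted file) can be expressed as a triage rule. This is an added example, not code from Microsoft or from the article; the tenant IDs, hostnames and message record fields are hypothetical and the sample records are constructed.

```python
import re
from urllib.parse import urlparse

# Hypothetical values: tenant ID, hostnames and record fields are assumptions.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
HOME_SHAREPOINT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sharepoint_links(text):
    """Return (host, url) for each URL in text whose host is under sharepoint.com."""
    found = []
    for url in URL_RE.findall(text):
        try:
            host = (urlparse(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed authority, e.g. an unclosed "["
            continue
        # Compare the parsed hostname suffix, never a substring of the URL:
        # "sharepoint.com.example.net" must not count as SharePoint.
        if host == "sharepoint.com" or host.endswith(".sharepoint.com"):
            found.append((host, url))
    return found


def triage(message):
    """Flag a chat message from another tenant that links to a SharePoint
    site outside our own tenant."""
    external = message["sender_tenant_id"] != HOME_TENANT
    foreign = [url for host, url in sharepoint_links(message["body"])
               if host not in HOME_SHAREPOINT_HOSTS]
    return {"id": message["id"], "external_sender": external,
            "foreign_sharepoint_urls": foreign,
            "alert": external and bool(foreign)}


def alerts(messages):
    """Return the ids of messages that should be reviewed."""
    return [r["id"] for r in map(triage, messages) if r["alert"]]


# Constructed sample records, not real telemetry.
EXT = "22222222-2222-2222-2222-222222222222"
SAMPLE = [
    {"id": "m1", "sender_tenant_id": HOME_TENANT,
     "body": "Minutes: https://contoso.sharepoint.com/sites/hr/minutes.docx"},
    {"id": "m2", "sender_tenant_id": EXT,
     "body": "Invoice: https://fabrikam-my.sharepoint.com/personal/a/invoice.zip"},
    {"id": "m3", "sender_tenant_id": EXT,
     "body": "See https://sharepoint.com.example.net/doc"},
    {"id": "m4", "sender_tenant_id": EXT, "body": "Can we talk at 3pm?"},
]
```

Only the second sample record is flagged: it is the one message that is both sent from another tenant and links to a SharePoint host the organization does not own.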
A New Operation
This operation is distinct from the Midnight Blizzard social engineering campaign Microsoft reported in August, which focused its phishing attacks on credential theft via Microsoft Teams chats.
Mike Newman, CEO of My1Login, expressed concern regarding the rise in successful phishing attacks via Teams, which exploit the platform’s image of safety as an internal communication tool. “Many victims will not realize criminals can exploit Microsoft Teams to execute attacks,” Newman pointed out. He added that because Teams is viewed as a trusted source, employees are more likely to interact with potentially harmful documents received in chats, a weakness distinct from traditional phishing scams delivered via email.
Microsoft to Suspend Accounts
In an effort to fortify defenses and counter these phishing campaigns on Teams, Microsoft has announced measures including the suspension of suspicious accounts and tenants associated with inauthentic or fraudulent behavior. Along with this, Microsoft has outlined a set of prevention techniques for customers aimed at mitigating damage. These include options such as restricting external communication on Teams, limiting device access, educating employees about potential threats, implementing link scanning, and reassessing access rights.
Users should stay vigilant and follow these practices, remembering that even in the seemingly secure channels of our digital fortresses, there are always invaders seeking an unguarded entry.