Microsoft Teams Hacks Are Back, as Storm-0324 Embraces TeamsPhisher

In a campaign carried out this summer, an initial access broker (IAB) used an open source red-team tool to phish organizations via Microsoft Teams, paving the way for follow-on attacks.

The responsible party — known variously as TA543, Storm-0324, and Sagrid — is a financially-motivated threat actor known for using phishing emails to breach targets, before passing the buck to ransomware groups. But in its latest efforts, revealed by Microsoft on Sept. 12, it took a different approach: using Microsoft's collaboration app to dupe the unsuspecting and create its openings, via the tool known as TeamsPhisher.

The attacks occurred amid a wave of news about other, unrelated vulnerabilities and breaches affecting the Teams platform, providing yet more evidence that researchers and hackers alike are becoming more interested in business communications apps, even after workforces have returned to the office.

How to Phish in Microsoft Teams

Because Microsoft Teams is typically used within, rather than between organizations, it normally isn't possible to, say, send a random file to a user from another Teams tenant (organization).

But researchers have been finding workarounds to that hurdle for a while now. In December, a red team operator described on Medium how a little spoofing here and some trickery there could undermine basic security controls in Teams chat, like the ability to start a new chat or erase the "Edited" tag on an edited message.

Similarly, in June, two security researchers developed an exploit for an insecure direct object reference (IDOR) vulnerability, enabling them to bypass Teams' client-side security controls to send files to external tenants. In acknowledging the vulnerability, Microsoft informed the researchers that it "did not meet the bar for immediate servicing."

And in July, red-team developer Alex Reid proved Microsoft wrong, combining the work of prior researchers to create TeamsPhisher, a tool for simplifying the process of sending messages and files to external Teams tenants. In its Github entry, Reid described how simply it works:

Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets. TeamsPhisher will first enumerate the target user and ensure that the user exists and can receive external messages. It will then create a new thread with the target user...With the new thread created between our sender and the target, the specified message will be sent to the user along with a link to the attachment in SharePoint.

According to Microsoft's research, the Storm-0324 threat actor seems to have pounced on the tool within the very same month it was published.

All of this could spell trouble for organizations down the line. In the past, Storm-0324 has most often used its unauthorized corporate network access to distribute the JSSLoader, then hand over the keys to the notorious financial and ransomware actor FIN7 (aka Sangria Tempest, ELBRUS, Carbon Spider, Carbanak Group, and Cobalt Group).

The Increasing Cyber Threat to Teams

In its blog, Microsoft felt the need to distinguish Storm-0324's campaign from another phishing campaign affecting Teams environments, carried out by a different threat actor, Midnight Blizzard (aka Nobelium, APT29, UNC2452, and Cozy Bear).

To Steven Spadaccini, vice president of threat intelligence for SafeGuard Cyber, it makes sense that threat actors are increasingly targeting Microsoft's collaboration app.

"Most business communications today take place outside of traditional email, in collaboration apps like Microsoft Teams. Attackers know this too and are tailoring their attack mechanisms for these high traffic cloud workplace channels," he says, adding that "the application's proximity to the rest of the device, and all the other apps on that device, make it a potential entry-point for serious trouble, and account compromise is a key security concern."

Often in fact, organizations don't even realize just how valuable their Teams environments are. Spadaccini cites a recent personal experience, auditing the Teams channel for a healthcare company. 

"We determined that 30% of the customer's business communications occurred in Teams," he says. "This quantifies the continuous stream of risk to the company and the potential avenues for compromise such as data exfiltration and/or IP loss," he says.

What to Do About Teams Threats

According to Justin Klein Keane, director of the cyber fusion center and incident response at MorganFranklin Consulting, Teams doesn't yet face the extent of threats seen on other messaging and productivity platforms.

"We have definitely observed targeted attacks using collaboration apps," he says, "but surprisingly, Teams is not frequently a component of these attacks, probably owing to its enterprise tenancy and integration with Microsoft Defender for Office 365, which provides for some tight operational controls over Teams (probably leading to Microsoft being able to identify attacks on Teams). Other, more distributed platforms like Discord, Slack, and Telegram have been observed by our Security Operations Center (SOC) as components of attacks."

TeamsPhisher and related attacks that do occur over Teams can be prevented by simply toggling off the ability for users in a Microsoft tenant to engage with users of external tenants. But according to Spadaccini, that's just a start towards real, comprehensive protection.

"Securing users' account settings is a good place to begin, but organizations can go a step further by gaining full visibility into their Microsoft Teams communications to monitor for malicious activity and establishing Microsoft Teams security protocols with solutions that will allow them to customize their policies, and quickly apply those policies across the entire channel," he says. "If a company can keep an all-seeing eye on potential threats and manage them from one central hub within its organization, they can leave no risks unseen."