Dark Reading
Cloud
5/1/2020 04:11 PM
Fake Microsoft Teams Emails Phish for Credentials

Employees belonging to organizations in industries such as energy, retail, and hospitality have been recipients, Abnormal Security says.

Attackers have begun sending emails impersonating automated notifications from Microsoft Teams to try and steal the access credentials of employees who use the popular collaboration platform while working from home.

According to researchers from Abnormal Security, the emails are very convincing-looking, with links that lead to landing pages that are identical to what a user would expect from a legitimate Teams page. The imagery used in the campaigns is copied from actual notifications and Microsoft emails.

"Abnormal has observed these attacks being sent to our customers in industries such as energy, retail, and hospitality," says Ken Liao, vice president of cybersecurity strategy. "However, these attacks are not targeted and intentionally made to be generic by attackers so they could be sent to anybody."

The attackers have been using multiple URL redirects to throw off malicious link-detection tools and to hide the actual URL of the domain that is being used to host the attacks. Researchers from Abnormal Security have observed at least two different attack campaigns involving Teams message impersonation.

One message impersonates the notification a user receives when a coworker is trying to contact them via Teams. The other claims that the recipient has a file waiting for them on Microsoft Teams, and the email footer contains legitimate links to Microsoft Teams application downloads, Liao says.

In one of the attacks, the phishing email contains a link to a document hosted on a site used by an email marketing company. The hosted document contains an image asking users to log into their Teams account. Users who click on the image are redirected to a landing page that impersonates the Microsoft Office login page and captures the victim's credentials.

In the second campaign, the link in the email redirects the user to a page on YouTube, and then again a couple more times before finally arriving on the credential phishing site. "Since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user's Microsoft credentials via single-sign on," Abnormal Security said in a blog post today.
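The redirect hopping described in these two campaigns is something a mail gateway or an analyst triaging a reported message can check for directly. The following Python is an added example, not code from the article or from Abnormal Security: it follows a chain of HTTP 3xx responses hop by hop, joins relative `Location` headers, stops on loops or after a hop limit, and then flags chains that pass through a public redirector or land somewhere other than the brand's own login host. The redirect chain and every hostname in it (`mailer.example`, `video.example`, `cdn-share.example`, `login-portal.example`, `loop.example`) are constructed placeholders, and `fetch` is a stub standing in for a HEAD request issued with redirects disabled.

```python
"""Resolve an HTTP redirect chain offline and assess where it lands.

Added example. FAKE_WEB and every hostname below are constructed
placeholders, not indicators from the article.
"""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Hosts a genuine Microsoft Teams notification would legitimately land on.
BRAND_HOSTS = {"login.microsoftonline.com", "teams.microsoft.com"}

# Well-known sites whose open redirects are abused to launder a link
# (constructed placeholder standing in for the video site in the article).
PUBLIC_REDIRECTORS = {"video.example"}

# Constructed chain with the shape the article describes: a marketing
# tracker, a public redirector, a document host (with one relative
# Location header), then the credential-harvesting page.
FAKE_WEB = {
    "https://mailer.example/track?id=123": (302, "https://video.example/redirect?q=abc"),
    "https://video.example/redirect?q=abc": (302, "https://cdn-share.example/doc/42"),
    "https://cdn-share.example/doc/42": (301, "/doc/42/view"),
    "https://cdn-share.example/doc/42/view": (302, "https://login-portal.example/office"),
    "https://login-portal.example/office": (200, None),
    # A two-node loop, to exercise the loop guard.
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
}


def fetch(url):
    """Stub for a HEAD request with redirects disabled.

    Returns (status_code, Location header or None); unknown URLs 404.
    """
    return FAKE_WEB.get(url, (404, None))


def resolve_chain(url, fetch=fetch, max_hops=MAX_HOPS):
    """Follow redirects from `url`, recording every URL visited.

    `stopped` is "ok" (non-redirect response reached), "loop" (a URL
    repeated) or "max_hops" (hop budget exhausted).
    """
    hops = [url]
    seen = {url}
    stopped = "ok"
    while True:
        code, location = fetch(hops[-1])
        if code not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(hops[-1], location)  # resolves relative Location values
        if nxt in seen:
            stopped = "loop"
            break
        if len(hops) >= max_hops:
            stopped = "max_hops"
            break
        hops.append(nxt)
        seen.add(nxt)
    final = hops[-1]
    return {
        "hops": hops,
        "final_url": final,
        "final_host": urlsplit(final).hostname,
        "stopped": stopped,
    }


def assess(chain, brand_hosts=BRAND_HOSTS, public_redirectors=PUBLIC_REDIRECTORS):
    """Return a list of findings for a resolved chain (empty means clean)."""
    findings = []
    hosts = [urlsplit(u).hostname for u in chain["hops"]]
    if chain["stopped"] != "ok":
        findings.append("chain_" + chain["stopped"])
    if len(chain["hops"]) - 1 >= 3:  # three or more redirects is unusual for a real notification
        findings.append("long_redirect_chain")
    if any(h in public_redirectors for h in hosts[:-1]):
        findings.append("via_public_redirector")
    if chain["final_host"] not in brand_hosts:
        findings.append("final_host_not_brand")
    return findings


if __name__ == "__main__":
    chain = resolve_chain("https://mailer.example/track?id=123")
    for i, hop in enumerate(chain["hops"]):
        print(f"hop {i}: {hop}")
    print("final host:", chain["final_host"], "findings:", assess(chain))
    print("loop test:", resolve_chain("https://loop.example/a")["stopped"])
```

To use this against live mail, replace `fetch` with a HEAD request that does not follow redirects (for example `urllib.request` with a custom `HTTPRedirectHandler` that returns `None`), keep the hop limit, and treat any chain whose final host is outside the brand's login hosts as a candidate for quarantine rather than delivery.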

The two attacks do not appear to be sent by the same operator, Liao says. Each campaign has different email content and payload-delivery methods. "In addition, these campaigns were sent two weeks apart and used different sender information," he says.

These new email attack campaigns are the latest evidence of the surge in threat actor activity seeking to exploit workplace disruptions caused by the COVID-19 pandemic. Social distancing mandates have forced organizations worldwide to implement large-scale teleworking policies—often with little planning or no prior experience. The increase in teleworking has led to a surge in the use of—and attacker interest in—collaboration platforms such as Teams, Slack, and Zoom. Of these, Microsoft Teams in particular has been one of the most heavily targeted platforms, according to Abnormal Security.

The new attack on Teams users comes just days after another security vendor, Cyberark, disclosed a dangerous—but already patched—vulnerability in the Microsoft collaboration platform. The vulnerability had to do with how Teams handled certain authentication information and would have allowed an attacker to compromise all Teams accounts in an organization using little more than a malicious GIF. Users wouldn't even have needed to interact with the GIF to get compromised.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
dreamweaver7778, User Rank: Author
5/4/2020 | 8:43:34 AM
Always follow the basics
Just the latest example of the continued vigilance required on the part of InfoSec teams everywhere. A lot of the filtering technology has continued to improve to remove these before messages get delivered to end users, but this is no substitute for a progressive, ongoing security awareness program. Test your users each and every month so they continue to scrutinize each email and don't assume it's valid "just because it looks like it."
sandiegopools, User Rank: Apprentice
5/4/2020 | 3:31:37 AM
Re: Pending Review
Great
mycoding, User Rank: Apprentice
5/3/2020 | 11:44:00 PM
Scammers are everywhere
Scammers are everywhere; personally, I get scam emails very often. You should be careful of the domain they use to send from.

Sometimes they say Hotmail or even PayPal, and as you click to enter your password they steal it on the backend. So make sure it is really Hotmail or PayPal.