Cloud

5/1/2020 04:11 PM
Fake Microsoft Teams Emails Phish for Credentials

Employees belonging to organizations in industries such as energy, retail, and hospitality have been recipients, Abnormal Security says.

Attackers have begun sending emails that impersonate automated notifications from Microsoft Teams in an attempt to steal the access credentials of employees who use the popular collaboration platform while working from home.

According to researchers from Abnormal Security, the emails look very convincing, with links that lead to landing pages identical to what a user would expect from a legitimate Teams page. The imagery used in the campaigns is copied from actual Teams notifications and Microsoft emails.

"Abnormal has observed these attacks being sent to our customers in industries such as energy, retail, and hospitality," says Ken Liao, vice president of cybersecurity strategy. "However, these attacks are not targeted and intentionally made to be generic by attackers so they could be sent to anybody."

The attackers have been using multiple URL redirects to throw off malicious-link detection tools and to hide the actual domain hosting the phishing pages. Researchers from Abnormal Security have observed at least two different attack campaigns involving Teams message impersonation.

One message impersonates the notification a user receives when a coworker is trying to contact them via Teams. The other claims that the recipient has a file waiting for them on Microsoft Teams; its email footer contains legitimate links to Microsoft Teams application downloads, Liao says.

In one of the attacks, the phishing email contains a link to a document hosted on a site used by an email marketing company. The hosted document contains an image asking users to log into their Teams account. Users who click on the image are redirected to a landing page that impersonates the Microsoft Office login page in order to capture the victim's credentials.

In the second campaign, the link in the email redirects the user to a page on YouTube and then through a couple more redirects before finally arriving at the credential phishing site. "Since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user's Microsoft credentials via single-sign on," Abnormal Security said in a blog post today.
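As an added example (not code from the article or from Abnormal Security), the following Python routine follows a link's redirect chain from a constructed, offline redirect table and flags the traits described above: several hops, a bounce through a legitimate site such as YouTube, and a final host that is not a Microsoft sign-in domain. The host names, the redirect table and the allowlist are assumptions.

```python
from urllib.parse import urlparse

# Hosts where a genuine Teams / Office 365 sign-in should land (assumed allowlist;
# add your tenant's federated identity provider).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "teams.microsoft.com"}

# Legitimate sites used as intermediate hops to launder the link (assumed list).
KNOWN_BOUNCE_HOSTS = {"youtube.com", "www.youtube.com"}

# Constructed, offline redirect table (URL -> Location header) standing in for the
# HEAD/GET requests with redirects disabled that a real resolver would issue.
SAMPLE_REDIRECTS = {
    "https://mail-marketing.example/doc/teams-file": "https://www.youtube.com/redirect?q=https://hop1.example/t",
    "https://www.youtube.com/redirect?q=https://hop1.example/t": "https://hop1.example/t",
    "https://hop1.example/t": "https://office-login-verify.example/auth",
}

def follow_chain(start, table, max_hops=10):
    """Return the ordered URLs visited; stop at a non-redirecting URL, a loop, or max_hops."""
    chain, seen, cur = [start], {start}, start
    while cur in table and len(chain) <= max_hops:
        cur = table[cur]
        if cur in seen:      # redirect loop, bail out
            break
        chain.append(cur)
        seen.add(cur)
    return chain

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def triage_login_link(chain):
    """Judge a link that an email claims leads to a Teams sign-in page or shared file."""
    hosts = [host_of(u) for u in chain]
    findings = []
    if len(chain) > 2:                        # more than one hop is unusual for a real notice
        findings.append(f"{len(chain) - 1} redirect hops")
    bounces = sorted({h for h in hosts[1:-1] if h in KNOWN_BOUNCE_HOSTS})
    if bounces:                               # known-good site used only as a relay
        findings.append("bounces via " + ", ".join(bounces))
    if hosts[-1] not in TRUSTED_LOGIN_HOSTS:  # credentials would be typed into a stranger's page
        findings.append(f"final host {hosts[-1]!r} is not a trusted Microsoft sign-in host")
    return {"hops": len(chain) - 1, "final_host": hosts[-1],
            "findings": findings, "verdict": "suspicious" if findings else "benign"}

if __name__ == "__main__":
    for url in ("https://mail-marketing.example/doc/teams-file", "https://login.microsoftonline.com/"):
        result = triage_login_link(follow_chain(url, SAMPLE_REDIRECTS))
        print(url, "->", result["verdict"], result["findings"])
```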

The two attacks do not appear to be sent by the same operator, Liao says. Each campaign has different email content and payload-delivery methods. "In addition, these campaigns were sent two weeks apart and used different sender information," he says.

These new email attack campaigns are the latest evidence of the surge in threat actor activity seeking to exploit workplace disruptions caused by the COVID-19 pandemic. Social distancing mandates have forced organizations worldwide to implement large-scale teleworking policies—often with little planning or no prior experience. The increase in teleworking has led to a surge in the use of—and attacker interest in—collaboration platforms such as Teams, Slack, and Zoom. Of these, Microsoft Teams in particular has been one of the most heavily targeted platforms, according to Abnormal Security.

The new attack on Teams users comes just days after another security vendor, CyberArk, disclosed a dangerous—but already patched—vulnerability in the Microsoft collaboration platform. The vulnerability had to do with how Teams handled certain authentication information and would have allowed an attacker to compromise all Teams accounts in an organization using little more than a malicious GIF. Users wouldn't even have needed to interact with the GIF to be compromised.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
dreamweaver7778, User Rank: Author, 5/4/2020 | 8:43:34 AM
Always follow the basics
Just the latest example of continued vigilance on the part of InfoSec teams everywhere. A lot of the filtering technology has continued to improve to remove these before messages get delivered to end users, but this is no substitute for a progressive, ongoing security awareness program. Testing your users each and every month so they continue to scrutinize each email and not assume it's valid "just because it looks like it."
sandiegopools, User Rank: Apprentice, 5/4/2020 | 3:31:37 AM
Re: Pending Review
Great
mycoding, User Rank: Apprentice, 5/3/2020 | 11:44:00 PM
Scammers are everywhere
Scammers are everywhere; personally, I get scam emails very often. You should be careful of the domain they used to send.

Sometimes they say hotmail or even paypal and as you click to enter password they will steal it backend. So make sure it is really hotmail or paypal.