
Cloud

5/1/2020 04:11 PM

Fake Microsoft Teams Emails Phish for Credentials

Employees belonging to organizations in industries such as energy, retail, and hospitality have been recipients, Abnormal Security says.

Attackers have begun sending emails that impersonate automated notifications from Microsoft Teams in an attempt to steal the access credentials of employees who use the popular collaboration platform while working from home.

According to researchers from Abnormal Security, the emails are very convincing, with links that lead to landing pages identical to what a user would expect from a legitimate Teams page. The imagery used in the campaigns is copied from actual Teams notifications and Microsoft emails.

"Abnormal has observed these attacks being sent to our customers in industries such as energy, retail, and hospitality," says Ken Liao, vice president of cybersecurity strategy. "However, these attacks are not targeted and intentionally made to be generic by attackers so they could be sent to anybody."

The attackers have been using multiple URL redirects to throw off malicious link-detection tools and to hide the actual URL of the domain that is being used to host the attacks. Researchers from Abnormal Security have observed at least two different attack campaigns involving Teams message impersonation.

One message impersonates the notification a user receives when a coworker is trying to contact them via Teams. The other claims that the recipient has a file waiting for them on Microsoft Teams, and the email footer contains legitimate links to Microsoft Teams application downloads, Liao says.

In one of the attacks, the phishing email contains a link to a document hosted on a site used by an email marketing company. The hosted document contains an image asking users to log into their Teams account. Users who click on the image are redirected to a landing page that impersonates the Microsoft Office login page in order to capture the victim's credentials.

In the second campaign, the link in the email redirects the user to a page on YouTube, and then again a couple more times before finally arriving on the credential phishing site. "Since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user's Microsoft credentials via single-sign on," Abnormal Security said in a blog post today.
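The multi-hop redirect chains described above (a marketing-site link, then a YouTube page, then several more hops before the fake Office login) are what a mail-filtering check should surface. The following is an added example, not code from the article or from Abnormal Security: it resolves a redirect chain offline against a constructed table of hops (all hosts other than youtube.com are made-up placeholders) and flags a link that claims to come from Teams but ends somewhere other than an assumed list of Microsoft sign-in hosts.

```python
from urllib.parse import urlparse

# Constructed stand-in for real HTTP 3xx Location responses, mimicking the
# second campaign: mail link -> youtube.com -> two more hops -> fake login.
# Hosts other than youtube.com are placeholders, not indicators from the article.
REDIRECTS = {
    "https://mailer.example/track/abc": "https://www.youtube.com/redirect?q=https://hop1.example/x",
    "https://www.youtube.com/redirect?q=https://hop1.example/x": "https://hop1.example/x",
    "https://hop1.example/x": "https://hop2.example/y",
    "https://hop2.example/y": "https://office-login.example/auth",
}

# Assumed allow-list of hosts where a genuine Teams/Office sign-in lands.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "teams.microsoft.com"}


def resolve_chain(url, redirects=REDIRECTS, max_hops=10):
    """Follow hops in the redirect table; return every URL visited, in order."""
    chain = [url]
    seen = {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:  # guard against redirect loops
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def assess_teams_link(url, redirects=REDIRECTS):
    """Return (verdict, reasons) for a link in a message claiming to be from Teams."""
    chain = resolve_chain(url, redirects)
    hosts = [urlparse(u).hostname or "" for u in chain]
    reasons = []
    hops = len(chain) - 1
    if hops >= 3:
        reasons.append(f"{hops} redirect hops before the final page")
    if any(h.endswith("youtube.com") for h in hosts[1:-1]):
        reasons.append("chain passes through an unrelated third-party site (youtube.com)")
    final = hosts[-1]
    if not any(final == h or final.endswith("." + h) for h in LEGIT_LOGIN_HOSTS):
        reasons.append(f"final host {final!r} is not a Microsoft sign-in host")
    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    print(assess_teams_link("https://mailer.example/track/abc"))
```

In a real gateway the `REDIRECTS` table would be replaced by following `Location` headers in a sandboxed fetch; the scoring logic stays the same.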

The two attacks do not appear to be sent by the same operator, Liao says. Each campaign has different email content and payload-delivery methods. "In addition, these campaigns were sent two weeks apart and used different sender information," he says.

These new email attack campaigns are the latest evidence of the surge in threat actor activity seeking to exploit workplace disruptions caused by the COVID-19 pandemic. Social distancing mandates have forced organizations worldwide to implement large-scale teleworking policies—often with little planning or no prior experience. The increase in teleworking has led to a surge in the use of—and attacker interest in—collaboration platforms such as Teams, Slack, and Zoom. Of these, Microsoft Teams in particular has been one of the most heavily targeted platforms, according to Abnormal Security.

The new attack on Teams users comes just days after another security vendor, Cyberark, disclosed a dangerous—but already patched—vulnerability in the Microsoft collaboration platform. The vulnerability had to do with how Teams handled certain authentication information and would have allowed an attacker to compromise all Teams accounts in an organization using little more than a malicious GIF. Users wouldn't even have needed to interact with the GIF to get compromised.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
dreamweaver7778, User Rank: Author
5/4/2020 | 8:43:34 AM
Always follow the basics
Just the latest example of continued vigilance on the part of InfoSec teams everywhere. A lot of the filtering technology has continued to improve to remove these before messages get delivered to end users, but this is no substitute for a progressive, ongoing security awareness program. Testing your users each and every month so they continue to scrutinize each email and not assume it's valid "just because it looks like it."

sandiegopools, User Rank: Apprentice
5/4/2020 | 3:31:37 AM
Re: Pending Review
Great

mycoding, User Rank: Apprentice
5/3/2020 | 11:44:00 PM
Scammers are everywhere
Scammers are everywhere; personally, I get scam emails very often. You should be careful of the domain they used to send.

Sometimes they say hotmail or even paypal, and as you click to enter your password they will steal it on the backend. So make sure it is really hotmail or paypal.