Fake Microsoft Teams Emails Phish for Credentials
Employees belonging to organizations in industries such as energy, retail, and hospitality have been recipients, Abnormal Security says.
May 1, 2020
Attackers have begun sending emails impersonating automated notifications from Microsoft Teams to try to steal the access credentials of employees who use the popular collaboration platform while working from home.
According to researchers from Abnormal Security, the emails look very convincing, and their links lead to landing pages that are identical to what a user would expect from a legitimate Teams page. The imagery used in the campaigns is copied from actual notifications and Microsoft emails.
"Abnormal has observed these attacks being sent to our customers in industries such as energy, retail, and hospitality," says Ken Liao, vice president of cybersecurity strategy. "However, these attacks are not targeted and intentionally made to be generic by attackers so they could be sent to anybody."
The attackers have been using multiple URL redirects to throw off malicious link-detection tools and to hide the actual URL of the domain that is being used to host the attacks. Researchers from Abnormal Security have observed at least two different attack campaigns involving Teams message impersonation.
One message impersonates the notification a user receives when a coworker is trying to contact them via Teams. The other claims that the recipient has a file waiting for them on Microsoft Teams, and the email footer contains legitimate links to Microsoft Teams application downloads, Liao says.
In one of the attacks, the phishing email contains a link to a document hosted on a site used by an email marketing company. The hosted document contains an image asking users to log in to their Teams account. Users who click on the image get redirected to a landing page that impersonates the Microsoft Office login page to capture the victim's credentials.
In the second campaign, the link in the email redirects the user to a page on YouTube, and then again a couple more times before finally arriving on the credential phishing site. "Since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user's Microsoft credentials via single sign-on," Abnormal Security said in a blog post today.
The two attacks do not appear to be sent by the same operator, Liao says. Each campaign has different email content and payload-delivery methods. "In addition, these campaigns were sent two weeks apart and used different sender information," he says.
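Both campaigns depend on the first link pointing at a reputable host while the credential page sits several redirects later, so a check has to judge the final landing host rather than the URL in the message. The following is an added example, not code from Abnormal Security or the original article; the allowlist, the thresholds, the function names, and the sample chains are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts accepted as genuine Microsoft sign-in / Teams endpoints.
BRAND_HOSTS = frozenset({"login.microsoftonline.com", "teams.microsoft.com"})


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def site_of(url):
    """Crude registrable domain (last two labels); a simplification,
    production code should consult the Public Suffix List."""
    return ".".join(host_of(url).split(".")[-2:])


def assess_chain(hops, brand_hosts=BRAND_HOSTS, max_cross_site=2):
    """Judge a recorded redirect chain from a Teams-themed email.
    hops[0] is the link in the message, hops[-1] the page finally shown."""
    if not hops:
        raise ValueError("empty redirect chain")
    sites = [site_of(u) for u in hops]
    # Count hops that move from one site to a different one.
    cross_site = sum(1 for a, b in zip(sites, sites[1:]) if a != b)
    final_host = host_of(hops[-1])
    if final_host not in brand_hosts:   # exact match rejects lookalike prefixes
        verdict = "block"
    elif cross_site > max_cross_site:   # genuine landing page, unusual route
        verdict = "review"
    else:
        verdict = "allow"
    return {"first_site": sites[0], "final_host": final_host,
            "cross_site_hops": cross_site, "verdict": verdict}


# Constructed sample chains (not indicators from the reported campaigns).
PHISH_CHAIN = ["https://www.youtube.com/constructed-path",
               "https://hop1.example.net/r",
               "https://hop2.example.org/r",
               "https://teams-login.example.com/signin"]
LEGIT_CHAIN = ["https://teams.microsoft.com/constructed-path",
               "https://login.microsoftonline.com/constructed-path"]

if __name__ == "__main__":
    for chain in (PHISH_CHAIN, LEGIT_CHAIN):
        print(assess_chain(chain))
```

The chain itself has to come from something that actually follows the link, such as a detonation sandbox or a URL-rewriting mail gateway; scoring only `hops[0]` would see a reputable site and pass the message.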
These new email attack campaigns are the latest evidence of the surge in threat actor activity seeking to exploit workplace disruptions caused by the COVID-19 pandemic. Social distancing mandates have forced organizations worldwide to implement large-scale teleworking policies—often with little planning or no prior experience. The increase in teleworking has led to a surge in the use of—and attacker interest in—collaboration platforms such as Teams, Slack, and Zoom. Of these, Microsoft Teams in particular has been one of the most heavily targeted platforms, according to Abnormal Security.
The new attack on Teams users comes just days after another security vendor, CyberArk, disclosed a dangerous—but already patched—vulnerability in the Microsoft collaboration platform. The vulnerability had to do with how Teams handled certain authentication information and would have allowed an attacker to compromise all Teams accounts in an organization using little more than a malicious GIF. Users wouldn't even have needed to interact with the GIF to get compromised.