Microsoft has detailed a new phishing campaign in which corporate employees are targeted via MS Teams.
The tech giant said the campaign is being perpetrated by financially motivated threat actor Storm-0324. This group acts as a “distributor” in the cyber-criminal community, distributing the payloads of other attackers after achieving initial network compromise via email-based initial infection vectors.
This often leads to dangerous follow-on attacks like ransomware.
Since 2019, the group has primarily distributed JSSLoader, handing off access to ransomware actor Sangria Tempest, according to Microsoft.
New MS Teams Campaign
The new Storm-0324 campaign was first observed in July 2023, in which it sends phishing lures over business communication platform MS Teams.
Microsoft believes the group utilizes a publicly available tool called TeamsPhisher to send the links, which leads to a malicious SharePoint-hosted file. TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants.
The advisory emphasized that this activity is unrelated to the Midnight Blizzard social engineering campaign Microsoft detailed in August, in which the attackers employed credential theft phishing lures delivered as Microsoft Teams chats.
Commenting on the new campaign, Mike Newman, CEO of My1Login noted that phishing attacks via Teams are proving a particularly fruitful tactic for malicious actors.
“This is a sophisticated phishing scam that will catch out many victims because they will not realize criminals can hijack on Microsoft Teams to carry out attacks.
“People understand the techniques criminals can use to send phishing scams via email, but with Teams being seen as an internal communications platform, employees place more trust in the tool and are more likely to open and action documents they receive in chats,” explained Newman.
How to Make MS Teams More Secure
Microsoft has taken action to better defend against phishing campaigns using Teams, including suspending identified accounts and tenants associated with inauthentic or fraudulent behavior.
The firm also provided a number of recommendations for Teams customers to reduce the risk of being compromised by these campaigns, including:
- Restrict contact by external communications on Teams. This includes specifying trusted Microsoft 365 organizations to define which external domains are allowed to chat and selecting the best access settings for external collaboration for your organization.
- Restrict the kinds of devices connecting to MS Teams in the organization. Customers should allow only known devices that adhere to Microsoft’s recommended security baselines. Additionally, implement conditional access app control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
- User education and awareness. Employees should be provided with up-to-date education on social engineering and credential phishing attack tactics via Teams. They should also be educated on using features like verifying ‘external’ tagging on communication attempts from external entities.
- Safe links scanning. Users can configure Microsoft Defender for Office 365 to recheck links on click. This should be in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP).
- Access management. Practice the principle of least privilege, and avoid the use of domain-wide, administrator-level service accounts. Also, pilot and start deploying phishing-resistant authentication methods for users.
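The first and fourth items in that list (restricting external Teams access to an explicit allow list, and having Defender for Office 365 rescan links on click, extended to Teams) are the two that translate directly into tenant configuration. The following PowerShell is an added example, not code from the Microsoft advisory or this article, showing how a Teams administrator could apply both settings and then read the configuration back to confirm the tenant is no longer open to chat from arbitrary domains. It assumes the MicrosoftTeams and ExchangeOnlineManagement modules are installed and that the caller holds the Teams and Exchange admin roles; the partner domains, the tenant's own domain and the policy name are placeholders.

```powershell
# Added example (not from the advisory or the article): harden Teams external
# access and Safe Links, then verify. Assumes MicrosoftTeams and
# ExchangeOnlineManagement modules and Teams/Exchange admin roles.
Import-Module MicrosoftTeams
Import-Module ExchangeOnlineManagement

Connect-MicrosoftTeams
Connect-ExchangeOnline

# Placeholders: the partner organizations that legitimately need to chat with
# your users, and your own accepted domain for the Safe Links rule.
$TrustedExternalDomains = @('partner-a.example', 'partner-b.example')
$OwnDomain  = 'contoso.example'
$PolicyName = 'Harden-Teams-Links'

# 1. External access: replace "federate with everyone" with an explicit allow
#    list, and stop inbound chat from personal (consumer) Teams and Skype accounts.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $TrustedExternalDomains `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 2. Safe Links: rescan URLs at click time and apply the policy to Teams
#    messages as well as email. Create the policy and rule if they do not exist.
if (-not (Get-SafeLinksPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $PolicyName | Out-Null
    New-SafeLinksRule -Name $PolicyName -SafeLinksPolicy $PolicyName `
        -RecipientDomainIs $OwnDomain | Out-Null
}
Set-SafeLinksPolicy -Identity $PolicyName `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

# 3. Read-back check: report anything still in the weak state. Returns an array
#    of findings; an empty array means both controls are in place.
function Test-TeamsPhishingPosture {
    param([string]$SafeLinksPolicy)
    $findings = @()

    $fed = Get-CsTenantFederationConfiguration
    # When no allow list is set, the AllowedDomains value displays as
    # AllowAllKnownDomains (assumption about the cmdlet's output rendering).
    if ($fed.AllowFederatedUsers -and
        ("$($fed.AllowedDomains)" -match 'AllowAllKnownDomains')) {
        $findings += 'External access is open to every domain; set an allow list.'
    }
    if ($fed.AllowTeamsConsumer -or $fed.AllowTeamsConsumerInbound) {
        $findings += 'Chat from personal Teams accounts is still permitted.'
    }

    $sl = Get-SafeLinksPolicy -Identity $SafeLinksPolicy -ErrorAction SilentlyContinue
    if (-not $sl) {
        $findings += "Safe Links policy '$SafeLinksPolicy' does not exist."
    } elseif (-not $sl.EnableSafeLinksForTeams -or -not $sl.ScanUrls) {
        $findings += 'Safe Links is not rescanning links on click for Teams.'
    }
    return $findings
}

$results = Test-TeamsPhishingPosture -SafeLinksPolicy $PolicyName
if ($results.Count -eq 0) {
    Write-Host 'Teams external access and Safe Links are configured as recommended.'
} else {
    $results | ForEach-Object { Write-Warning $_ }
}
```

Run the script once against a test tenant before production: the allow list replaces whatever federation setting was there, so any partner domain missing from `$TrustedExternalDomains` loses the ability to chat with your users immediately. The other three recommendations (device restrictions via conditional access, user education, and phishing-resistant authentication) are policy and identity settings rather than Teams cmdlets and are not covered by this script.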