
Microsoft Teams Phishing Alert – Accounts Stolen By Ransomware Access Broker

According to Microsoft, an initial access broker with a history of working with ransomware groups has recently changed tactics: it is now using Microsoft Teams to deliver phishing lures, with the aim of gaining a foothold in corporate networks.

Microsoft attributes the activity to the threat actor it tracks as Storm-0324, a group that operates as a distributor in the cybercriminal economy: it gains initial access through email-based attacks and then hands that access to other actors by delivering their payloads. Such intrusions frequently lead to damaging follow-on attacks, including ransomware deployment.

The Storm-0324 campaign, first observed in July 2023, distributes its phishing lures over the business collaboration platform Microsoft Teams.

The name "Storm-0324" is a temporary designation: Microsoft uses "Storm" followed by a four-digit number for newly discovered or developing clusters of activity whose origin or identity it cannot yet attribute with high confidence.

The cybercriminal group FIN7, whose JSSLoader malware Storm-0324 has been observed distributing, has been seen deploying Clop ransomware on victims' networks. Before working with the now-defunct BlackMatter and DarkSide ransomware-as-a-service (RaaS) operations, FIN7 was also associated with the Maze and REvil ransomware groups.

According to Microsoft:

In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher.

Storm-0324 operates as a payload distributor for hire. Through evasive infection chains it has delivered a wide range of payloads, including downloaders, banking trojans, ransomware and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage and JSSLoader.

Historically, the actor's attack chains have begun with phishing emails themed around invoices and payments. The emails lure recipients into downloading ZIP archives hosted on SharePoint; the archives deliver JSSLoader, a malware loader that profiles the infected machine and fetches further malicious payloads.

TeamsPhisher, the open-source tool mentioned above, lets an attacker send files to Microsoft Teams users in other tenants by abusing a weakness in Teams that Jumpsec researchers disclosed: the client-side check that normally stops external tenants from sending files (as opposed to plain messages) to an organisation's users can be bypassed. Microsoft declined to patch the issue in July, saying it did not meet its bar for immediate servicing.

Microsoft did not reveal the ultimate objective of Storm-0324's latest campaign. By contrast, a separate Teams phishing campaign that Microsoft attributed to APT29 (which it tracks as Midnight Blizzard) was found to harvest targets' credentials by tricking them into approving multifactor authentication (MFA) prompts.

Phishing Message Targeting Microsoft Teams by APT29 (Microsoft)

Commenting on the latest campaign, Mike Newman, CEO of My1Login, said that phishing attacks over Microsoft Teams are proving to be a highly successful strategy for cybercriminals:

People understand the techniques criminals can use to send phishing scams via email, but with Teams being seen as an internal communications platform, employees place more trust in the tool and are more likely to open and action documents they receive in chats.

Microsoft said it has been working to stop these attacks and protect Microsoft Teams customers:

We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders.

Enterprise administrators can take steps to limit this risk. Options include blocking external tenants from contacting staff altogether, or changing the tenant's external access settings so that Teams communication is permitted only with domains on an allow-list. Note that the allow-list approach offers no protection if one of the allow-listed external tenants is itself compromised, since messages from it will still arrive looking legitimate.
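The two configurations described above, expressed with the MicrosoftTeams PowerShell module, as an added example (this is not code from the article or from Microsoft; the domain names are placeholders, and the cmdlet parameters shown are the documented ones on the `Set-CsTenantFederationConfiguration` cmdlet):

```powershell
# Added example: hardening Microsoft Teams external access.
# Requires the MicrosoftTeams module and a Teams administrator account.
Connect-MicrosoftTeams

# 1. Inspect the current tenant federation settings. By default
#    AllowFederatedUsers is $true and AllowedDomains allows all known domains,
#    which is the state the Storm-0324 lures rely on.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# 2a. Strongest option: block all external tenants from chatting with staff.
#     This also stops staff initiating chats with external tenants.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Alternative: keep external access on, but only for named partner domains.
#     Adding entries with AllowedDomainsAsAList switches the tenant from
#     "allow all" to an explicit allow-list. (partner-a.example and
#     partner-b.example are placeholders.)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add = "partner-a.example", "partner-b.example"}

# 3. In either case, block unmanaged personal (consumer) Teams accounts, which
#    an attacker can create at will and which are not covered by the allow-list.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains
```

Whichever option is chosen, remember the caveat above: an allow-listed partner tenant that is compromised can still reach your users, so the configuration reduces the attack surface rather than removing it, and user awareness of the "External" label remains necessary.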

After identifying the Storm-0324 Teams phishing activity, Microsoft suspended the tenants and accounts involved in the attack.

Employees should be trained on social engineering and credential phishing techniques that use Microsoft Teams. In particular, they should be taught to check for the "External" label that Teams applies to messages and chat requests coming from outside the organisation, and to treat such messages with caution.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.
