Digital Threat Digest Insights Careers Let's talk

Phishing on Microsoft Teams: What you need to know

Double circle designs 24 Oct

There has been a recent uptick in the number of phishing campaigns happening over Microsoft Teams. Though there is a lack of publicly available information on attempts that have happened in the UK, Microsoft has issued an urgent alert warning of a highly sophisticated phishing campaign attributed to the well-known threat actor group Storm-0324.

Any organisation that uses Microsoft Teams may be vulnerable to these phishing attacks, but here’s what you should be on the lookout for and how you can mitigate risk to keep your organisation protected.

A quick phishing recap, but with added Microsoft Teams

Phishing attacks use social engineering techniques to obtain targeted email addresses and then send phishing messages on Microsoft Teams (instead of the traditional email) to gain unauthorised access to an organisation's data. This is a less familiar attack vector, and one may users will not have been trained on previously.

These social engineering strategies often involve an attacker impersonating a trusted source, such as a colleague or boss. They can then send malicious files that stand a good chance of being opened, because the target doesn’t realise that the person who sent the file is not who they say they are, so the attacker can leverage the legitimate trust between colleagues.

What is the malware being used?

For our more technical readers, threat actors use a range of malware in Teams phishing attacks, such as:

JSSLoader malware: This facilitates access to ransomware-as-a-service (RaaS). It allows malicious actors to exploit vulnerabilities and gain unauthorised access to systems. This could be done through TeamsPhisher, an open-source tool used to send deceptive messages containing malicious attachments to organisations that have enabled external communications in Teams. These phishing messages typically impersonate legitimate services like DocuSign or Quickbooks, often referencing invoices and payments to lure victims.

DarkGate Loader malware: DarkGate is a highly sophisticated malware distributed through phishing messages. It employs a multitude of evasion techniques, encrypts its strings (a set of characters within an encryption algorithm to make data appear random) to avoid detection, and is capable of data theft, privilege escalation, and system persistence. DarkGate is offered by an actor known as RastaFarEye and is primarily designed for penetration testing, featuring a broad array of capabilities and continuous updates, making it a persistent and substantial cybersecurity threat.

How to mitigate phishing risk on Microsoft Teams

There are things you can do on an individual level and on an organisation-wide scale to ensure everyone works together to protect your organisation’s data.

For individuals:

  • Be cautious of unexpected messages, especially those with attachments or links, even if they appear to be from a known contact or colleague.
  • Hover over links to reveal their actual destination before clicking. Beware of misspelled URLs, extra subdomains, or unfamiliar domains.
  • Check if the sender's email address matches the official domain of the organisation. Criminals often use similar-looking domains but often have something misspelled or an extra character which gives them away if you’re vigilant enough to notice.
  • Exercise caution with email attachments, especially if you weren't expecting them. Verify with the sender before opening the attachment.

For organisations:

  • Make use of Microsoft’s security functionality. Microsoft Teams incorporates built-in safeguards designed to prevent the delivery of files from external tenant accounts (i.e., external staff, like customers). Organisations that do not regularly engage with external tenants in Teams can disable the feature allowing connectivity with other parties - so no one can communicate with your network without being approved and establishing a trusted domain.
  • Train your team. Phishing vulnerability assessments allow organisations to assess their susceptibility to attacks. These assessment packages also include tailored security awareness training programs to educate their team on the risks of phishing attacks and how to mitigate them.

Talk to us

We offer tailored assessments, including end-to-end support. Our technical experts can work closely with your internal team to ensure you are prepared for when a phishing attempt happens. Speak to us today to discuss how we can support you.