The three constraints on Influence Operations - Digital Threat Digest
There has been a recent uptick in the number of phishing campaigns happening over Microsoft Teams. Though there is a lack of publicly available information on attempts that have happened in the UK, Microsoft has issued an urgent alert warning of a highly sophisticated phishing campaign attributed to the well-known threat actor group Storm-0324.
Any organisation that uses Microsoft Teams may be vulnerable to these phishing attacks, but here’s what you should be on the lookout for and how you can mitigate risk to keep your organisation protected.
A quick phishing recap, but with added Microsoft Teams
Phishing attacks use social engineering techniques to obtain targeted email addresses and then send phishing messages on Microsoft Teams (instead of the traditional email) to gain unauthorised access to an organisation's data. This is a less familiar attack vector, and one may users will not have been trained on previously.
These social engineering strategies often involve an attacker impersonating a trusted source, such as a colleague or boss. They can then send malicious files that stand a good chance of being opened, because the target doesn’t realise that the person who sent the file is not who they say they are, so the attacker can leverage the legitimate trust between colleagues.
What is the malware being used?
For our more technical readers, threat actors use a range of malware in Teams phishing attacks, such as:
JSSLoader malware: This facilitates access to ransomware-as-a-service (RaaS). It allows malicious actors to exploit vulnerabilities and gain unauthorised access to systems. This could be done through TeamsPhisher, an open-source tool used to send deceptive messages containing malicious attachments to organisations that have enabled external communications in Teams. These phishing messages typically impersonate legitimate services like DocuSign or Quickbooks, often referencing invoices and payments to lure victims.
DarkGate Loader malware: DarkGate is a highly sophisticated malware distributed through phishing messages. It employs a multitude of evasion techniques, encrypts its strings (a set of characters within an encryption algorithm to make data appear random) to avoid detection, and is capable of data theft, privilege escalation, and system persistence. DarkGate is offered by an actor known as RastaFarEye and is primarily designed for penetration testing, featuring a broad array of capabilities and continuous updates, making it a persistent and substantial cybersecurity threat.
How to mitigate phishing risk on Microsoft Teams
There are things you can do on an individual level and on an organisation-wide scale to ensure everyone works together to protect your organisation’s data.
For individuals:
- Be cautious of unexpected messages, especially those with attachments or links, even if they appear to be from a known contact or colleague.
- Hover over links to reveal their actual destination before clicking. Beware of misspelled URLs, extra subdomains, or unfamiliar domains.
- Check if the sender's email address matches the official domain of the organisation. Criminals often use similar-looking domains but often have something misspelled or an extra character which gives them away if you’re vigilant enough to notice.
- Exercise caution with email attachments, especially if you weren't expecting them. Verify with the sender before opening the attachment.
For organisations:
- Make use of Microsoft’s security functionality. Microsoft Teams incorporates built-in safeguards designed to prevent the delivery of files from external tenant accounts (i.e., external staff, like customers). Organisations that do not regularly engage with external tenants in Teams can disable the feature allowing connectivity with other parties - so no one can communicate with your network without being approved and establishing a trusted domain.
- Train your team. Phishing vulnerability assessments allow organisations to assess their susceptibility to attacks. These assessment packages also include tailored security awareness training programs to educate their team on the risks of phishing attacks and how to mitigate them.
Talk to us
We offer tailored assessments, including end-to-end support. Our technical experts can work closely with your internal team to ensure you are prepared for when a phishing attempt happens. Speak to us today to discuss how we can support you.
Insights
Crowdstruck - Digital Threat Digest
As I waited for my flight to be rescheduled during last week’s IT outage, I listened to fellow passengers wonder aloud how a company whose name has never hit their radar could have such an impact on such a spectrum of day-to-day matters.
TradWife takeover - Digital Threat Digest
If you don’t know who Nara Smith is, I’m sorry to say you may just be living under a rock. Nara Smith has simply taken over my Instagram and TikTok feed with her ‘what I cooked for my husband today’, ‘what my toddlers ate today’ or my favourite video format, ‘my husband was craving [insert insane request] so I made it from scratch’.
Supply chain assurance and effective Business Continuity
Explaining how digital incidents severely impact the real world can be difficult, but we are increasingly seeing cyber incidents that illustrate how malicious actors can impact our daily lives.