With the increasing popularity of collaborative work tools like Microsoft Teams, hackers are starting to focus on attacking platforms that businesses use for remote working. This latest phishing campaign looks like an automatic notification from Teams and urges recipients to click on a link that leads to a phishing page designed to steal credentials.
The phishing attack was spotted by researchers at Abnormal Security and it takes advantage of the fact that Teams allows users to respond to chats from what are called external tenancies, or organizations other than the one that hosts the collaboration platform. This bypasses an in-built restriction that prevents external tenancies from sending files to internal employees, which the attackers used to their advantage.
Using a maliciously modified version of the Teams client, the attackers can send a file to a target, and if the recipient opens it, it installs a hidden rootkit that gives the attacker access to the user’s computer. The rootkit then enables the attackers to intercept and read any chats or conversations that the victim participates in using Teams. This includes inter-organizational chats, and extends to the ability to share screens during a call and even to remotely execute code.
This phishing campaign was successful because it targets people who have opted in to receive notifications from Microsoft Teams and who tend to trust the messages they see in their inbox. The message that landed in inboxes claims recipients have missed Teams calls and contains a link titled “Reply in Teams” with the display name “There’s new activity”. This link is a dead giveaway because it actually takes people to a phishing site that impersonates the official Microsoft login page, with its URL beginning with microsftteams.
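A link of the kind described above can be caught mechanically before anyone clicks it. The Python below is an added example, not code from the article or from Abnormal Security: it pulls every link out of an HTML mail body and flags hosts that sit within a couple of edits of a Microsoft brand name without being under a trusted domain. The allowlist, the two-edit threshold and the `.example` host are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the defender's own allowlist of Microsoft sign-in/Teams domains.
TRUSTED = ("microsoft.com", "microsoftonline.com", "office.com")
BRANDS = ("microsoft", "microsoftteams")
# Constructed sample; only the "microsftteams" prefix and link text are from the article.
SAMPLE = ('<a href="https://microsftteams.example/login">Reply in Teams</a>'
          '<a href="https://teams.microsoft.com/">Open Teams</a>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def edit_distance(a, b):  # Levenshtein distance, single-row DP
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(href):
    """Return 'trusted', 'lookalike' or 'unknown' for a link target."""
    host = (urlsplit(href).hostname or "").lower()
    # Exact or dot-bounded suffix match, so "notmicrosoft.com" is not trusted.
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    if any(b in lab or edit_distance(lab, b) <= 2
           for lab in host.split(".") for b in BRANDS):
        return "lookalike"
    return "unknown"

def scan(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    return [(text, urlsplit(h).hostname, classify(h)) for h, text in parser.links]
```

Calling `scan(SAMPLE)` returns one `(link text, host, verdict)` tuple per link; the “Reply in Teams” link comes back as `lookalike` because its first host label is one edit away from `microsoftteams`.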
If a recipient does enter their Microsoft account information into the phishing page, they will unwittingly hand over the credentials to the attackers who can then use them for a variety of malicious purposes, including account takeover. The victims can experience serious system infections, severe privacy violations and financial losses due to the unauthorized access.
Affected individuals will also find themselves in the grip of malware that can cause their computers to run slow or crash, with a warning saying “Your machine has been affected by malware. You will need to reset your password to continue.”
Moreover, the malware can also record any voice and video conversations that the victim engages in with colleagues or business partners. This can be useful for the threat actors to learn more about their targets or build a more detailed profile of them.
As a result, it is important that everyone treats all files and links in Microsoft Teams as suspicious and avoids clicking on them. They should also keep their anti-virus software updated and always treat files that they receive from outside of the workplace with caution. In addition, it is essential that they change their Microsoft account passwords immediately. This will help to reduce the impact of any possible breaches in their accounts.