In the wake of Covid-19 and the increased need for communication for people working from home it comes as no surprise that Microsoft Teams are targeted by malicious people. This week we see both CISA and Abnormal security reporting on targeted phishing campaigns that have affected more than 50.000 users so far.
With so many starting to work from home due to the Covid-19 situation invites to different Microsoft Teams are very common. This is something that malicious people have started to take advantage of. Since many organizations are still a bit new to the situation of many employees working from home, this also mean that security is not always up to par with the situation.
“CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks”
- U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)
The tactic is rather simple, but sadly also effective. One example is that a mail that seems legit are sent out with a link to a document on a Microsoft Team. If the link is clicked the user is asked to login and if that button is clicked, they’re taken to a malicious page which convincingly impersonates the Microsoft Office login page in order to steal their credentials
Another example include an email link that points to a YouTube page. From there the users are redirected twice to finally land on another Microsoft Office login phishing site which convincingly impersonates the Microsoft Office login page.
"In this attack, attackers are impersonating a notification from Microsoft Teams in order to steal the credentials of employees. Microsoft Teams has seen one of the largest increase in users as a result of the shift to remote work in response to the current COVID-19 pandemic."
- Abnormal Security
This is even more effective on mobile according to the articles. This is because the images take up most of the space and because domain links are more difficult to see and therefore identify. These phishing attempts are however very convincing even on desktop, which makes it more likely that someone will get caught in the phishers net.
As Microsoft Teams are integrated with Office 365 single sign on it means that if compromised the phisher will have access to other, possibly much more damaging, areas. This is not the only issues facing office 365 users however and Sway got a bit of heat earlier this week as well.
Microsoft is not being idle however and this week they patched a nasty subdomain takeover vulnerability in Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts.
As always, be careful with email links and make sure you vet the urls carefully before submitting any user information online.