[Article] Microsoft Teams Impersonation Attacks flood inboxes to Phish for Credentials


Jimi Wikman

In the wake of Covid-19 and the increased need for communication for people working from home, it comes as no surprise that Microsoft Teams is targeted by malicious people. This week we see both CISA and Abnormal Security reporting on targeted phishing campaigns that have affected more than 50.000 users so far.

With so many people starting to work from home due to the Covid-19 situation, invites to different Microsoft Teams are very common. This is something that malicious people have started to take advantage of. Since many organizations are still a bit new to having many employees working from home, this also means that security is not always up to par with the situation.

Quote

“CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks”
- U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)

The tactic is rather simple, but sadly also effective. One example is that a mail that seems legit is sent out with a link to a document on a Microsoft Team. If the link is clicked, the user is asked to log in, and if that button is clicked, they are taken to a malicious page which convincingly impersonates the Microsoft Office login page in order to steal their credentials.

Another example includes an email link that points to a YouTube page. From there the users are redirected twice to finally land on another phishing site which convincingly impersonates the Microsoft Office login page.

Quote

"In this attack, attackers are impersonating a notification from Microsoft Teams in order to steal the credentials of employees. Microsoft Teams has seen one of the largest increase in users as a result of the shift to remote work in response to the current COVID-19 pandemic."
- Abnormal Security

This is even more effective on mobile according to the articles. This is because the images take up most of the space and because domain links are more difficult to see and therefore identify. These phishing attempts are however very convincing even on desktop, which makes it more likely that someone will get caught in the phisher's net.

As Microsoft Teams is integrated with Office 365 single sign-on, it means that if an account is compromised the phisher will have access to other, possibly much more damaging, areas. This is not the only issue facing Office 365 users however, and Sway got a bit of heat earlier this week as well.

Microsoft is not being idle however, and this week they patched a nasty subdomain takeover vulnerability in Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization's Teams accounts.

As always, be careful with email links and make sure you vet the URLs carefully before submitting any user information online.
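The advice to vet URLs can be made concrete. The following is an added example, not part of the original article: a Python check for the page that is about to receive credentials, covering the redirect chain described above. The trusted host list, the lookalike keywords and the `.example` URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: sign-in hosts this organisation expects for Microsoft 365.
# Extend with your own federated identity provider hosts if you use one.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumption: brand words that make an untrusted host a likely impersonation.
BRAND_WORDS = ("microsoft", "office", "teams")

def vet_login_url(url):
    """Return (ok, reason) for a URL that is about to receive credentials."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # "https://login.microsoftonline.com@host/" actually loads "host".
        return False, "userinfo in URL hides the real host"
    host = (parts.hostname or "").rstrip(".")
    try:
        # IDNA-encode so look-alike Unicode letters surface as xn-- labels.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "hostname is not valid IDNA"
    # Exact match only: a trusted name used as a prefix or subdomain label
    # of another domain is not the trusted host.
    if host in TRUSTED_LOGIN_HOSTS:
        return True, "trusted sign-in host"
    if any(word in host for word in BRAND_WORDS):
        return False, f"lookalike host: {host}"
    return False, f"untrusted host: {host}"

def vet_redirect_chain(chain):
    """Judge a chain by its final hop, since that page shows the login form."""
    ok, reason = vet_login_url(chain[-1])
    return ok, f"{len(chain) - 1} redirect(s); final hop: {reason}"

# Constructed sample: a link to a well-known site, redirected twice.
SAMPLE_CHAIN = [
    "https://www.youtube.com/",
    "https://hop.example/r",
    "https://login.microsoftonline.com.signin-portal.example/common/login",
]

if __name__ == "__main__":
    print(vet_redirect_chain(SAMPLE_CHAIN))
```

The first URL in a chain says nothing about where the credentials end up, which is why only the final hop is judged.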

