Published on November 12th, 2019
CyberheistNews Vol 9 #46 [Heads-Up] Malicious Actors Want to Join Your Team!
Microsoft Teams has seen rapid adoption in the three years since it was released back in 2016, becoming by some estimates the second-most used business collaboration tool after Skype. Unsurprisingly, malicious actors have taken notice.
Over the course of 2019 we have seen a steady increase in the number of malicious emails spoofing Microsoft Teams email alerts and notifications. These phishing emails—reported to us by customers using the Phish Alert Button (PAB)—range from low rent trash that bears almost no resemblance to legitimate Teams emails to high-quality spoofs that are well-nigh indistinguishable from the real thing.
The majority of the spoofed Teams emails we've seen are fairly well-executed, and look to have been based directly on actual Teams emails that were fished out of the inboxes of compromised accounts at organizations using the Microsoft collaboration tool.
Content and format are nearly perfect in these malicious spoofs, leaving only the link itself to give away the ruse. Note the use of multiple subdomains in the URL above to draw users' eyes to the string "login.microsoftonline.com" which, for many users, will be effective enough to disguise the true destination of that link. Screenshot examples at the blog.
All bad guys are not created equal, though. Some appear to have only a vague understanding of what Microsoft Teams is and how popular it has become among business organizations -- especially those that have fully embraced Office 365 and its ever-expanding suite of productivity tools. But these bottom-feeders don't necessarily have the knowledge base, motivation, or resources to do a proper spoof of Teams email notifications.
None of that is a barrier to going after Microsoft Teams users, though. Just sprinkle a few references to "teams" throughout the Subject: line and email body, use a trusted email service provider like Sendgrid to blast out your low rent spoofs, and you're in business. Screenshot examples at the blog.
If Microsoft can integrate Teams into its larger suite of productivity tools, who's to say the bad guys can't do the same thing? In this phish the bad guys simply took a fairly standard Office 365 credentials phish and spruced it up a bit by changing the sender name to "Microsoft Teams."
Coupled with the use of a Microsoft-y looking domain—"outlooksecure (dot) com"—in the money link, that just might be enough to persuade a few people in many organizations to click the link and hand over their credentials to malicious actors. Screenshot example at the blog.
If you've rolled out Microsoft Teams in your organization, you would do well to wonder just how well your users and employees would handle the kinds of spoofed Microsoft Teams emails that are currently landing in inboxes. Would they bother to check the link? Would they notice that the Microsoft login page sitting in front of them is actually hosted on a Google cloud-based service like Appspot?
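The three "tells" described above (a trusted brand string buried in the subdomains of an unrelated domain, a Microsoft-flavoured lookalike such as "outlooksecure (dot) com", and a login page hosted on a generic cloud platform like Appspot) can be checked mechanically before a user ever has to squint at a link. The following Python helper is an added example written for this article, not code from the newsletter or from KnowBe4; the Microsoft-owned domain allow-list, the brand-token list, the hosting-platform list and the sample email body are all constructed assumptions for illustration, and the registrable-domain logic is deliberately simplified (it ignores multi-part public suffixes such as co.uk).

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains Microsoft actually owns and
# uses for sign-in. A real deployment would maintain and review its own list.
MICROSOFT_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "live.com",
    "office.com", "office365.com", "outlook.com",
}

# Brand strings a phisher plants in a hostname to catch the eye.
BRAND_TOKENS = ("microsoft", "office365", "outlook", "teams")

# Generic hosting platforms where a "Microsoft login page" has no business living
# (constructed list; extend as needed).
GENERIC_HOSTING_SUFFIXES = (".appspot.com", ".herokuapp.com", ".github.io")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'evil.example'.
    Simplification: ignores multi-part public suffixes (co.uk, com.au);
    use the Public Suffix List for production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_login_link(url: str) -> str:
    """Classify where a sign-in link really leads, by hostname only.
    Order matters: a trusted domain wins, then generic hosting, then a brand
    string hidden in the subdomains, then a lookalike registrable domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"
    reg = registrable_domain(host)
    if reg in MICROSOFT_DOMAINS:
        return "legitimate"
    if any(host.endswith(suffix) for suffix in GENERIC_HOSTING_SUFFIXES):
        return "generic-hosting"
    # Everything left of the registrable domain, e.g. "login.microsoftonline.com"
    # in "login.microsoftonline.com.evil.example".
    subdomains = host[: -len(reg)].rstrip(".")
    if any(tok in subdomains for tok in BRAND_TOKENS):
        return "brand-in-subdomain"
    if any(tok in reg for tok in BRAND_TOKENS):
        return "lookalike-domain"
    return "unrelated"


def triage_email(body: str) -> list:
    """Extract every http(s) link from an email body and pair it with a verdict."""
    return [(url, classify_login_link(url)) for url in URL_RE.findall(body)]


# Constructed sample body imitating a spoofed Teams notification.
SAMPLE_EMAIL = """\
You have a new message in Microsoft Teams.
Open it here: https://login.microsoftonline.com.account-verify.example/teams
Or sign in at http://outlooksecure.com/owa/
"""

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:20s} {url}")
```

Run as a script it prints one verdict per link found in the sample body; in a mail-filtering or PAB-triage pipeline you would feed `triage_email` the text of each reported message and alert on anything other than `legitimate`. Note that the check is purely syntactic: it says nothing about the page behind the link, only whether the hostname is the kind of construction the phishes above rely on.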
Then again, why just wonder?
New-school security awareness training can train your users to be on the alert for those kinds of "tells," then test their reactions to simulated phishing emails based on actual phishes used by real malicious actors in the wild.
It's the best means to ensure that the only ones managing your teams are your own people -- not confidence tricksters looking to muscle their way into your organization's network. Example screenshots here that you can use for phishing templates to send to your users:
For KnowBe4 customers, we have several ready-to-send phishing templates you can use to inoculate your users against attacks like this.