A convincing cyberattack that impersonates notifications from Microsoft Teams in order to steal the Office 365 credentials of employees is making the rounds, according to researchers. Two separate attacks have targeted as many as 50,000 different Teams users, according to findings from Abnormal Security.
The news comes as the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about Office 365 remote-work deployments. “CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks,” the agency said.
In the first attack, employees receive an email containing a link to a document hosted on a domain that an established email-marketing provider uses to serve static material for campaigns. If recipients click the link, they are presented with a button asking them to log in to Microsoft Teams; clicking that button takes them to a malicious page that impersonates the Microsoft Office login page in order to steal their credentials.
“Attackers utilize numerous URL redirects in order to conceal the real URL used that hosts the attacks,” the firm’s researchers said in an analysis released on Friday. “This tactic is employed in an attempt to bypass malicious link detection used by email protection services.” For instance, in one of the attacks the sender email originates from a recently registered domain, “sharepointonline-irs.com,” which Abnormal Security pointed out is not associated with either Microsoft or the IRS. The redirects conceal the real hosting URL, though, and the sender address by itself does not present an obvious red flag to targets.
In the second attack, the email link points to a YouTube page, from which users are redirected twice to finally land on another Microsoft login phishing site.
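Both chains above defeat a scanner that judges only the first link in the email. The check a practitioner wants is to unroll the whole redirect chain and judge the final landing host, then apply the same lookalike test to the sender domain. The script below is an added example, not code from the Threatpost article or from Abnormal Security: the redirect table is constructed to mimic the two chains described above, every hostname under `.test` is an invented placeholder, and the only real name taken from the article is the sender domain `sharepointonline-irs.com`. The allowlist of genuine Microsoft sign-in hosts and Microsoft-owned domains is a deliberately short assumption, and the registrable-domain helper is a simplification that ignores multi-label public suffixes.

```python
"""Unroll a phishing link's redirect chain and judge where it really lands.

Added example (not from the article or Abnormal Security). The redirect
table mimics the two chains the article describes; hosts under .test are
placeholders, and the allowlists below are assumptions kept deliberately short.
"""
from urllib.parse import urlparse

# Assumed allowlist: hosts a genuine Microsoft 365 / Teams sign-in may land on.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumed allowlist: registrable domains Microsoft itself owns.
MICROSOFT_OWNED = {"microsoft.com", "microsoftonline.com", "live.com",
                   "sharepoint.com", "office.com"}
# Brand strings whose appearance in a non-Microsoft domain is suspicious.
BRAND_KEYWORDS = ("microsoft", "office365", "office", "sharepoint", "teams", "onedrive")

# Constructed redirect table standing in for live HTTP 30x responses:
# each key "answers" with a Location header pointing at its value.
FAKE_REDIRECTS = {
    # Attack 1: marketing provider's static hosting -> tracker -> fake login
    "https://static.mailer-cdn.test/campaign/teams-notice.html":
        "https://go.link-tracker.test/r/5f2a",
    "https://go.link-tracker.test/r/5f2a":
        "https://login.office365-sharepointonline.test/auth?id=1",
    # Attack 2: video-site page -> two hops -> another fake login
    "https://video-site.test/watch?v=xyz": "https://redir-one.test/go",
    "https://redir-one.test/go": "https://redir-two.test/go",
    "https://redir-two.test/go": "https://microsoft-login-secure.test/signin",
}


def fake_fetch_location(url):
    """Return the Location header the constructed server would send, or None."""
    return FAKE_REDIRECTS.get(url)


def unroll_redirects(start_url, fetch_location, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited.

    Stops at the first non-redirecting URL, at a loop, or after max_hops so
    a hostile chain cannot keep the scanner busy forever.
    """
    hops = [start_url]
    seen = {start_url}
    current = start_url
    for _ in range(max_hops):
        nxt = fetch_location(current)
        if nxt is None or nxt in seen:
            break
        hops.append(nxt)
        seen.add(nxt)
        current = nxt
    return hops


def registrable_domain(host):
    """Crude registrable domain: the last two labels.

    Simplification: ignores multi-label public suffixes such as co.uk;
    use a public-suffix library in production.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_brand_lookalike(host):
    """True when a Microsoft brand string sits in a domain Microsoft does not own."""
    host = host.lower()
    if host in MICROSOFT_LOGIN_HOSTS or registrable_domain(host) in MICROSOFT_OWNED:
        return False
    return any(kw in registrable_domain(host) for kw in BRAND_KEYWORDS)


def assess_link(start_url, sender_domain, fetch_location=fake_fetch_location):
    """Judge a 'Teams notification' link by its final landing host, not its first hop."""
    hops = unroll_redirects(start_url, fetch_location)
    final_host = urlparse(hops[-1]).hostname or ""
    reasons = []
    redirects = len(hops) - 1
    if redirects >= 2:
        reasons.append(f"{redirects} redirect hops before the landing page")
    if final_host not in MICROSOFT_LOGIN_HOSTS and is_brand_lookalike(final_host):
        reasons.append(f"landing host {final_host} imitates a Microsoft sign-in domain")
    if is_brand_lookalike(sender_domain):
        reasons.append(f"sender domain {sender_domain} imitates Microsoft but is not Microsoft-owned")
    return {"hops": hops, "final_host": final_host,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for url, sender in [
        ("https://static.mailer-cdn.test/campaign/teams-notice.html", "sharepointonline-irs.com"),
        ("https://video-site.test/watch?v=xyz", "notify.example.test"),
        ("https://login.microsoftonline.com/", "microsoft.com"),
    ]:
        verdict = assess_link(url, sender)
        print(url, "->", verdict["final_host"], "| suspicious:", verdict["suspicious"])
        for reason in verdict["reasons"]:
            print("   ", reason)
```

To run this against live links, replace `fake_fetch_location` with a function that issues a request with redirects disabled and returns the `Location` header (for example `requests.head(url, allow_redirects=False, timeout=5).headers.get("Location")`), ideally from a sandboxed egress so the scanner's own fetches do not fire the attacker's tracking pixels. The point of unrolling is visible in the first chain: the email's first hop sits on a reputable marketing CDN and would pass a reputation check, while the host that actually collects the password only appears two redirects later.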
“These attackers crafted convincing emails that impersonate automated notification emails from Microsoft Teams,” according to the analysis. “The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider.”
Attackers can gain access to more than credentials for the specific service represented on the phishing pages, warned Abnormal Security: “Since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single-sign on.”
The researchers said that the campaigns are especially effective on mobile, where images take up most of the content on the screen and where it’s more difficult to vet URLs. But even on desktop, the attacks are well-crafted using existing legitimate imagery, and are thus quite convincing, according to the analysis.
“Given the current situation [where people are working from home], people have become accustomed to notifications from these collaboration software providers,” the researchers noted. “Because of this, the user might not further investigate the message and simply fall for this attack.”
Microsoft’s collaboration platforms, which along with competing services have seen some of the largest user growth from the shift to remote work during the COVID-19 pandemic, have made cyber-headlines lately. Earlier this week, Microsoft fixed a subdomain-takeover vulnerability in Teams that could have allowed an insider to weaponize a single GIF image to pilfer data from targeted systems and take over all of an organization’s Teams accounts.
Also this week, news came to light about a campaign called “PerSwaysion,” which took advantage of Microsoft’s Sway file-sharing offering and Office 365 to convincingly phish corporate executives. And, the aforementioned CISA alert cautioned IT teams against rushing their remote-work deployments for Office 365.
“Companies had to scramble to set up the tools and processes that allowed them to keep the lights on, so it’s understandable that organizations may have rushed into Office 365 and Teams deployments without thinking through every last security ramification,” said Ken Liao, vice president of cybersecurity strategy at Abnormal Security, via email. “Unfortunately, malicious actors are very good at exploiting chaos and confusion. The transition to remote work has created a fertile environment for attacks on all forms of communication and collaboration to infiltrate Office 365 and Teams environments. That’s why it’s critical for enterprises to be able to monitor and detect threats in both email and Teams environments.”