Beware of This Microsoft Teams Phishing Campaign

Many people trust the contacts in their Microsoft Teams profiles and may immediately click any link they receive from what they think is a trusted contact. Hackers can exploit this trust by developing profiles almost identical to departments within their targets’ employment framework. Using these compromised accounts, hackers can send malicious software and put your business at risk.

A new Microsoft Teams phishing campaign uses social engineering to manipulate users into downloading a malicious attachment.

What Is Phishing?

Hackers use phishing to commit credential theft. Once they identify a suitable target, they lure them into completing an online form that requests login information. However, more advanced phishing campaigns use trusted software networks of the targets’ company to get unauthorized access to data.

Employees using business networks often fail to recognize new phishing attempts since they look like legitimate messages. These phishing methods put a business’s entire network, including devices, websites, and software, at stake.

How To Spot the Microsoft Teams Phishing Campaign

The new Microsoft Teams phishing campaign begins with a message from an Office365 account that belongs to someone claiming to work in the business’s HR department. The phishing message from the bad actor contains a ZIP file entitled “Changes to the vacation schedule.” This SharePoint-hosted file may look like a PDF file but actually contains an LNK file that contains DarkGate malware.

How Does the Campaign Work?

When employees receive the Teams message, they often have no reason to believe it contains malicious content. However, a known threat actor called Sangria Tempest operates the campaign, likely hoping to get payment from a ransomware deployment or sell personal information on the dark web.

The cybercriminal group uses the TeamsPhisher tool, allowing Teams users to send links and files to people outside their established network. The malware itself contains a disguised VBS file.

Once a user downloads and opens the file, the malware can collect sensitive login details and other pertinent information from the device.

In some cases, malware deploys more malicious code if it discovers that the Sophos antivirus software doesn’t protect the attacked device. This extra code accesses the system memory and stores the malware into the system.

How To Protect Your Teams Network

You can apply several methods to protect your organization from the new Microsoft Teams phishing campaign:

• Employee education: Employees who are aware of current security threats can avoid interacting with them. We recommend training your staff about the campaign’s specifics so they stand a greater chance of protecting your business.
• External contact avoidance: You can disallow contact with all external organizations using allow-lists in Teams.
• Internal device usage: Businesses increasingly require their staff members to connect to sensitive business networks using organization-supplied devices. This decreases the potential for outside malware to access internal networks.
• Link scanning: Microsoft Defender can scan and inspect links for malware detection that’s part of Microsoft Teams phishing campaign and other attacks.