Phishing Campaign Mimics Microsoft Teams AlertsResearchers: Fraudsters Target Office 365 Users to Harvest Credentials
Researchers at Abnormal Security have uncovered a phishing campaign that mimics the automated messages of the popular business communication platform Microsoft Teams in an attempt to harvest user’s Office 365 login credentials.
See Also: Respond to Fraud in Milliseconds
The use of Microsoft Teams has grown rapidly during the COVID-19 pandemic and shift to remote work, making it an attractive target for fraudsters.
"Teams users generated more than 5 billion meeting minutes in a single day … 69 organizations now have more than 100,000 users of Teams, and over 1,800 organizations have more than 10,000 users of Teams," Microsoft CEO Satya Nadella, said during the company's fourth-quarter financial earnings call in June.
The ongoing phishing campaign is believed to have targeted 15,000 to 50,000 Office 365 users so far, according to the Abnormal Security report.
"Because Microsoft Teams is an instant messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification," the Abnormal Security researchers note.
The phishing emails are sent using the display name: "There’s new activity in Teams" to make it look like an automated notification from the messaging platform. The fake message is designed to convince the potential victim that a member of their Team's community is trying to get in contact with them.
The reply option called "Reply In Teams" leads the victim to a fake Microsoft login page where user credentials are harvested, allowing the fraudsters to access to the account and gather more information, according to report.
"The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing 'Microsftteams,' lending further credence," the Abnormal Security researchers note.
A similar phishing campaign discovered in May spoofed notification from Microsoft Teams to harvest credentials (see: Latest Phishing Campaign Spoofs Microsoft Teams Messages).
Other security analysts have noticed similar campaigns targeting at-home workers who are increasingly reliant on cloud-based services such as Zoom, Teams and Office 365.
In April, the U.S. Cybersecurity and Infrastructure Security Agency published an alert urging organizations to secure cloud-based collaboration services.
Other researchers have found vulnerabilities in Teams itself. Microsoft pushed out a patch in April for a bug that could allow an attacker to take over an organization's accounts through the use of a weaponized GIF image (see:Microsoft Patches Teams Vulnerability).