May 7, 2020

Beware of Fraudulent Microsoft Teams Alerts Designed to Steal Employees' Passwords

A new phishing campaign aims to steal login credentials from workers by impersonating alerts from Microsoft Teams.

As a result of the COVID-19 pandemic, many businesses have switched to full-time remote work, and attackers are taking advantage of it.

Fake Microsoft Teams Alerts

Attackers use crafted emails that appear to be automatic email updates coming from Microsoft Teams.

Once the user clicks the link in the email, they are taken to a fake landing page that impersonates the actual web pages of Microsoft Teams.

The campaign was detected by Abnormal Security. According to the researchers, “the sender of email originates from a newly registered domain,” sharepointonline-irs.com, “which is not affiliated with either Microsoft or the IRS.”

Malicious Email

Attackers used multiple URL redirects to evade malicious link detection and conceal the original URL used to initiate the attack.

Researchers have found two such attacks that aim to steal employee login credentials:

  1. In one such attack, the email contains a link to a document containing an image that asks recipients to log in to Microsoft Teams by clicking the image, which leads to the fake Microsoft Office login page.
  2. In another, a link to YouTube is redirected several times and reaches a final web page that impersonates the Microsoft login page.

If a target falls victim to the attack, their login credentials are compromised, and attackers can also gain access to Microsoft Office 365 services. The attack targets more than 50,000 workers in order to seize login credentials.
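The two signals the researchers describe, a sender domain unaffiliated with Microsoft and a link that passes through several redirects before reaching a fake login page, can be checked at the mail gateway. The following Python code is an added example, not code from Abnormal Security or from this article; the allowlist, keyword list, hop threshold, finding names, link hosts and sample message are assumptions constructed for illustration, and only the sender domain comes from the article.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions: Microsoft-owned domains to trust, brand keywords, hop threshold.
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com", "sharepoint.com"}
BRAND_TOKENS = ("microsoft", "teams", "sharepoint")
MAX_REDIRECTS = 2

def is_microsoft_host(host):
    """True only for an allowlisted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)

def assess(raw_email, redirect_chains):
    """Return a sorted list of findings for one message.

    redirect_chains maps each link in the body to the URLs visited in order
    (first element is the link itself), as recorded by a URL sandbox.
    """
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    claims_brand = any(t in claimed for t in BRAND_TOKENS)
    findings = set()
    if not is_microsoft_host(sender_domain):
        if claims_brand:  # display name or subject uses the brand
            findings.add("brand-claim-from-unaffiliated-sender")
        if any(t in sender_domain for t in BRAND_TOKENS):
            findings.add("lookalike-sender-domain")
    for chain in redirect_chains.values():
        if len(chain) - 1 > MAX_REDIRECTS:
            findings.add("long-redirect-chain")
        if claims_brand and not is_microsoft_host(urlsplit(chain[-1]).hostname):
            findings.add("brand-claim-lands-off-microsoft")
    return sorted(findings)

# Constructed sample: sender domain from the article, everything else placeholder.
PHISH = (
    "From: Microsoft Teams <notify@sharepointonline-irs.com>\n"
    "Subject: You have new activity in Teams\n\n"
    "Open: https://www.youtube.com/constructed-link\n"
)
PHISH_CHAINS = {"https://www.youtube.com/constructed-link": [
    "https://www.youtube.com/constructed-link",
    "https://hop1.example/r", "https://hop2.example/r",
    "https://login.portal.example/microsoft"]}

if __name__ == "__main__":
    print(assess(PHISH, PHISH_CHAINS))
```

Matching on the allowlisted domain or a dot-separated subdomain is what keeps `sharepointonline-irs.com` from passing as `sharepoint.com`.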

Recently, Group-IB Threat Intelligence Community recorded that “more than 150 companies’ top executives are compromised through active targeted phishing attacks, as well as evidence regarding the creation of an Asian company’s corporate email account.” Last week, Microsoft patched a subdomain takeover vulnerability in Microsoft Teams that affects any user of Teams on the desktop or in a web browser.

With lockdowns in place, remote traffic has increased, and attackers are taking advantage of the situation to steal corporate resources. Stay secure on the internet!
