Nucleus Networks Blog

Phishing Lures through Microsoft Teams

Written by Nucleus Networks | Sep 21, 2023 6:55:52 PM

It’s a challenge to keep up with every type of phishing scam, as new ones pop up every day. General awareness remains important, however, as threats evolve to target professionals on new platforms and in more clever ways. In a campaign first identified by Microsoft in July 2023, organizations are phished via Microsoft Teams, part of a wider trend of hackers penetrating business communication apps. Here’s how it works and how to defend your business from it.

How it Works 

This threat takes advantage of a publicly available open-source tool, TeamsPhisher, to phish organizations via Microsoft Teams, undermining basic security controls in Teams chat. Phishing lures are sent with malicious links leading to a fake SharePoint-hosted file. The Teams platform identifies the senders of these lures as “EXTERNAL” users if external access is enabled in the organization.

Storm-0324: The Cybercriminal Group Behind these Attacks 

Microsoft has been tracking the activities of these threat actors as Storm-0324, known globally as TA543 and Sagrid, a financially motivated group that often uses email phishing tactics in the guise of invoice and payment lures to gain initial access. Storm-0324 is what is referred to as an Initial Access Broker (IAB): a threat actor that specializes in infiltrating computer systems and networks and then sells that unauthorized access to other malicious actors to facilitate ransomware-as-a-service (RaaS).

How to Protect your Business   

Secure your Microsoft 365 IT Environment with controls. Here are a few of the most important ones deployed to prevent this specific threat:    

  • Specify trusted Microsoft organizations: Define which external domains are allowed or blocked to chat and meet.
  • Microsoft 365 Defender: Detects Storm-0324 activity to limit the impact of attacks.
  • Principle of Least Privilege: Employees should have only the minimum permissions necessary to complete their work.
  • Security Awareness Training: Invest in ongoing Security Awareness Training to ensure employees are aware of social engineering attacks and how these threats work. Employees need to be cautious of all attachments and requests from external users.
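One way to apply the "Specify trusted Microsoft organizations" control from PowerShell, shown as an added example that is not part of the original post: it uses the federation cmdlets of the MicrosoftTeams module and must be run by a Teams administrator. The partner domains are placeholders chosen for illustration.

```powershell
# Added example: restrict Teams external access to an explicit allowlist.
# Requires the MicrosoftTeams PowerShell module and a Teams administrator account.
# The domains below are placeholders (assumption); replace them with your real partners.
$TrustedDomains = @('partner-one.example', 'partner-two.example')

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Record the current state. With default settings, AllowedDomains shows
# AllowAllKnownDomains, meaning any external Teams tenant can start a chat.
$before = Get-CsTenantFederationConfiguration
$before | Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# Normalize and validate the list so a typo cannot end up in tenant policy.
$allow = New-Object 'System.Collections.Generic.List[string]'
foreach ($d in $TrustedDomains) {
    $name = $d.Trim().ToLowerInvariant()
    if ($name -notmatch '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$') {
        throw "Not a valid domain name: '$d'"
    }
    if (-not $allow.Contains($name)) { $allow.Add($name) }
}

# Keep external access on, but only for the listed domains.
# Chats from any other external tenant are no longer delivered.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allow

# Confirm that the allowlist replaced the open setting.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
```

Policy changes can take some time to propagate across the tenant, so re-check the output of the final command before relying on it.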

As a Managed Services Provider, we work with your business to ensure that your settings are configured so that you can fully leverage Microsoft 365 and its security capabilities. We also focus on offering a multi-layered approach to security and can provide your business with more advanced protection against ransomware. For more information on security hardening, please contact us.

Read more about this attack and how it works from Microsoft at: https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/