Skip to content
CybersecurityTrainingCollaborationManagementEmailNetworkSupportTechnology

Soaring Microsoft Teams Cyber Assaults Explored: Detailed Insights into Recent Phishing Perils

delve into the surging prevalence of phishing assaults on Microsoft Teams; this in-depth investigation examines recent menaces, their tactics, and potent safeguards to secure your team's communication.

 and  Administrator
3 min read
Delve into the growing occurrence of phishing assaults on Microsoft Teams. This in-depth...
Delve into the growing occurrence of phishing assaults on Microsoft Teams. This in-depth examination scrutinizes recent menaces, the techniques they employ, and reliable tactics to safeguard your team's communications.

Unveiling the Trend: Teams Phishing on the Rise

Soaring Microsoft Teams Cyber Assaults Explored: Detailed Insights into Recent Phishing Perils

In the present tech landscape, cyber threats have spiked, with a significant increase in phishing attacks focusing on Microsoft Teams. These attacks exploit the platform's features while abusing Remote Monitoring and Management (RMM) tools including Quick Assist, AnyDesk, and TeamViewer, making collaboration tools a risky new frontier for corporate security.

Deep Dive into Teams Phishing

Modern Teams phishing tactics are alarming. Attackers often personality impersonate IT help desks in one-on-one conversations, initiated from attacker-controlled tenants. These impersonations are further solidified by unwarranted Teams calls and meeting invitations, where attackers distribute malicious URLs or attachments through the chat feature.

The phishing process usually commences with a spam assault, inundating potential victims' mailboxes with over 1,000 non-malicious emails per hour. This spam barrage sets the stage for the attackers to pose as help desk personnel claiming to assist with spam issues. The attackers focus on a few users in each tenant, allowing for a more personalized approach and minimizing suspicion.

Red Flags for Teams Phishing Attempts

Organizations must be on high alert for potential indicators of ongoing Teams phishing attempts:

  • Suspicious Quick Assist Behavior: Check for odd Quick Assist launch times or access patterns as this could point to unauthorized access.
  • RMM Tool Activity: Monitor remote access tools like AnyDesk, TeamViewer, or other RMM tools to verify if they're being used outside of standard IT support procedures.
  • Anomalous Location Access: Verify the location from where remote management software is being accessed. Deviations from the typical location might indicate unauthorized access.
  • NetSupport Manager Activity: Identify any uncommon usage or installations of this tool, often linked to remote access intrusion.

A Case Study: Black Basta

The Black Basta ransomware operation has escalated its tactics, adopting Microsoft Teams for social engineering. Active since April 2022, Black Basta has launched hundreds of attacks globally against corporations.

Black Basta Attack Methodology

  1. Email Blitz: Black Basta floods employees with non-malicious emails, including announcements and sign-up confirmations. This barrage intentions to create a state of normalcy, causing employees to adopt a lax approach.
  2. Impersonation via Teams: Once employees are accustomed to the emails, Black Basta associates reach out to them via Teams, impersonating IT support personnel. They create tenant accounts mirroring help desk services, often naming them with strings like securityadminhelper.onmicrosoft.com.
  3. Crafted User Profiles: Attackers set the display names to include "Help Desk," often utilizing whitespace characters to center the names in the chat interface. This minor trick helps perpetuate the illusion of authenticity.
  4. QR Code Deception: In some cases, Black Basta sends QR codes through chats, directing victims to potentially hazardous websites.
  5. Exploitation of Remote Access Tools: With the help of victims, attackers deploy remote access tools such as AnyDesk or launch Windows Quick Assist. Once access is granted, attackers deploy various payloads, including malicious files.
  6. Lateral Movement and Ransomware Deployment: With remote access established, attackers can move laterally within the network, escalate privileges, exfiltrate data, and ultimately deploy ransomware.

Strategies for Organizations

To counteract the growing threat of Teams phishing, organizations need to implement multiple security measures:

  1. Limit External User Communications: Restrict external user communications in Microsoft Teams. Enable communication only from verified, trustworthy domains to minimize exposure. Adjust email security settings for more stringent spam filtering.
  2. Enable Comprehensive Logging: Enable logging for all Teams interactions, especially for chat creation events. This helps in detecting suspicious patterns that might signal phishing attempts.
  3. User Education and Awareness: Conduct regular training sessions to educate employees about phishing attempts and the importance of verifying unexpected communication from unfamiliar sources.
  4. Implement Multi-Factor Authentication (MFA): Enforce MFA for all accounts to increase security. This step reduces the risk of unauthorized access even if login credentials are compromised.
  5. Regular Security Audits: Carry out regular assessments of security protocols and incident response plans. This proactive approach helps organizations stay ahead of evolving cyber threats.
  6. In the current tech landscape, where cyber threats have surged, it's crucial for corporations to be vigilant about monitoring Remote Monitoring and Management (RMM) tools such as Quick Assist, AnyDesk, and TeamViewer, as they are increasingly being exploited in phishing attacks targeting Microsoft Teams.
  7. Modern phishing strategies on Microsoft Teams are disconcerting, with attackers often posing as IT help desks in one-on-one conversations initiated from attacker-controlled tenants, sending unwarranted Teams calls and meeting invitations, and distributing malicious URLs or attachments through the chat feature.
  8. A usual phishing process entails a spam attack, with thousands of non-malicious emails sent per hour to potential victims' mailboxes, which sets the stage for attackers to pose as help desk personnel claiming to assist with spam issues.
  9. Organizations should take note of potential indicators of ongoing Teams phishing attempts, including suspicious Quick Assist behavior, RMM tool activity, anomalous location access, and NetSupport Manager activity.
  10. The Black Basta ransomware operation has begun using Microsoft Teams for social engineering, flooding employees with non-malicious emails before impersonating IT support personnel via Teams, deploying remote access tools, and ultimately deploying ransomware.
  11. To combat the growing threat of Teams phishing, organizations must limit external user communications, enable comprehensive logging, educate employees, implement multi-factor authentication, and perform regular security audits.

Read also:

    Related

    Latest