Microsoft has implemented new anti-phishing measures for its Teams video conferencing customers to combat the growing threat of phishing attacks [9]. The company aims to enhance the security of Microsoft Teams and protect users from phishing attacks and other malicious activities [9].
Description
Microsoft 365 Defender can be used to detect and limit the impact of Storm-0324 [9], a financially motivated threat actor also associated with the ransomware group Sangria Tempest. Storm-0324 has been active since 2016 and acts as a distributor for other attackers, primarily distributing JSSLoader, which leads to dangerous follow-on attacks like ransomware [1]. Its attacks typically involve emails related to invoices and payments [6], mimicking services like DocuSign and Quickbooks [6]. In July 2023 [1] [5] [8], a new campaign by Storm-0324 was observed, utilizing a tool called TeamsPhisher to send phishing lures over MS Teams [1]. Microsoft is particularly concerned about ransomware attacks facilitated by these phishing campaigns [6]. The company recommends applying the principle of least privilege and following its other recommendations to limit the impact of these attacks [6]. Microsoft Threat Intelligence has provided steps to protect against these types of attacks [6], including restricting external communications [1], restricting device access [1], user education and awareness [1], safe links scanning [1], and access management [1]. It is important for users to pay attention to email details and the grammar and layout of the content to avoid falling victim to sophisticated campaigns [6]. Microsoft also recommends that organizations using Teams deploy phishing-resistant MFA methods to mitigate the risk of this type of attack [3]. These measures collectively aim to enhance the security of Microsoft Teams and protect users from the evolving threat landscape [9].
Microsoft has issued a warning about a new phishing campaign by Storm-0324 [4] [7], a threat actor also known as TA543 and Sagrid [4] [7]. This campaign involves using Microsoft Teams messages as lures to infiltrate corporate networks [4]. The phishing lures are sent over Teams with malicious links leading to a malicious ZIP file hosted on SharePoint [4]. The attackers are leveraging an open-source tool called TeamsPhisher to attach files to messages sent to external tenants [4]. Microsoft emphasizes that identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware [4]. Microsoft has also implemented enhancements to the Accept/Block experience in one-on-one chats within Teams and introduced new restrictions on domain creation within tenants [8]. Microsoft will continue to introduce measures to protect customers from phishing attacks [8].
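The delivery pattern described above (a Teams message from an external tenant carrying a link to a ZIP file hosted on SharePoint) can be turned into a simple triage rule. The following is an added example, not code from Microsoft or any of the cited sources; the record fields (`id`, `sender`, `sender_tenant`, `body`), the tenant IDs and the sample messages are constructed for illustration and do not correspond to a specific Microsoft export format.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed placeholder for the organization's own tenant ID.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def sharepoint_zip_links(text):
    """Return URLs in text whose host is under sharepoint.com and whose path ends in .zip."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(").,;")                 # drop trailing punctuation from prose
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = unquote(parsed.path).lower()      # decode %20 etc.; query string is ignored
        # Suffix match on the registered domain, so look-alike hosts do not qualify.
        if host.endswith(".sharepoint.com") and path.endswith(".zip"):
            hits.append(url)
    return hits

def flag_external_lures(messages, home_tenant=HOME_TENANT):
    """Flag messages sent from another tenant that link to a SharePoint-hosted ZIP."""
    alerts = []
    for msg in messages:
        if msg["sender_tenant"].lower() == home_tenant.lower():
            continue                             # internal sender: outside this rule
        links = sharepoint_zip_links(msg["body"])
        if links:
            alerts.append({"id": msg["id"], "sender": msg["sender"], "links": links})
    return alerts

# Constructed sample records (hypothetical schema and values).
SAMPLE = [
    {"id": "m1", "sender": "billing@vendor-a.example",
     "sender_tenant": "22222222-2222-2222-2222-222222222222",
     "body": "Invoice: https://vendor-a.sharepoint.com/sites/docs/Invoice_0923.zip"},
    {"id": "m2", "sender": "alice@corp.example", "sender_tenant": HOME_TENANT,
     "body": "Build: https://corp.sharepoint.com/sites/eng/build.zip"},
    {"id": "m3", "sender": "pm@vendor-b.example",
     "sender_tenant": "33333333-3333-3333-3333-333333333333",
     "body": "Agenda: https://vendor-b.sharepoint.com/sites/pm/agenda.docx"},
    {"id": "m4", "sender": "ap@vendor-c.example",
     "sender_tenant": "44444444-4444-4444-4444-444444444444",
     "body": "(see https://vendor-c.sharepoint.com/s/Payment%20Details.ZIP?download=1)"},
]

if __name__ == "__main__":
    for alert in flag_external_lures(SAMPLE):
        print(alert["id"], alert["sender"], alert["links"])
```

A hit is a prompt for review rather than a verdict, since legitimate partners also share archives this way; the rule is most useful alongside the external-communication restrictions listed above.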
Additionally, Storm-0324 [1] [2] [3] [4] [5] [6] [7] [8] [9], previously associated with ransomware attacks [2], has shifted tactics to target corporate networks through Microsoft Teams phishing attacks [2]. Storm-0324 is using an open-source tool called TeamsPhisher to bypass file restrictions and send harmful attachments to Teams users [2]. This change in tactics is believed to be based on a known vulnerability within Microsoft Teams [2], which the company has not yet fixed [2]. The Russian state group APT29 has also exploited this vulnerability for attacks aimed at stealing victims’ credentials through fake multifactor authentication prompts [2].
Conclusion
Ransomware attacks have surged in 2023 [7], emphasizing the importance of robust cybersecurity practices [7]. Microsoft’s implementation of new anti-phishing measures for Teams video conferencing customers is a crucial step in enhancing the security of Microsoft Teams and protecting users from phishing attacks. By detecting and limiting the impact of Storm-0324 and other threats, Microsoft aims to prevent dangerous follow-on attacks like ransomware [1]. The company’s ongoing efforts to improve the Accept/Block experience in Teams and introduce restrictions on domain creation demonstrate its commitment to customer protection. However, the shift in tactics by Storm-0324 highlights the need for Microsoft to address the known vulnerability within Teams to further mitigate the risk of phishing attacks. As ransomware attacks continue to pose a significant threat, it is essential for organizations and users to prioritize robust cybersecurity practices to safeguard their data and networks.
References
[1] https://www.infosecurity-magazine.com/news/microsoft-teams-phishing-campaign/
[2] https://heimdalsecurity.com/blog/teams-phishing-attacks/
[3] https://duo.com/decipher/microsoft-warns-of-teams-based-phishing-campaign
[4] https://thehackernews.com/2023/09/microsoft-warns-of-new-phishing.html
[5] https://www.helpnetsecurity.com/2023/09/13/ransomware-microsoft-teams-phishing/
[6] https://www.techradar.com/pro/security/microsoft-teams-warns-of-another-dangerous-phishing-attack-spreading-ransomware
[7] https://cybermaterial.com/microsoft-alerts-on-storm-0324-phishing/
[8] https://www.computerweekly.com/news/366552053/Storm-0324-gathers-over-Microsoft-Teams
[9] https://www.onmsft.com/news/microsoft-takes-action-to-combat-phishing-attacks-by-storm-0324-on-teams-users/