Microsoft Teams [1] [2] [3] [4] [5] [6] [7] [8] [9], a popular collaboration app, has become a prime target for phishing campaigns. Storm-0324 [1] [2] [3] [4] [5] [6] [7] [8] [9], a financially motivated threat actor [5] [6] [7], has been carrying out such campaigns since at least 2016. The group has a history of distributing malware and ransomware and often mimics popular services such as DocuSign and QuickBooks in its phishing emails. Recently, Storm-0324 has shifted tactics to phishing lures sent over Teams, with links that lead to a malicious SharePoint-hosted file [3] [4]. The group is likely using a tool called TeamsPhisher to deliver the phishing attachments [3]. This activity started in July 2023 and is separate from the Midnight Blizzard social engineering campaigns [2].


Storm-0324 took advantage of an unpatched vulnerability in Teams [5], allowing them to exploit unsuspecting users and gain access to organizations. In response, Microsoft has implemented measures to enhance protection for Teams users [3]. They have suspended identified accounts and tenants associated with fraudulent behavior and have rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams [2]. Additionally, Microsoft has implemented improved recognition of external users, restrictions on domain creation [3] [4], and notifications to tenant admins [3] [4].

To protect against these threats [5] [9], organizations are advised to secure user account settings, monitor Teams communications for malicious activity [5], and establish security protocols [5]. Turning off users' ability to communicate with external tenants can also help prevent these attacks [5]. Microsoft is committed to introducing additional measures to protect customers from phishing attacks [2]. Users are advised to pay attention to email details and grammar to avoid falling victim to sophisticated campaigns [9]. Microsoft warns that Storm-0324's phishing campaigns facilitate ransomware attacks and provides steps to protect against them. It is crucial to identify and remediate Storm-0324 activity to prevent more dangerous follow-on attacks [4]. Microsoft has provided protection advice and hunting queries for enterprise defenders [4]. It has also made improvements to defend against these threats, including suspending identified accounts and tenants associated with fraudulent behavior and enhancing the Accept/Block experience in one-on-one chats within Teams [2] [4], and it has implemented new restrictions on domain creation and improved notifications to tenant admins [4].
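The advice above to restrict external-tenant communication maps to the tenant federation settings in Teams. The following PowerShell is an added example, not code from the cited articles or from Microsoft: it audits whether the tenant currently accepts chats from any external Teams tenant and then applies one of two hardened postures (block all external tenants, or keep federation only for an allow-list of partner domains). It assumes the MicrosoftTeams PowerShell module is installed and the caller holds a Teams administrator role; the partner domains are constructed placeholders.

```powershell
# Added example (not from the article or from Microsoft).
# Assumes: MicrosoftTeams module installed, caller is a Teams admin.
Connect-MicrosoftTeams

function Get-TeamsExternalAccessPosture {
    # Report the tenant-wide federation settings that govern which
    # external Teams users can start a chat with people in this tenant.
    $config = Get-CsTenantFederationConfiguration

    # When AllowedDomains is the default "allow all known domains" object it
    # has no AllowedDomain collection, so filter out $null before counting.
    $allowedDomainList = @($config.AllowedDomains.AllowedDomain | Where-Object { $_ })

    [pscustomobject]@{
        AllowFederatedUsers       = $config.AllowFederatedUsers        # other Teams tenants
        AllowTeamsConsumer        = $config.AllowTeamsConsumer         # personal Teams accounts
        AllowTeamsConsumerInbound = $config.AllowTeamsConsumerInbound  # consumers may initiate chats
        AllowedDomainCount        = $allowedDomainList.Count
        # Federation on with no allow-list means any external tenant can reach users.
        OpenToAnyExternalTenant   = ($config.AllowFederatedUsers -and $allowedDomainList.Count -eq 0)
    }
}

function Set-TeamsExternalAccessPosture {
    param(
        [Parameter(Mandatory)] [ValidateSet('Block', 'AllowList')] [string] $Mode,
        [string[]] $AllowedDomains = @()
    )
    if ($Mode -eq 'Block') {
        # Strictest posture: no external tenants and no consumer accounts at all.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
            -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
    }
    else {
        # Federation stays on, but only for the named partner domains.
        $patterns  = $AllowedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList
    }
}

# Usage: audit first, then choose a posture.
Get-TeamsExternalAccessPosture | Format-List

# Either block every external tenant ...
# Set-TeamsExternalAccessPosture -Mode Block

# ... or keep federation for known partners only (placeholder domains).
Set-TeamsExternalAccessPosture -Mode AllowList -AllowedDomains @('partner-a.example', 'partner-b.example')

Get-TeamsExternalAccessPosture | Format-List
```

Run the audit before changing anything: if `OpenToAnyExternalTenant` is true, any outside Teams tenant, including a freshly created one, can open a chat with your users, which is the delivery path the campaign relies on. The allow-list posture is usually the practical choice for organizations that collaborate with partners, since it preserves legitimate external chat while closing the door to unknown tenants.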


Microsoft has announced plans to introduce new anti-phishing defenses for Teams users after identifying a threat actor targeting the platform [8]. The threat actor [2] [3] [4] [6] [8] [9], known as Storm-0324 [2] [4] [6] [7] [8] [9], has been sending Teams messages containing malicious links since July [8]. The group has been using a red-teaming tool called TeamsPhisher to automate the sending of malicious payloads to multiple Teams users' inboxes [8]. Storm-0324 is also associated with other threat groups and is known for using traffic distribution systems to evade detection [8]. It spreads JSSLoader malware [8], which is used by the ransomware gang FIN7 [8]. Microsoft advises customers to restrict access for external collaboration and to educate users about social engineering and credential phishing attacks [8]. It has also suspended accounts associated with fraudulent behavior and implemented other security measures [8]. Microsoft's ongoing efforts to enhance protection and provide guidance to users and organizations are crucial in mitigating the risks posed by Storm-0324 and similar threat actors. Users should remain vigilant and follow the recommended security protocols to safeguard their data and systems.