Microsoft Teams, a popular collaboration app, has become a prime target for phishing campaigns. Storm-0324, a financially motivated threat actor, has been carrying out these campaigns since at least 2016. They have a history of distributing malware and ransomware and often mimic popular services like DocuSign and QuickBooks in their phishing emails. Recently, Storm-0324 has shifted its tactics to using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. They are likely using a tool called TeamsPhisher to deliver phishing attachments. This activity started in July 2023 and is separate from the Midnight Blizzard social engineering campaigns.
Storm-0324 took advantage of an unpatched vulnerability in Teams, allowing them to exploit unsuspecting users and gain access to organizations. In response, Microsoft has implemented measures to enhance protection for Teams users. They have suspended identified accounts and tenants associated with fraudulent behavior and have rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams. Additionally, Microsoft has implemented improved recognition of external users, restrictions on domain creation, and notifications to tenant admins.
To protect against these threats, organizations are advised to secure user account settings, monitor Teams communications for malicious activity, and establish security protocols. Toggling off the ability for users to engage with external tenants can also help prevent attacks. Microsoft is committed to introducing additional measures to protect customers from phishing attacks. Users are advised to pay attention to email details and grammar to avoid falling victim to sophisticated campaigns. Microsoft warns of the ransomware attacks facilitated by Storm-0324’s phishing campaigns and provides steps to protect against these attacks. It is crucial to identify and remedy Storm-0324 activity to prevent more dangerous follow-on attacks. Microsoft has provided protection advice and hunting queries for enterprise defenders. They have also made improvements to defend against these threats, including suspending identified accounts and tenants associated with fraudulent behavior and enhancing the Accept/Block experience in one-on-one chats within Teams. They have implemented new restrictions on domain creation and improved notifications to tenant admins.
Microsoft has announced plans to introduce new anti-phishing defenses for Teams users after identifying a threat actor targeting the platform. The threat actor, known as Storm-0324, has been sending Teams messages containing malicious links since July. They have been using a red-teaming tool called TeamsPhisher to automate the sending of malicious payloads to multiple Teams users’ inboxes. Storm-0324 is also associated with other threat groups and is known for using traffic distribution systems to evade detection. They spread JSSLoader malware, which is used by the ransomware gang FIN7. Microsoft advises customers to restrict access for external collaboration and educate users about social engineering and credential phishing attacks. They have also suspended accounts associated with fraudulent behavior and implemented other security measures. The ongoing efforts by Microsoft to enhance protection and provide guidance to users and organizations are crucial in mitigating the risks posed by Storm-0324 and similar threat actors. It is important for users to remain vigilant and follow the recommended security protocols to safeguard their data and systems.