Microsoft Teams Phishing Attacks: Ransomware Group Shifts Tactics
Storm-0324 Leverages TeamsPhisher Open-Source Tool to Bypass File Restrictions.
Microsoft revealed a shift in tactics by an initial access broker known for its ties to ransomware groups. The threat actor is known as Storm-0324 and had formerly spread Sage and GandCrab ransomware. Storm-0324 recently moved from deploying ransomware to breaching corporate networks through Microsoft Teams phishing attacks.
More about the Teams Phishing Attacks
Microsoft stated that Storm-0324 started distributing malicious links across Teams. Further on, the unsuspecting victims are redirected to SharePoint-hosted files. This change of tactics is allegedly based on an open-source tool known as TeamsPhisher. Attackers use TeamsPhisher to bypass file restrictions for external users and send harmful attachments to Teams users.
Security researchers claim that Storm-0324 is exploiting a known vulnerability within Microsoft Teams. Allegedly, the company didn`t fix the flaw claiming that its risk level did not require immediate servicing.
The Russian state group APT29 exploited the same vulnerability to attack various organizations and government agencies worldwide. Reportedly, the APT29’s attacks were meant to steal victims’ credentials by fake multifactor authentication (MFA) prompts.
Microsoft`s Response to Reported Teams Phishing Attacks
Microsoft announced they have enhanced their security mechanisms:
Microsoft takes these phishing campaigns very seriously and has rolled out several improvements to better defend against these threats.
Consequently, the following measures are now in place:
- Microsoft suspended the identified accounts and tenants that are related to inauthentic or fraudulent behavior
- The company enforced enhancements to the Accept/Block experience in Teams` one-on-one chats. A Teams user will be able to see if a message comes from an external user and stop any interaction with a malicious actor.
- Microsoft enforced new restrictions on the creation of domains.
Microsoft is planning further security measures that are meant to protect customers from phishing attacks.
Additionally, Microsoft issued a series of safety recommendations for their users that include:
- Use Microsoft 365 Defender to detect Storm-0324 activity and limit its potential impact on networks,
- Apply the principle of least privilege,
- Apply credentials safety best practices,
- Enforce phishing-resistant authentication methods for users,
- Use advanced ransomware prevention measures.
Heimdal`s Safety Recommendations for Ransomware Prevention
Ransomware attacks continue to be a serious threat for companies and organizations. Here is a ransomware prevention measures checklist for Security Admins worldwide:
- Use end-to-end encryption,
- Use strong passwords,
- Never miss a patch,
- Back-up data regularly, on different platforms,
- Implement a zero-trust policy,
- Beware of phishing attempts. Train employees to identify a phishing email or another malicious message.
- Enforce network segmentation.