Microsoft revealed a shift in tactics by an initial access broker known for its ties to ransomware groups. The threat actor, known as Storm-0324, formerly spread Sage and GandCrab ransomware. Storm-0324 recently moved from deploying ransomware to breaching corporate networks through Microsoft Teams phishing attacks.

More about the Teams Phishing Attacks

Microsoft stated that Storm-0324 started distributing malicious links through Teams. The links redirect unsuspecting victims to SharePoint-hosted files. This change of tactics is allegedly based on an open-source tool known as TeamsPhisher. Attackers use TeamsPhisher to bypass file restrictions for external users and send harmful attachments to Teams users.

Security researchers claim that Storm-0324 is exploiting a known vulnerability within Microsoft Teams. Allegedly, the company did not fix the flaw, claiming that its risk level did not require immediate servicing.

The Russian state group APT29 exploited the same vulnerability to attack various organizations and government agencies worldwide. Reportedly, APT29’s attacks were meant to steal victims’ credentials through fake multifactor authentication (MFA) prompts.

Microsoft's Response to Reported Teams Phishing Attacks

Microsoft announced they have enhanced their security mechanisms:

Microsoft takes these phishing campaigns very seriously and has rolled out several improvements to better defend against these threats.

Consequently, the following measures are now in place:

  • Microsoft suspended the identified accounts and tenants that are related to inauthentic or fraudulent behavior.
  • The company enforced enhancements to the Accept/Block experience in Teams' one-on-one chats. A Teams user will be able to see if a message comes from an external user and stop any interaction with a malicious actor.
  • Microsoft enforced new restrictions on the creation of domains.

Microsoft is planning further security measures that are meant to protect customers from phishing attacks.

Additionally, Microsoft issued a series of safety recommendations for their users that include:

Heimdal's Safety Recommendations for Ransomware Prevention

Ransomware attacks continue to be a serious threat for companies and organizations. Here is a ransomware prevention measures checklist for Security Admins worldwide:


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
