The security company Abnormal Security has identified a phishing campaign targeting users of Microsoft Teams which aims to steal the credentials of theOffice 365 ecosystem of business users. What Abnormal Security found was only the latest episode in a wide range of cyber security threats that arose following the spread of the pandemic COVID-19 and the consequent social distancing measures that have led a great deal of the workforce around the world to have to adopt smart working dynamics, with the establishment of new habits.
It would be a particularly effective attack because it is conducted in a very rigorous way, through emails and landing pages carefully created to be identical in fact to legitimate counterparts. Researchers found the use of images copied from the original ones used by Microsoft and the use of a series of recently registered URLs that try to trick the recipient of the phishing email. For example, one of the domains used contains the words SharePoint and IRS, to give the impression of authenticity and to make people believe that the email is part of the official Microsoft Teams notifications.
Microsoft Teams credentials are connected to Office 365: maximum attention!
To lead the victim to the counterfeit login page, the attackers then put in place several instances of redirection so as to try to bypass the link detection countermeasures used by the email protection systems. In an example of an attack, an email keeps a link to a document hosted on a domain used by a well-known email marketing service provider: inside this document there is an image that pushes the victim to log in to Microsoft Teams but once you click on the image, you are led to one hacked page that mimics the Office 365 login page. In another example, however, the redirection hosted on YouTube, and through two further steps leads to the final page that shows another fake login.
If you fall into the trap of the attackers, your account credentials would be compromised and, since Microsoft Teams connected to Office 365, the attackers could have access to other information and resources available with the user's credentials.
The attack is, as mentioned, effective due to the accuracy with which the misleading materials are created, and also for the particular period we are experiencing: with the growth of smart working practices we become a little less attentive to the requests for login, lowering your guard and raising the risk of vulnerability.
