Abnormal Security Finds phishing emails Designed to Spoof Notification Messages from Microsoft Teams

• Attackers are exploiting the surge in the use of Microsoft Teams in an attempt to trap unsuspecting users, says Abnormal Security.

• Since Microsoft Teams is linked to Microsoft 365 and Office 365, any credentials stolen in the scam could be used to sign into other Microsoft accounts and services.

• The landing pages that host the phishing pages were created to look just like the real Microsoft pages.

Cybercriminals have been taking advantage of virtually every aspect of the coronavirus to try to increase business. Among other consequences, the need to quarantine and work from home has triggered a surge in demand for virtual meeting and video chatting apps, including the business-oriented Microsoft Teams. A new phishing campaign discovered by security provider Abnormal Security is exploiting the greater use of Teams as a way to hijack Microsoft account credentials.

The first campaign started on April 14 and went on for two days but hasn't been since since, according to Kenneth Laio, vice president of Cybersecurity Strategy at Abnormal Security. The second campaign began on April 29, lasted a few hours, and has not been recorded since then. The phishing emails were sent to Abnormal customers in such industries as energy, retail, and hospitality, Laio said. However, the attacks weren't targeted to any specific company or industry and, in fact, were designed in a generic way so they could be launched against anyone.

The landing pages that host the phishing pages were created to look just like the real Microsoft pages. The images were copied from actual Microsoft notifications and emails, according to Abnormal Security. Plus, the sender email comes from a domain called "sharepointonline-irs.com," which may look legitimate at first glance, but is not registered either by Microsoft or the IRS.

Learn more: THE TIME HAS COME TO BRING IN AI, MACHINE LEARNING AND AUTOMATION IN CYBERSECURITY.
 

We would advise organizations and their employees to double-check the sender name and address for messages or notifications coming from Microsoft Teams.

~ Kenneth Laio, vice president Abnormal Security

The images can be especially convincing on a mobile device where they take up most of the content on the screen. Further, users who are accustomed to notifications from Microsoft and other vendors might fail to investigate the messages and simply take the bait. Since Microsoft Teams is linked to Microsoft 365 and Office 365, any credentials stolen in the scam could be used to sign into other Microsoft accounts and services. To help organizations defend themselves and their employees from these Microsoft Teams phishing scams, Laio offers two pieces of advice.

The phishing emails were sent to Abnormal customers in such industries as energy, retail, and hospitality, However, the attacks weren't targeted to any specific company or industry.

~ Laio said

"We would advise organizations and their employees to double-check the sender name and address for messages or notifications coming from Microsoft Teams," Laio said. "For both campaigns, the sender names are innocuous ('chat content' and 'work flow'), but the email addresses that they are sent from have no relation to Microsoft, Microsoft Teams, or the organization itself.

"In addition, we would advise everyone to always double check the web page's URL before signing in. Attackers will often hide malicious links in redirects or host them on separate websites that can be reached by safe links. This allows them to bypass link scanning within emails by traditional email security solutions.

Learn more: CORONAVIRUS MALWARE ROUNDUP: WATCH OUT FOR THESE SCAMS.