Abnormal Security Finds Phishing Emails Designed to Spoof Notification Messages from Microsoft Teams

Microsoft | May 04, 2020

  • Attackers are exploiting the surge in the use of Microsoft Teams in an attempt to trap unsuspecting users, says Abnormal Security.

  • Since Microsoft Teams is linked to Microsoft 365 and Office 365, any credentials stolen in the scam could be used to sign into other Microsoft accounts and services.

  • The landing pages that host the phishing pages were created to look just like the real Microsoft pages.


Cybercriminals have been taking advantage of virtually every aspect of the coronavirus to try to increase business. Among other consequences, the need to quarantine and work from home has triggered a surge in demand for virtual meeting and video chatting apps, including the business-oriented Microsoft Teams. A new phishing campaign discovered by security provider Abnormal Security is exploiting the greater use of Teams as a way to hijack Microsoft account credentials.

The first campaign started on April 14 and went on for two days but hasn't been seen since, according to Kenneth Laio, vice president of Cybersecurity Strategy at Abnormal Security. The second campaign began on April 29, lasted a few hours, and has not been recorded since then. The phishing emails were sent to Abnormal customers in such industries as energy, retail, and hospitality, Laio said. However, the attacks weren't targeted at any specific company or industry and, in fact, were designed in a generic way so they could be launched against anyone.

The landing pages that host the phishing pages were created to look just like the real Microsoft pages. The images were copied from actual Microsoft notifications and emails, according to Abnormal Security. Plus, the sender email comes from a domain called "sharepointonline-irs.com," which may look legitimate at first glance, but is not registered either by Microsoft or the IRS.



The images can be especially convincing on a mobile device where they take up most of the content on the screen. Further, users who are accustomed to notifications from Microsoft and other vendors might fail to investigate the messages and simply take the bait. Since Microsoft Teams is linked to Microsoft 365 and Office 365, any credentials stolen in the scam could be used to sign into other Microsoft accounts and services. To help organizations defend themselves and their employees from these Microsoft Teams phishing scams, Laio offers two pieces of advice.


"We would advise organizations and their employees to double-check the sender name and address for messages or notifications coming from Microsoft Teams," Laio said. "For both campaigns, the sender names are innocuous ('chat content' and 'work flow'), but the email addresses that they are sent from have no relation to Microsoft, Microsoft Teams, or the organization itself.


"In addition, we would advise everyone to always double check the web page's URL before signing in. Attackers will often hide malicious links in redirects or host them on separate websites that can be reached by safe links. This allows them to bypass link scanning within emails by traditional email security solutions."
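
The two checks Laio describes (sender address and link destination) can be automated at the mail gateway. The following Python sketch is an added example, not code from Abnormal Security or the original article. The trusted-domain sets, the `example.com` organization domain, the `notify` local part and the `landing.example.net` link are assumptions or constructed sample values; only the sender name "chat content" and the domain `sharepointonline-irs.com` come from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions: tune both sets for your tenant; example.com stands in for the org's own domain.
TRUSTED_SENDERS = {"microsoft.com", "example.com"}
TRUSTED_LINKS = {"microsoft.com", "microsoftonline.com", "office.com"}
TEAMS_HINT = re.compile(r"\bteams\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+")

def under_domain(host, trusted):
    """True only for a trusted domain or a subdomain of it (match on a label boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def assess(raw):
    """Return findings for a single-part message that presents itself as a Teams notification."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    if not TEAMS_HINT.search(f"{msg.get('Subject', '')}\n{body}"):
        return []  # not claiming to be Teams: out of scope for this check
    findings = []
    _display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not under_domain(domain, TRUSTED_SENDERS):
        findings.append(f"sender-domain:{domain}")
    for url in URL.findall(body):
        host = urlsplit(url).hostname or ""
        if not under_domain(host, TRUSTED_LINKS):
            findings.append(f"link-host:{host}")
    return findings

# Constructed sample messages (not captured from the campaign).
SPOOFED = """\
From: chat content <notify@sharepointonline-irs.com>
Subject: There's new activity in Teams

Your teammates are trying to reach you in Microsoft Teams.
Reply in Teams: https://landing.example.net/signin
"""
LEGIT = """\
From: Microsoft Teams <noreply@email.teams.microsoft.com>
Subject: You have a new message in Teams

Open the chat: https://teams.microsoft.com/l/message/constructed
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, assess(raw))
```

A clean result on the link check only covers the first hop; as the quote notes, a link on a trusted host can still redirect elsewhere, so the URL shown on the sign-in page itself remains the final check.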

