Although the likes of Telegram, the secure messenger service with 400 million users, has confirmed it is moving into the video chat space, the most immediate threat to the dominance of Zoom is Microsoft Teams. Especially when it comes to doing business during the work from home transition for so many employees worldwide. This should come as no great surprise, given that the number of daily active users jumped from 44 million to 75 million across just two weeks at the end of March.
A new report reveals how security researchers have observed thousands of cloned Microsoft Team login pages being used in an attempt to harvest account passwords.
As Zoom users turn to Microsoft Teams, cybercriminals are never far behind
At the same time that increasing numbers of prominent organizations have been announcing bans on the use of Zoom, somewhat unfairly in my never humble opinion, so many have been turning to Microsoft Teams instead. This doesn’t necessarily mean they are off the cyber-hook when it comes to being attack targets.
Hot on the heels of a report on how Microsoft Teams users were vulnerable to a malicious GIF that could have stolen account data, comes this news of another security threat to those looking for an alternative to Zoom.
Multi-pronged Microsoft Teams impersonation attack uncovered
The discovery by researchers from Abnormal Security reveals what it says is a multi-prong Microsoft Teams impersonation attack. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert dated April 29, warning of just such attack methodology uptick given the speed of deployment as organizations migrate to Microsoft Office 365 during the COVID-19 lockdown. That alert warned how such “hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.”
In the case of the attacks seen by Abnormal Research, however, neither security configurations nor vulnerabilities in Microsoft Teams were at fault. Instead, what they observed were convincingly-crafted emails impersonating the automated notification emails from Microsoft Teams. The aim, simply to steal employee Microsoft Office 365 login credentials.
50,000 Microsoft Teams users already targeted
To date, the researchers report that as many as 50,000 users have been subject to this attack as of May 1. This is far from your average phishing scam, however, and comes at precisely the right time to fool already stressed and somewhat disoriented workers. Instead of the far more commonly used “sort of look-alike” alerts and notifications employed by less careful cybercriminals, this new campaign is very professional in approach. “The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider,” the researchers said.
Attackers take a leaf from the stimulus package fraud playbook
The attackers are also using newly-registered domains that are designed to fool recipients into thinking the notifications are from an official source. I recently reported how this tactic is being used by cybercriminals looking to defraud U.S. citizens waiting for their stimulus package payments to arrive. No less than 712 malicious or suspicious stimulus package domains had been registered. Abnormal Security researchers gave the example of a fraudulent domain registered in Panama that included both “SharePoint” and “IRS” in the name to give that air of authenticity to the Microsoft Teams notification email.
Microsoft Teams credential-stealing payload revealed
As far as the credential-stealing payload is concerned, this is delivered in an equally meticulous way. With multiple URL redirects employed by the attackers, concealing the real hosting URLs, and so aiming to bypass email protection systems, the cybercriminals will eventually drive the user to the cloned Microsoft Office 365 login page.
An example of one such attack was given by the researchers where a document link was provided, that document being located at an unwary email marketing provider site. Within the document was an image asking the reader to log in to Microsoft Teams. Click on the image, and they are deposited at the cloned login page. Another example involved a link hosted on YouTube that redirected twice before landing on the malicious Microsoft Teams credential-stealing site.
“Recipients would be hard-pressed to understand that these sites were set up to misdirect and deceive them to steal their credentials,” Abnormal Security said, “given the current situation, people have become accustomed to notifications and invitations from collaboration software providers.”
