Microsoft Teams Phishing Attacks

TorchLight Security Operations Center continues to hear about Microsoft Teams as the vector to social engineering, phishing and spearphishing attempts by hackers. Given the volume of noise, we thought we’d publish what we know and how to defend against these attacks.

A Russia-based threat actor, along with several much smaller actors, has attempted to bypass normal security processes and create a sense of urgency with users in an effort to push people away from what their security training taught them. We’ve seen several different ways the threat develops, but these themes remain throughout:

1 – A flood of emails to overwhelm a user’s email inbox
2 – Threat actors reach out to the affected user

This is where we see the split in behavior. Older infections (2023-2024) originated with phone calls to instruct the user to download specific IT Help Desk software (AnyDesk and/or Windows Quick Assist). Once logged in, the hackers deploy scripts to encrypt local data and then move laterally within the network to find additional vulnerabilities.

The other payload deployment method, which appears to be new, uses Microsoft Teams. Instead of calling, the threat actors now use the Teams chat functionality to reach out to affected users. The hackers impersonate the IT help desk, ask the user to bypass normal security operating procedures, and try to trick users into compliance with ‘hurry, move fast, don’t think’ tactics.

Here are a few examples of domains that have attempted to reach out via Teams:
securityadminhelper.onmicrosoft[.]com
supportserviceadmin.onmicrosoft[.]com
supportadministrator.onmicrosoft[.]com
cybersecurityadmin.onmicrosoft[.]com

Mitigations for this type of attack do exist. They include blocking third-party domains from being able to create chats with employees inside of Teams, and configuring third-party chat requests so that they can only come from trusted domains.
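One way to apply both mitigations with the Microsoft Teams PowerShell module, as an added example that is not TorchLight's or Microsoft's own script: the trusted domain names are placeholders, and the cmdlet parameters are used as documented for the MicrosoftTeams module, so confirm the resulting settings in the Teams admin center for your tenant.

```powershell
# Added example: restrict Teams external access to an allow list of trusted domains.
# Assumes the MicrosoftTeams module is installed and you hold a Teams admin role.
Connect-MicrosoftTeams

# 1. Review the current (weak) state. A tenant that allows all external domains
#    lets any *.onmicrosoft.com tenant, including attacker-created ones, start a chat.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                        AllowPublicUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Build the allow list. Placeholder domains: replace with partners you actually trust.
#    Setting AllowedDomainsAsAList replaces the whole list, so include every trusted domain.
$trusted = New-Object System.Collections.Generic.List[string]
$trusted.Add("partner-one.example")
$trusted.Add("partner-two.example")

# 3. Keep federation on, but only for the domains above. Everything else, including the
#    look-alike "support"/"security" tenants seen in this campaign, can no longer chat in.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $trusted

# 4. Close the other inbound paths: personal Teams accounts and Skype consumer users.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 5. Verify. AllowedDomains should now list only the trusted entries.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowPublicUsers,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Changes can take some time to propagate; pair the configuration change with a reminder to users that the internal help desk never initiates contact through an external Teams tenant.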

A variation of this attack comes from an already compromised MS Teams account outside of your organization. The hackers reach out to the end user in an attempt either to get the token code from the 2FA application or to have the user press Yes on the prompt to approve the login. Once this access is granted, the hackers have a toehold in your environment.

We encourage all system administrators and our primary points of contact to spend a few minutes this week updating your team on these new and emerging threats. If you experience something suspicious, or something just doesn’t feel right, slow down, gather your thoughts and then reach out to us at 833-761-0695.

For our customers utilizing our Managed Security Services, we have already identified the infected domains via threat intelligence and your systems have been hardened to prevent unauthorized access to Teams from the infected domains.

Microsoft has been following this threat; here’s the link to their research.