A new phishing attack impersonates an automated communications message from Microsoft Teams to steal a corporate user’s login credentials.
Abnormal Security, which disclosed the attack method today in a blog, maintains that Microsoft Teams has become a popular communication tool, particularly during the pandemic, making it an attractive brand for attackers to impersonate.
Here’s how the attack works: The email gets sent from the display name in the subject header, “There’s new activity in Teams,” making it appear like an automated notification from Microsoft Teams. It then notifies the user that their teammates are trying to reach them and urges the recipient to click “Reply in Teams.” This leads to a phishing page.
Within the body of the email, there are three links that function as a lure. They say “Microsoft Teams,” “[contact] sent a message in instant messenger,” and “Reply in Teams.” Clicking on any of these leads to a fake website that impersonates the Microsoft login page.
The phishing page then asks the user to enter their email and password. Should recipients fall victim to this attack, their login credentials as well as any other information stored on their account will be compromised. The attacker spoofed employee emails and also impersonated Microsoft Teams.
According to the Abnormal Security blog, corporate users are more likely to fall prey to this kind of attack when they believe it originates from within the company and also from a trusted brand like Microsoft Teams.
And because Microsoft Teams also functions as an instant messaging service, users are more apt to click to respond quickly to whatever message they think they may have been missed, based on the notification. The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing “microsftteams,” lending further credibility.
This is not the first time Teams has been targeted. Abnormal Security reported a similar technique in May.