Microsoft said it planned to roll out new — but unspecified — anti-phishing defenses for Teams users as it revealed another threat actor was targeting the platform.
Dropping malicious payloads via Teams messages has become an increasingly popular attack vector for threat actors in recent months. Microsoft said it had taken a number of steps to mitigate the attacks and would continue to do so.
In a Sept. 12 post, the company’s threat intelligence team said a group it tracks as Storm-0324 began sending Teams messages containing malicious links in July, most likely taking advantage of a newly available red-teaming tool called TeamsPhisher.
TeamsPhisher automates the delivery of a malicious payload, which appears as a downloadable file, to multiple Teams users’ inboxes.
Microsoft said Storm-0324, which overlaps with the threat groups tracked as TA543 and Sagrid, manages a malware distribution chain, delivering other attackers’ payloads via phishing messages and exploit kits. The group is known for using traffic distribution systems such as BlackTDS to evade detection.
Storm-0324 also distributes JSSLoader malware, which is used by the ransomware gang FIN7 (also known as Sangria Tempest, Elbrus and Carbon Spider). Storm-0324 typically lures victims with fictitious invoices and payment demands while impersonating services such as DocuSign and QuickBooks.
“Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload,” Microsoft said.
The lure document was sometimes protected to make it appear more authentic.
“By adding the security code or password in the initial communications to the user, the lure document may acquire an additional level of believability for the user. The password also serves as an effective anti-analysis measure because it requires user interaction after launch.”
Teams attacks on the rise
Storm-0324 is among a growing number of threat groups to show an interest in targeting Teams users as organizations harden their security measures related to email and other traditional attack vectors.
Last month, Microsoft revealed advanced persistent threat group APT29 (also tracked as Midnight Blizzard, Cozy Bear and UNC2452) had used compromised Microsoft 365 tenants to send Teams messages masquerading as IT support staff communications.
The gang attempted to steal account credentials by luring victims into approving multi-factor authentication prompts. Microsoft said the APT29 and Storm-0324 campaigns were not related.
Last week Truesec reported DarkGate malware was being distributed through another phishing campaign using compromised Microsoft Teams accounts.
The various phishing campaigns have been possible because Teams’ default external access (federation) settings allow chat and meeting connections from accounts in any external Microsoft 365 organization.
In its latest post, Microsoft repeated its earlier advice that, where possible, customers should restrict external collaboration to an allow list of trusted outside organizations. It also recommended educating users about social engineering and credential phishing attacks.
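The following is an added example, not code from the article or from Microsoft’s post, showing how a Teams administrator would apply that advice with the MicrosoftTeams PowerShell module: replace open federation with an explicit allow list of trusted partner domains, and separately close the Teams personal (consumer) account path, which the domain allow list does not cover. The partner domain names are placeholders.

```powershell
# Added example: restrict Teams external access (federation) to an allow list.
# Requires the MicrosoftTeams module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams   # interactive sign-in

# 1. Record the current tenant federation settings so the change can be reviewed or reverted.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowedDomains, BlockedDomains | Format-List

# 2. Build the allow list. Once an allow list is in place, chats and meeting
#    invitations from every other external tenant are refused, which closes the
#    open-federation path that the campaigns described above relied on.
$trusted  = @('partner-one.example', 'partner-two.example')   # assumed placeholders
$patterns = foreach ($d in $trusted) { New-CsEdgeDomainPattern -Domain $d }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# 3. Teams personal accounts are governed by separate switches, not by the domain
#    allow list, so block them explicitly unless the business needs them.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 4. Verify: AllowedDomains should list only the trusted domains and the consumer
#    switches should read False. Allow time for the change to propagate across the tenant.
$after = Get-CsTenantFederationConfiguration
$after.AllowedDomains
$after | Select-Object AllowTeamsConsumer, AllowTeamsConsumerInbound | Format-List
```

To add or remove a single partner later without rebuilding the whole list, `Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add="new-partner.example"}` (or `@{Remove=...}`) edits the existing allow list in place. Setting an allow list does not by itself prevent a user from accepting a chat from a domain that is already on it, so the user-awareness guidance in the post still applies.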
Microsoft said it had suspended accounts associated with fraudulent behavior, added new restrictions on domain creation and improved notifications to administrators when new domains are created.
“We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders,” the post said.