Microsoft Teams Phishing Used By Ransomware Access Broker for Corporate Breaches

In the ever-evolving landscape of cybersecurity threats, a new chapter has unfolded as financially motivated threat group Storm-0324, known for its collaboration with ransomware gangs, has shifted its focus to Microsoft Teams phishing attacks to infiltrate corporate networks. This development marks a concerning trend in cybercrime, prompting tech giant Microsoft to issue warnings and countermeasures against this emerging threat.

The Shapeshifting Storm-0324

Storm-0324 also recognized as TA543 and Sagrid, has earned a notorious reputation for acting as an initial access broker in the cybercriminal underworld. This role involves infiltrating victim systems and selling access to these compromised networks to other malicious actors, frequently resulting in devastating ransomware attacks. Storm-0324’s track record includes distributing a wide array of malware payloads, such as JSSLoader, and granting access to ransomware groups like Sangria Tempest, Carbon Spider, ELBRUS, and FIN7.

The Microsoft Teams Phishing Scam

In a surprising twist, Storm-0324 initiated a campaign in July 2023 that leverages Microsoft Teams as a platform for phishing attempts. The Microsoft Teams phishing scam involves sending phishing lures through Teams chats, enticing corporate employees to click on malicious links leading to SharePoint-hosted files. The group reportedly utilizes an open-source tool called TeamsPhisher to facilitate these Microsoft Teams Phishing attacks, allowing them to send attachments to external tenants within Teams.

The Human Factor

One of the critical challenges posed by these Microsoft Teams Phishing attacks is the element of trust associated with Microsoft Teams. Employees often view this platform as an internal communication tool, making them more susceptible to opening and engaging with documents received in chats. This human factor makes these Microsoft Teams Phishing attacks particularly effective, as individuals tend to let their guard down within the confines of a familiar platform.

Microsoft’s Vigilant Response

Microsoft has not taken this threat lightly. The company swiftly suspended accounts and tenants linked to fraudulent behavior and enacted a series of security enhancements to protect its customers. To further mitigate the risk of Teams-based phishing attacks, Microsoft has recommended several proactive measures:

1. Restrict External Communications: Define which external domains can chat within your organization, limiting contact to trusted Microsoft 365 organizations.
2. Device Management: Allow only known devices adhering to Microsoft’s security baselines to connect to Microsoft Teams. Implement conditional access app control for users connecting from unmanaged devices.
3. User Education: Provide employees with ongoing education on social engineering and credential phishing tactics within Teams. Encourage using features like verifying ‘external’ tagging on communication attempts from external entities.
4. Safe Links Scanning: Configure Microsoft Defender for Office 365 to recheck links upon clicking. This should complement regular anti-spam and anti-malware protection in inbound email messages.
5. Access Management: Embrace the principle of least privilege and avoid using domain-wide, administrator-level service accounts. Pilot and deploy phishing-resistant authentication methods for users.

The Broader Ransomware Landscape

This latest development is part of a broader surge in ransomware attacks observed in 2023. Security agencies have noted that many incidents, including the Microsoft Teams Phishing attacks, stem from poor cyber hygiene and opportunistic attacks rather than sophisticated techniques. The ransomware landscape continues to evolve, with cybercriminals adapting and finding new avenues of exploitation, underscoring the critical importance of proactive cybersecurity measures and user education.

As the battle between cybersecurity experts and cybercriminals rages on, organizations must remain vigilant, adaptable, and well-informed to protect their digital assets in an ever-changing threat landscape. Microsoft’s response to the Storm-0324 threat serves as a reminder that collaboration and innovation are essential weapons in this ongoing struggle for digital security. Phishing attacks, like the Microsoft Teams Phishing attacks, are the most common methods threat actors use to harvest legitimate credentials.

SpearTip offers phishing training as mitigation to enhance skills related to defending against these threats. The exercise tests the discernment of companies’ teams, educates employees regarding common phishing tactics and indicators, and identifies related security gaps in their environment. Our team creates phishing email simulations like those threat actors use and sends them throughout the organizations. We provide insight and feedback to improve the cyber defenses of their teams, leading to a profound decrease in the likelihood of being victimized by phishing scams. After the training, our team provides precise and thorough strategies to harden their environments and implement ongoing awareness training. By providing cybersecurity awareness training, companies, and their employees can better understand the risks of the cyber landscape and develop impactful cybersecurity practices that reduce the likelihood of cyberattacks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.