Abnormal Attack Stories: Microsoft Teams Impersonation - Abnormal Security

Abnormal Attack Stories: Microsoft Teams Impersonation

Attackers have been impersonating notifications from Microsoft Teams in order to steal the credentials of employees. Recently, Microsoft Teams has seen one of the largest increases in users as a result of the shift to remote work given the ongoing COVID-19 pandemic.

Quick Summary

  • Platform: Microsoft Office 365
  • # Mailboxes: 15,000 to 50,000
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation Email

What was the attack?

Setup: Since the onset of the COVID-19 outbreak and the shift to remote work, there has been a remarkable increase in the usage of collaboration software. This particular attack impersonates Microsoft Teams, one of the leading collaboration software tools in widespread use.

Email Attack: These attackers crafted convincing emails that impersonate automated notification emails from Microsoft Teams. The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider. In one of the attacks, the sender email originates from a recently registered domain, “sharepointonline-irs.com”, which is not associated to either Microsoft or the IRS. 

Payload: Attackers utilize numerous URL redirects in order to conceal the real URL used that hosts the attacks. This tactic is employed in an attempt to bypass malicious link detection used by email protection services:

In one attack, the email contains a link to a document on a domain used by an established email marketing provider to host static material used for campaigns. Within this document there is an image urging the recipient to log in to Microsoft Teams. Once the user clicks this image, the URL takes the recipient to a compromised page which impersonates the Microsoft Office login page.

In the other attack, the URL redirect is hosted on YouTube, then redirected twice to the final webpage which hosts another Microsoft login phishing credentials site.

  • Result: Should the recipient fall victim to this attack, this user’s credentials would be compromised. Additionally, since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single-sign on. 

Why is this attack effective?

  • Convincing Email and Landing Page: The email and landing page the attackers created were convincing. The webpages and the links the email direct to are visually identical to legitimate Microsoft Teams and Microsoft login pages. Recipients would be hard-pressed to understand that these sites were set up to misdirect and deceive them to steal their credentials.
  • Timing: Given the current situation, people have become accustomed to notifications and invitations from collaboration software providers. Because of this, recipients might not look further to investigate the message.
  • Urgency: A recipient may feel more compelled to quickly login to access the page because of the urgency felt when contacted by a coworker.

About

Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content