Microsoft Teams Impersonated in Office 365 Phishing Attack

Attackers often impersonate well-known brands, and Microsoft is typically one of the most impersonated, given that access to any Microsoft account opens the possibility of accessing ongoing email threats, sensitive documents, and other Microsoft programs. In addition, Microsoft Teams has seen a massive increase in users as a result of the shift to remote work given the ongoing COVID-19 pandemic. In a recent attack, the chat platform was impersonated in a credential phishing attack, attempting to steal Office 365 login credentials.

Summary of Attack

  • Platform: Microsoft Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation Email

About the Microsoft Teams Impersonation Attack

Since the onset of the COVID-19 outbreak and the shift to remote work, there has been a remarkable increase in the usage of collaboration software. This particular attack impersonates Microsoft Teams—one of the leading collaboration software tools in widespread use.

These attackers crafted convincing emails that impersonate automated notification emails from Microsoft Teams. The landing pages that host both attacks look identical to the real web pages, and the imagery used is copied from actual notifications and emails from this provider.

Within the email, attackers utilize numerous URL redirects in order to conceal the real URL that hosts the attack. This tactic is employed in an attempt to bypass malicious link detection used by legacy email protection services. After clicking on a link, there is an image urging the recipient to log in to Microsoft Teams. Once the user clicks this image, the URL takes the recipient to a compromised page which impersonates the Microsoft Office login page.

In a separate attack impersonating Microsoft Teams, the sender email originates from a recently registered domain, “sharepointonline-irs.com”, which is not associated with either Microsoft or the IRS. The URL redirect is hosted on YouTube, then redirected twice to the final webpage, which hosts another phishing credentials site mimicking the Microsoft login page.

Should the recipient fall victim to either of these attacks, their Microsoft credentials would be compromised. Since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single-sign-on.

Why the Microsoft Teams Attack is Effective

The emails impersonating Microsoft Teams and the landing pages the attackers created were all extremely convincing. The webpages and the links within the email are visually identical to legitimate Microsoft Teams and Microsoft login pages, so recipients would be hard-pressed to understand that these sites were set up to misdirect and deceive them to steal their credentials

Furthermore, given the current situation, people have become accustomed to notifications and invitations from collaboration software providers. Because of this, recipients might not look further to investigate the message.

Curious how Abnormal Security stops these and other brand impersonation attacks? Request a demo to learn more.

Related Posts

Blog customer communications leads to product innovation
Learn how customers have influenced the latest round of product enhancements to better protect your organization from email-borne threats.
Read More
Blog attack detection efficacy cover
Abnormal’s relentless pursuit of innovation significantly improves the detection efficacy of hidden payloads in emails by an additional 5%.
Read More
Blog mnru cover
Estimating both the time and cost to complete a task has been a continual challenge for engineering teams as long as I’ve been working in industry. Coordinating the complex interactions and execution task sequencing across multiple tasks and people is a complex, ever-evolving challenge, and one that most teams struggle with daily.
Read More
Blog what do phishing emails cover
Phishing attacks are on the rise; the FBI reports that such attacks cost $54 billion in 2020, and phishing complaints increased by a whopping 110% from 2019 to 2020. If you're one of the many people targeted by a phishing email, you're not alone.
Read More
Blog holiday scams cover
We've arrived at that time of year—a time for reflection and celebration and spending time with family, and also that time of year where the cyber grinches hope to spoil the holiday fun.
Read More
Log4j email blog cover
Over the last few days, Abnormal has successfully blocked multiple attempts by attackers to deliver emails similar to these to our customers’ unsuspecting end users.
Read More
Blog securitry privacy cover
Customers place tremendous trust in Abnormal to protect them from the full spectrum of attacks when they provide us access to the email stored in Microsoft 365 or Google Workspace. To that end, we’re focused on protecting your data and building your trust.
Read More
Blog podcast role cto
Tim Tully, Partner at Menlo Ventures, grew up in Silicon Valley, where a love for coding was kindled in him. Tim is a technologist to the core, which innately led him to become an elite technical leader at companies like Splunk and Yahoo.
Read More
Blog canadian visa cover
Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
Read More
Automate abuse mailbox cover
Managing and monitoring an Abuse Mailbox can be a significant pain point for IT security teams, particularly large organizations with thousands of employees.
Read More
Blog calendar invite attack cover
Meeting invites are one of the most common types of emails sent today, so it should come as no surprise that attackers have found a way to manipulate them. Scores of recipients that utilize Abnormal Security recently received emails that contained a .ics attachment—an invitation file commonly used to populate online calendar applications with meeting and event information.
Read More
Blog saving memory python cover
At a hyper-growth startup, a solution from six months ago will unfortunately no longer scale. The business is growing rapidly, and this traffic to this service in particular was growing at an unprecedented rate. We hit a point where it needed re-architecting to support 10x the current scale.
Read More