On the evening of October 22, 2020, researchers released information on a new phishing attack impersonating an automated email from Microsoft Teams to pilfer user login credentials associated with Office 365. This campaign targets users that have established an account to use Microsoft Teams, which is a proprietary business communications platform that was introduced by Microsoft in 2018.
During the pandemic, use of Microsoft Teams is on the rise. Additionally, of the estimated millions of Office 365 users, research firm Abnormal Security has indicated that 15,000 to 50,000 user accounts could be affected during this campaign.
The adversaries steal credentials through this email phishing attack as follows:
A message is sent to the victim with the display name in the subject header “There’s new activity in Teams,” giving it the appearance of a legitimate automated notification from Microsoft Teams. A subsequent notification indicates that the user’s team members have been trying to reach them and urges the user to click the “Reply in Teams” link. This creates the urgency frequently used to unsettle victims, and clicking the link launches the phishing page. Once on the page, the user is asked to enter an email and password; a user who follows this instruction has fallen for the attack. The attackers can then capture the login credentials, as well as any information stored in the user’s accounts. The adversary has spoofed employees’ emails and also impersonated Microsoft Teams.
Since Microsoft Teams is an instant messaging service, users are more likely to respond when a notification tells them they have missed messages. The page linked from those messages mirrors the Microsoft Teams page closely, and its URL even includes the text “microsoftteams”, which lends it further implied credibility. Extra caution should be used in reacting to emails and messages to avoid falling for this type of attack.
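The two indicators described above (the Teams notification wording arriving from a sender outside Microsoft, and “microsoftteams” appearing in a link whose host is not Microsoft's) can be checked automatically at the mail gateway or during triage. The following is an added example, not code from the researchers or the E-ISAC; the trusted-domain list, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains this organisation accepts for genuine Teams mail and links.
TRUSTED_DOMAINS = ("microsoft.com", "office.com")
LURE_TEXT = "there's new activity in teams"  # wording quoted in the advisory
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def _norm(text):
    return str(text).replace("\u2019", "'").strip().lower()

def teams_lure_findings(raw_message):
    """Return the reasons a raw RFC 5322 message matches the lure described above."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(str(msg.get("From", "")))
    findings = []
    # Notification wording in the display name or subject, sent from an untrusted domain.
    if LURE_TEXT in (_norm(display), _norm(msg.get("Subject", ""))):
        if not _trusted(addr.rpartition("@")[2]):
            findings.append("teams-wording-from-untrusted-sender")
    # "microsoftteams" anywhere in a link whose host is not a trusted domain.
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    body = "".join(p.get_payload(decode=True).decode(errors="replace") for p in parts)
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if "microsoftteams" in url.lower() and not _trusted(host):
            findings.append("microsoftteams-in-url:" + host)
    return findings

# Constructed sample messages (not taken from the campaign).
PHISH = """From: "There's new activity in Teams" <notify@mail.example.net>
Subject: There's new activity in Teams

Your teammates are trying to reach you.
Reply in Teams: https://microsoftteams.example.net/login
"""
BENIGN = """From: "Microsoft Teams" <noreply@email.teams.microsoft.com>
Subject: There's new activity in Teams

Reply in Teams: https://teams.microsoft.com/l/message/0
"""
```

Calling `teams_lure_findings(PHISH)` returns both findings, while `teams_lure_findings(BENIGN)` returns an empty list because the sender and link host fall under the trusted domains.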
Abnormal Security has reported similar techniques in May of this year.
The E-ISAC has not established a specific threat to the electricity community based upon this attack at the moment. However, if a member experiences adversarial action based upon this information, or any other vulnerability, contact the E-ISAC Watch Operations Team and create a Portal Post for instant community awareness.
ThreatPost: Microsoft Teams Phishing Attack Targets Office 365 Users
SC Magazine: Notification emails impersonate Microsoft Teams to steal credentials
SC Magazine: Attackers prey on Microsoft Teams accounts to steal credentials
Abnormal Security: Microsoft Teams Impersonation