Microsoft Teams phishing: companies targeted by ransomware access broker

A threat actor known for providing ransomware gangs with initial access to corporate systems has been phishing employees through Microsoft Teams.
“For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher,” Microsoft threat researchers noted.
About Storm-0324
Storm-0324 is a temporary name assigned by Microsoft to this particular threat actor; it indicates that the company has not yet reached a high level of confidence about the origin or identity of the actor behind the operation.
What they do know is that Storm-0324 has been active for over 8 years and has already used email-based exploit kits and vectors to deliver a variety of malware payloads: banking Trojans (Gootkit, Dridex), information-stealing malware (IcedID, Gozi), ransomware (Sage, GandCrab) and Trickbot.
Microsoft claims that Storm-0324 began using phishing lures sent through Teams with malicious links leading to a malicious file hosted on SharePoint in July 2023 – although they do not specify what malicious payload the file carried.
They also noted that this particular phishing campaign is not related to a similar campaign organized by a Russian APT group.
Defending your business against Microsoft Teams phishing and ransomware
“Because Storm-0324 provides access to other threat actors, identifying and remediating Storm-0324 activity can prevent subsequent, more dangerous attacks like ransomware,” the researchers warned, and provided protection tips and hunting queries for enterprise defenders.
Microsoft has previously said that the Microsoft Teams vulnerability that allows these attacks “does not meet the criteria for immediate maintenance.”
But business administrators can take steps to minimize this threat, such as preventing external tenants from contacting their employees or changing security settings to only allow communication with certain authorized domains. (The latter won’t help if an external tenant with permission to contact has been compromised.)
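The two settings described above, expressed as an added PowerShell example (not from the article or from Microsoft's guidance) using the MicrosoftTeams module's tenant federation cmdlets; it assumes a session opened with Connect-MicrosoftTeams under a Teams administrator account, and the partner domain names are placeholders:

```powershell
# Added example: restricting Teams external access so that arbitrary external
# tenants cannot open a chat with employees. Requires the MicrosoftTeams
# PowerShell module and Teams admin rights; domain names are placeholders.
Connect-MicrosoftTeams

# 1. Inspect the current state. A permissive tenant typically shows
#    AllowFederatedUsers = True and AllowedDomains = AllowAllKnownDomains,
#    meaning any external tenant may message staff directly.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains

# 2a. Strictest option: block all external tenants from contacting employees.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Alternative: keep federation enabled but only for an explicit allow
#     list of authorized partner domains (replace the placeholders).
$partnerDomains = @("partner-one.example", "partner-two.example")
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList

# 3. Verify the change took effect. Caveat from the article: an allow list
#    does not help if one of the listed partner tenants is itself compromised,
#    so those partners still warrant the same phishing awareness.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains
```

Run either step 2a or 2b, not both; 2b overwrites the allow list each time it is applied, so include every partner domain in the array.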
Microsoft also notes that it has deployed several improvements to better defend against these threats.
In addition to suspending identified accounts and tenants associated with inauthentic or fraudulent behavior, they also improved the Accept/Block experience in one-on-one chats within Teams, “to highlight the externality of a user and their email address so that Teams users can better exercise caution by not interacting with unknown or malicious senders.”
Additionally, there are “new restrictions on creating domains within tenants and improved notifications to tenant administrators when new domains are created within their tenant.”