Impersonation Attacks Targeting Microsoft Teams

With initial security concerns surrounding Zoom, and Google Meet not yet publicly available (it is now free and has reported 50 million installs on the Play Store), Microsoft Teams emerged as one of the most popular collaboration tools used by organizations during the COVID-19 pandemic. Microsoft reported an increase from 32 million daily active users to 44 million in a one-week timespan in March and a new daily record of 2.7 billion meeting minutes in its April usage blog, a 200% increase from the early stages of the pandemic in mid-March.

As with any popular software with a large user base, Teams quickly became a prime target for cyber criminals, who continue to attack vulnerabilities created by the changes in how and where we work during the pandemic. Threatpost reports that two attacks have targeted nearly 50,000 different Teams users in an attempt to steal employee credentials through impersonation campaigns. The attack strategy itself has been around for some time and follows simple steps: send an impersonation email with a malicious link to a fake landing page built to capture credentials or download malware. So if we are aware of these types of attacks, why do they continue to happen? The answer is simple: they work. Unlike most phishing campaigns that can easily be spotted (yes, the Nigerian prince still needs our help), these campaigns are built around strategic timing, carefully crafted landing pages and urgency.

Teams users are now used to receiving email notifications about being added to a team or containing meeting links, and the landing pages look identical to the legitimate pages, with imagery copied directly from Microsoft. When comparing legitimate and fraudulent sites, the differences can sometimes be nearly impossible to find. In addition to mimicking visuals (e.g., fonts, buttons, colors), these attacks may use multiple URL redirects to bypass email security software. Add in the use of fraudulent domains for the pages and sender addresses, and you can see how even the best employees may fall for the attack. The risk is multiplied when you take into consideration that stolen credentials for Teams can lead to a larger breach of the other Office 365 apps used by your end users and organization.
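The three signals described above (a sender domain that does not match the brand, a chain of redirects, and a landing page on a fraudulent domain) can be checked mechanically. The following is an added example, not part of the original article: the domain allowlist, the hop threshold, the message fields and all sample data are assumptions constructed for illustration, and redirects are resolved from an offline map rather than over the network.

```python
from urllib.parse import urlsplit

# Assumption: illustrative, non-exhaustive allowlist of Microsoft-owned domains.
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com"}
MAX_HOPS = 2  # assumed threshold for a suspicious number of redirects

def is_trusted(host):
    """Exact or dot-anchored suffix match; a substring match would be fooled
    by hosts such as teams.microsoft.com.login.example."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def follow_chain(url, redirects, limit=10):
    """Resolve a redirect chain from an offline map {url: next_url}."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= limit:
        nxt = redirects[chain[-1]]
        if nxt in chain:  # guard against redirect loops
            break
        chain.append(nxt)
    return chain

def assess(message, redirects):
    """Return findings for one notification email claiming to be from Teams."""
    findings = []
    sender_host = message["from_addr"].rsplit("@", 1)[-1]
    claims_teams = "teams" in (message["display_name"] + message["subject"]).lower()
    if claims_teams and not is_trusted(sender_host):
        findings.append(f"sender-domain-mismatch:{sender_host}")
    for url in message["links"]:
        chain = follow_chain(url, redirects)
        hops = len(chain) - 1
        final_host = urlsplit(chain[-1]).hostname
        if hops >= MAX_HOPS:
            findings.append(f"redirect-chain:{hops}-hops")
        if not is_trusted(final_host):
            findings.append(f"untrusted-landing:{final_host}")
    return findings

# Constructed sample data using the reserved .example TLD (not a real campaign).
REDIRECTS = {
    "https://tracker.example/c?id=1": "https://cdn.example/r/abc",
    "https://cdn.example/r/abc": "https://teams.microsoft.com.login.example/signin",
}
PHISH = {"display_name": "Microsoft Teams", "from_addr": "noreply@teams-notify.example",
         "subject": "You have been added to a team",
         "links": ["https://tracker.example/c?id=1"]}
LEGIT = {"display_name": "Microsoft Teams", "from_addr": "noreply@email.teams.microsoft.com",
         "subject": "You have been added to a team",
         "links": ["https://teams.microsoft.com/l/team/x"]}
```

In a real mail pipeline the redirect map would come from a sandboxed URL resolver, and the allowlist would be maintained from the organization's own tenant configuration.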

In an effort to raise awareness of potential security concerns surrounding Office 365, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Office 365 Remote Work-Deployments in April and an analysis report in May on Microsoft Office 365 Security Observations with an overview of common vulnerabilities and best practices, including multi-factor authentication and enabling alerting capabilities.

Impersonation campaigns such as this are just one of the security threats facing remote workers today. To learn more about other critical considerations and best practices for keeping a disparate workforce and your data secure, download our Securing a Remote Workforce whitepaper or contact our team at cybersecurity@schneiderdowns.com.

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services, including Office 365 security assessments, penetration testing, intrusion prevention/detection review, vulnerability assessments and a robust digital forensics and incident response team, who are available around-the-clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident. Learn more at www.schneiderdowns.com/cybersecurity.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
