Impersonation Attacks Targeting Microsoft Teams

With initial security concerns surrounding Zoom, and Google Meets not publicly available (this is now free and has reported 50 million installs on the Play Store), Microsoft Teams emerged as one of the most popular collaboration tools used by organizations during the COVID-19 pandemic. Microsoft reported an increase from 32 million daily active users to 44 million in a one-week timespan in March and a new daily record of 2.7 billion meeting minutes in their April usage blog, a 200% increase from the early stages of the pandemic in mid-March. 

As with any popular software with a large user base, Teams quickly became a prime target for cyber criminals who continue to attack vulnerabilities due to the changes in how and where we work during the pandemic. Threatpost reports that two attacks have targeted nearly 50,000 different Teams users attempting to steal employee credentials through impersonation campaigns. The attack strategy itself has been around for some time and follows the simple steps of sending an impersonation email with a malicious link to a fake landing page built to capture credentials or download malware. So if we are aware of these types of attacks, why do they continue to happen? The answer is simple, they work. Unlike most phishing campaigns that can easily be spotted (yes, the Nigerian prince still needs our help), these campaigns are built around strategic timing, carefully crafted landing pages and urgency.

Teams users are now used to receiving email notifications about being added to a team or with meeting links, and the landing pages look identical to the legitimate pages with imagery copied directly from Microsoft. When comparing legitimate and fraudulent sites, the differences can sometimes be near impossible to find. In addition to mimicking visuals (i.e. fonts, buttons, colors), these attacks may use multiple URL redirects to bypass email security software. Add in the use of fraudulent domains for the pages and sender addresses, and you can see how even the best employees may fall for the attack. The risk is multiplied when you take into consideration that stolen credentials for Teams can lead to a larger breach of the other Office 365 apps used by your end users and organization.

In an effort to raise awareness of potential security concern surrounding Office 365, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Office 365 Remote Work-Deployments in April and an analysis report in May on Microsoft Office 365 Security Observations with an overview of common vulnerabilities and best practices, including multi-factor authentication and enabling alerting capabilities.

Impersonation campaigns such as this are just one of the security threats facing remote workers today. To learn more about other critical considerations and best practices to keeping a disparate workforce and your data secure, download our Securing a Remote Workforce whitepaper or contact our team at [email protected].

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services, including Office 365 security assessments, penetration testing, intrusion prevention/detection review, vulnerability assessments and a robust digital forensics and incident response team, who are available around-the-clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident. Learn more at www.schneiderdowns.com/cybersecurity.