Phishing Attacks… in Microsoft Teams??

Staying across the breadth of attack surfaces is more challenging than ever but fortunately I think more people are at least aware of traditional email phishing attacks and are on the alert to suspicious looking emails (even as they become ever more sophisticated). Back in 2017 I shared a great poster around phishing attacks that was modelled off posters in traditional fish and chip shops found in New Zealand:

traditional phishing has seen no slowdown: Proofpoint reported that 83% of organizations experienced a successful email-based phishing attack in 2021 — a massive jump from 57% in 2020. And outside of email, SMS attacks (smishing) and voice-based attacks (vishing) both grew in 2021, as well, according to the email security vendor.

Microsoft Teams is the new frontier for phishing attacks | VentureBeat

It was interesting, therefore, to read a post today about new attacks coming via Microsoft Teams and as always, I encourage you to read the original article in full: Microsoft Teams is the new frontier for phishing attacks | VentureBeat. I will pull out some of the best bits below however.

A big reason attackers are using new vectors like Teams and Slack is that users place a greater level of trust in anything communicated or shared via those platforms, assuming it must be inherently safe because these tools are mostly used internally within the organisation. Unlike email, which is often sent from users outside the organisation, messages and content shared inside Teams are generally (but not always) from other colleagues.

What’s more, attackers are becoming ever more sophisticated and patient in how they construct an attack. On the “What’s Next in Security” webinar from Microsoft that I listened to this morning, one presenter mentioned that some attacks have been built up slowly over a period exceeding 300 days – usually well beyond the length of time many organisations keep verbose security logs. In the VentureBeat article, a complex Teams attack was described in detail:

It happened, Harr said, while the CEO of the customer company was traveling to China. Posing as the CEO, an attacker sent a WhatsApp message to several of the company’s employees, asking them to join a Teams meeting. Once in the meeting, the employees saw a video feed of the CEO, which they didn’t realize had been scraped from a past TV interview. As part of the trick, the attackers had added a fake background to the video to make it appear the CEO was in China, Harr said. But since there was no audio, the “CEO” said that there “must be a bad connection” — and then dropped a SharePoint link into the chat. Posing as the CEO, the attacker told the employees that “‘since I can’t make this work, send me the information on this SharePoint link,’” Harr said. An employee did end up clicking on the malicious SharePoint link — but they were blocked from accessing the page.

Microsoft Teams is the new frontier for phishing attacks | VentureBeat

In some instances, getting access to a user’s credentials is the starting point, as this allows a bad actor to pass themselves off as an employee inside Microsoft Teams. This makes greater protection around identity a key strategy, and Microsoft Defender for Identity is a great starting point for securing and protecting access to a user’s account in the first place. Internal organisational chat tools like Teams, Slack and others are at risk of becoming the new “BEC” – Business Email Compromise – expanding the attack surface beyond traditional email and into newer platforms and mediums that employees like to use.

Therefore, continual education for employees and end users remains critical when it comes to defusing potential threats as more of these rely on social engineering at some level – i.e. the implied trust of a message that comes from another colleague on Teams or Slack. Adopting a Zero Trust approach to security remains a key strategy for organisations to harden their security posture, with the three pillars of this being:

Using Zero Trust principles to protect against sophisticated attacks like Solorigate – Microsoft Security Blog

To learn more about Zero Trust, I encourage you to read Zero Trust – Microsoft Security Blog, which contains multiple blog posts relevant to this topic, but for a simple one-diagram overview you can see:

Zero Trust: Microsoft Step by Step

One thing is certain: bad actors will not give up creating innovative and convincing attacks. It is critical that organisations of all sizes ensure that their security is up to date and that their users are educated about the types of attacks that can come from any vector.

I am always keen to discuss what I've written and hear your ideas so leave a reply here...
