A phishing campaign that impersonates Microsoft Teams notifications in an
effort to trick people into revealing their credentials is spreading through
convincingly written emails.
While Microsoft Teams might not seem like an obvious target, the fact that it
is tied to a Microsoft Office 365 account makes it highly valuable to
attackers. Office 365 credentials are a prime commodity on the black market:
because they are valid user names and passwords, they can give an attacker
direct access into a company's network and its email.
The phishing scheme is direct and follows a well-known recipe. Users receive an
email impersonating an automated notification from Microsoft Teams. The landing
pages those emails lead to also look like the real thing, persuading people that
they are dealing with an actual Microsoft service.
“In one attack, the email contains a link to a
document on a domain used by an established email marketing provider to host
static material used for campaigns,” explains the advisory
from Abnormal Security.
“Within this document there is an image urging the
recipient to log in to Microsoft Teams,” it says. “Once the user clicks this
image, the URL takes the recipient to a compromised page which impersonates the
Microsoft Office login page. In the other attack, the URL redirect is hosted on
YouTube, then redirected twice to the final webpage which hosts another
Microsoft login phishing credentials site.”
Such links would normally be flagged quickly by security tools, whether an email
gateway on the server side or protection installed on the endpoint. To evade
that detection, the attacks chain several redirects, so that the URL visible in
the email points at a reputable host (the marketing provider's domain, or
YouTube) rather than at the credential-harvesting page itself.
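The following is an added example, not code from the article or from Abnormal Security. It shows how a defender can unmask the redirect trick described above: instead of letting an HTTP client follow redirects silently, it resolves the chain one hop at a time, records every URL visited, and flags a link whose landing page sits on a non-Microsoft host while using Microsoft branding. The HTTP layer is replaced by a constructed in-memory response table so the script runs offline; every hostname in it is invented for the example, and the allowlist of genuine Microsoft sign-in hosts is an assumption kept deliberately short.

```python
"""Hop-by-hop redirect chain analysis for a link from a suspected phish.

Added example (not the article's or Abnormal Security's code). It models
the evasion the article describes: the email links to a reputable host,
which bounces through redirects before landing on a page that imitates
the Microsoft Office login. The HTTP layer is a constructed in-memory
response table so the script runs offline; all hostnames are invented.
"""
from urllib.parse import urljoin, urlparse

# Assumption: a minimal allowlist of hosts that legitimately serve
# Microsoft sign-in pages. A production list would be larger.
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com",
                         "login.microsoft.com")

# Brand words that suggest a Microsoft login lure when they appear in
# the hostname or path of a URL on a non-Microsoft host.
LURE_KEYWORDS = ("microsoft", "office", "o365", "teams", "outlook")

MAX_HOPS = 10
REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed stand-in for live HTTP responses:
# requested URL -> (status code, Location header or None).
CONSTRUCTED_RESPONSES = {
    # Malicious chain: marketing CDN -> intermediate redirector -> lure.
    "https://cdn.marketing-provider.example/static/doc123.html":
        (302, "https://redir-one.example/go?id=7"),
    "https://redir-one.example/go?id=7":
        (301, "https://office365-verify-login.example/auth"),
    "https://office365-verify-login.example/auth":
        (200, None),
    # Benign chain: a click tracker landing on the same vendor's site,
    # answered with a relative Location header.
    "https://cdn.marketing-provider.example/static/newsletter.html":
        (302, "/news/latest"),
    "https://cdn.marketing-provider.example/news/latest":
        (200, None),
    # The genuine sign-in page: no redirect, Microsoft host.
    "https://login.microsoftonline.com/":
        (200, None),
    # A redirect loop, to exercise the loop guard.
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fetch_no_follow(url):
    """Return (status, location) for url without following redirects.
    For live use replace with e.g. requests.head(url, allow_redirects=False)."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def resolve_chain(url, fetch=fetch_no_follow, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain                      # landed on a final page
        nxt = urljoin(chain[-1], location)    # resolve a relative Location
        if nxt in chain:
            return chain                      # loop guard
        chain.append(nxt)
    return chain                              # hop limit reached


def is_microsoft_host(host):
    """True for an allowlisted Microsoft sign-in host or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_LOGIN_HOSTS)


def looks_like_microsoft_lure(url):
    """True when Microsoft branding appears in a URL on a non-Microsoft host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if is_microsoft_host(host):
        return False
    return any(k in host + parsed.path.lower() for k in LURE_KEYWORDS)


def assess(url, fetch=fetch_no_follow):
    """Classify a link as 'suspicious', 'review' or 'clean' from its redirect chain."""
    chain = resolve_chain(url, fetch)
    first_host = urlparse(chain[0]).hostname
    final_host = urlparse(chain[-1]).hostname
    hops = len(chain) - 1
    reasons = []
    if hops >= 2:
        reasons.append(f"{hops} redirects before the landing page")
    if first_host != final_host:
        reasons.append(f"lands on {final_host}, not on the linked host {first_host}")
    if looks_like_microsoft_lure(chain[-1]):
        reasons.append("landing URL carries Microsoft branding on a non-Microsoft host")
        verdict = "suspicious"
    elif hops >= 2 and first_host != final_host:
        verdict = "review"
    else:
        verdict = "clean"
    return {"chain": chain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for link in ("https://cdn.marketing-provider.example/static/doc123.html",
                 "https://cdn.marketing-provider.example/static/newsletter.html",
                 "https://login.microsoftonline.com/"):
        result = assess(link)
        print(result["verdict"], "<-", " -> ".join(result["chain"]))
        for reason in result["reasons"]:
            print("   ", reason)
```

The point of resolving hop by hop rather than trusting the first URL is that reputation checks on the email's visible link see only the marketing provider or YouTube; the full chain is what reveals the brand-impersonating landing host. When swapping in real requests, keep the hop limit and loop guard, and fetch from an isolated network position, since the final page is attacker-controlled.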
The new Microsoft Teams phishing campaign is just the latest of its kind, and it
won't be the last. Users are advised never to open links from sources or people
they don't know, or at least to verify the authenticity of the sender first.
Never enter Microsoft Office credentials on a page reached from an email link;
instead, sign in only through addresses you have already verified, such as
typing the service's URL yourself or using the official application.