Microsoft has issued a cybersecurity alert about a threat actor that is using Microsoft Teams chats to distribute malware. The threat actor has been labeled Storm-0324, and Microsoft says the group has been active since 2016.
In a blog post, Microsoft stated that in July 2023, "Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats." The blog added that the group has primarily distributed the JSSLoader malware since 2019. That initial access can then be used by another threat actor group, known as Sangria Tempest, to deploy ransomware on a PC.
Microsoft explained:
Storm-0324’s delivery chain begins with phishing emails referencing invoices or payments and containing a link to a SharePoint site that hosts a ZIP archive. Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.
Microsoft adds that these emails can be made to look like genuine documents from companies such as DocuSign, QuickBooks, and others. In some cases, the files also require the victim to enter a security code or password, which makes the fake documents look more legitimate.
Microsoft says it has taken several measures to keep these kinds of malware from being distributed in Teams chats. That includes suspending accounts that are confirmed to have engaged in fraudulent activity.
It has also improved the Accept/Block experience in one-on-one Teams chats. The company has also put new restrictions on "the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant."
Microsoft also lists several preventive measures that organizations using Teams chats can take against this phishing campaign. These include allowing only known devices to connect to Teams, educating employees on how phishing and malware attacks work, and reviewing suspicious sign-in activity.