Microsoft Teams has seen a surge in usage owing to the increased need for collaboration services as more and more employees work from home in the wake of the COVID-19 Coronavirus pandemic. With the increased adoption, the tool has also been receiving multiple improvements to enhance functionality. While communication about new features is a given, a new phishing attack that mimics notifications from the Redmond giant is now targeting Teams users.
The specifics of the attack, reported first by Abnormal Security (via WindowsCentral), suggest that the goal is to steal users’ Teams/Office 365 credentials by serving messages that redirect to phishing websites. The report states that the emails impersonate automated notification emails from Teams and are convincing owing to their content and design. The sender address uses the “sharepointonline-irs.com” domain, which is misleading because it is not owned by Microsoft.
Two kinds of attack are being used to trick users into entering their login credentials. The first involves a notification that contains a link to a document that is used “by an established email marketing provider to host static material used for campaigns redirects users”. This document contains an image that urges users to log in to Teams to view messages left by their teammates.
In the other type of attack, the email redirects to a YouTube page first, which then redirects twice to a very convincing Microsoft 365 login page, complete with the very image that the company uses for its login screen. The security firm says that the attackers use multiple URL redirects to “conceal” the real URL that hosts the attacks. Users who fall prey to the technique end up handing over their Teams/Office 365 credentials, which gives the attackers access to all other information through single sign-on.
Abnormal Security adds that close to 50,000 Teams users were targeted through these malicious emails. Users should beware of communication from the domain listed above and always check the URL carefully whenever an email redirects them to a login screen. While Microsoft recently patched a vulnerability in the app itself, there is little that the company can do when it comes to such attacks.
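The two checks recommended above (who sent the email, and where the link finally lands) can be automated. The following Python is an added example, not code from Abnormal Security or Microsoft; the allowlist, the brand tokens, the recorded redirect map and every URL in the sample are assumptions constructed for illustration, and only the sender domain comes from the report.

```python
from urllib.parse import urlsplit

# Assumptions for this example: a short allowlist of Microsoft-owned domains
# and a few brand words worth flagging when they appear elsewhere.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "sharepoint.com"}
BRAND_TOKENS = ("microsoft", "sharepoint", "office365", "teams")

def under(host, domains=MICROSOFT_DOMAINS):
    """True only if host is one of the domains or a subdomain of one.
    Matching on the dot-separated suffix avoids substring look-alikes."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def sender_domain(from_header):
    """Domain part of a From header such as 'Name <user@domain>'."""
    return from_header.rsplit("@", 1)[-1].strip("<> ").lower()

def follow(link, redirects, max_hops=10):
    """Walk a recorded redirect map (URL -> next URL); stop on loops."""
    chain = [link]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def assess(from_header, link, redirects):
    """Return (redirect chain, list of findings) for one notification email."""
    findings = []
    dom = sender_domain(from_header)
    if not under(dom):
        findings.append("sender-not-microsoft")
        if any(t in dom for t in BRAND_TOKENS):
            findings.append("sender-brand-lookalike")
    chain = follow(link, redirects)
    hosts = [urlsplit(u).hostname for u in chain]
    if len(set(hosts)) > 2:
        findings.append("multi-host-redirect")
    if not under(hosts[-1]):
        findings.append("final-host-not-microsoft")
    return chain, findings

# Constructed sample data: only the sender domain comes from the article.
PHISH_FROM = "Microsoft Teams <no-reply@sharepointonline-irs.com>"
PHISH_LINK = "https://www.youtube.com/placeholder"
PHISH_HOPS = {PHISH_LINK: "https://hop1.example/r",
              "https://hop1.example/r": "https://login.hop2.example/signin"}
print(assess(PHISH_FROM, PHISH_LINK, PHISH_HOPS)[1])
```

In a mail pipeline the redirect map would come from a sandboxed URL resolver rather than a hard-coded dictionary.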
Images: Abnormal Security