Fake Microsoft Teams notifications aim at stealing Office365 logins

Pierluigi Paganini May 02, 2020

Phishing attacks impersonating notifications from Microsoft Teams targeted as many as 50,000 Teams users to steal Office365 logins.

Abnormal Security experts observed two separate phishing attacks impersonating notifications from Microsoft Teams that targeted as many as 50,000 Teams users to steal Office365 logins.


The popularity of Microsoft Teams has spiked as a result of the smart working adopted by many organizations due to the COVID-19 pandemic.

In one attack analyzed by the experts, threat actors sent phishing messages to employees containing a link to a document on a domain used by an established email marketing provider to host static material used for campaigns. Upon clicking the link, users are presented with a button asking them to log in to Microsoft Teams. If they click the button, they are redirected to a phishing page that impersonates the Microsoft Office login page and was designed to steal their credentials.

In one of the attacks observed by the experts, the emails are sent from a recently registered domain, “sharepointonline-irs.com”, which is not associated with Microsoft. 

“Attackers utilize numerous URL redirects in order to conceal the real URL used that hosts the attacks,” reads the post published by the researchers. “This tactic is employed in an attempt to bypass malicious link detection used by email protection services.”

In the second attack observed by the experts, the email includes a link that points to a YouTube page; users are then redirected twice to a landing page designed to trick victims into providing their Microsoft login credentials.

“In the other attack, the URL redirect is hosted on YouTube, then redirected twice to the final webpage which hosts another Microsoft login phishing credentials site.” continues the report.
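For defenders, the redirect behaviour described in both attacks means a link has to be judged by where it lands, not by the reputable host it starts on. The sketch below is an added example, not code from Abnormal Security or from the original post: it scores a redirect chain already recorded by a URL-detonation sandbox. The allowlist, the token list, the `landing_brand` classifier input and the `.example` hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed, illustrative allowlist of Microsoft-operated domains; maintain your own.
MS_OWNED = ("microsoft.com", "microsoftonline.com", "office.com",
            "sharepoint.com", "live.com")
# Brand strings that phishing domains tend to embed (assumed list).
BRAND_TOKENS = ("microsoft", "office365", "sharepoint")


def host_of(value):
    """Accept a URL or a bare domain and return the lowercase hostname."""
    if "//" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()


def is_ms_owned(host):
    return any(host == d or host.endswith("." + d) for d in MS_OWNED)


def is_lookalike(host):
    """Brand string in the name, but not under a Microsoft-operated domain."""
    return any(t in host for t in BRAND_TOKENS) and not is_ms_owned(host)


def assess_chain(chain, landing_brand=None):
    """chain: ordered URLs a detonation sandbox recorded for one email link.
    landing_brand: brand the final page imitates, as reported by a separate
    content classifier (hypothetical input). Returns a list of findings."""
    hosts = []
    for url in chain:
        h = host_of(url)
        if h and h not in hosts:
            hosts.append(h)
    findings = []
    if len(hosts) >= 3:  # link host plus two or more further hosts
        findings.append("multi_host_redirect")
    findings += ["brand_lookalike:" + h for h in hosts if is_lookalike(h)]
    if landing_brand == "microsoft" and hosts and not is_ms_owned(hosts[-1]):
        findings.append("ms_login_on_foreign_host:" + hosts[-1])
    return findings


# Constructed sample: reputable first hop, two redirects, foreign landing page.
SAMPLE_CHAIN = [
    "https://www.youtube.com/constructed-link",
    "https://hop1.example/r",
    "https://landing.example/signin",
]
```

The same `is_lookalike` check applies to sender domains: it flags “sharepointonline-irs.com” because the name embeds a Microsoft brand string without sitting under a Microsoft-operated domain.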

According to Abnormal Security, the attackers aim to steal Microsoft Teams login credentials, which are linked to Microsoft Office365; this means they can access other information available with the user’s Microsoft credentials via single sign-on.

“Given the current situation, people have become accustomed to notifications and invitations from collaboration software providers. Because of this, recipients might not look further to investigate the message.” concluded the experts. “A recipient may feel more compelled to quickly login to access the page because of the urgency felt when contacted by a coworker.”

A few days ago, researchers from Group-IB reported a campaign dubbed “PerSwaysion,” in which attackers exploit Microsoft’s Sway file-sharing to gain access to many confidential corporate MS Office365 emails of mainly financial service companies, law firms, and real estate groups.

Recently, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a set of recommendations related to O365 for organizations to review and ensure their newly adopted environment is configured to protect, detect, and respond against would-be attackers of O365.
