Cyber-criminals are impersonating a popular Microsoft messaging service to steal employees’ Office 365 login credentials in a newly detected attack that has hit up to 50,000 mailboxes.
The campaign, discovered by researchers at Abnormal Security, targets Office users with an automated message that appears to be sent from communication tool Microsoft Teams.
“The email is sent from the display name, ‘There’s new activity in Teams’, making it appear like an automated notification from Microsoft Teams,” said researchers.
“It appears to notify the recipient that their teammates are trying to reach them and urges the recipient to click on ‘Reply in Teams’.”
Victims who take the bait and click on any of the three links included in the message are directed to a malicious phishing page where they are asked to enter their email and password.
“The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing ‘microsftteams’, lending further credence,” noted researchers.
Victims who enter their credentials risk exposing sensitive information stored in their account and giving attackers a foothold in the corporate network for more sophisticated business email compromise (BEC) attacks.
“Should recipients fall victim to this attack, their login credentials as well as any other information stored on their account will be compromised,” wrote researchers.
The attack exploits both the instantaneous nature of the communication tool and its rise in popularity triggered by the outbreak of COVID-19.
“Because Microsoft Teams is an instant messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” noted researchers.
News of this new attack follows the discovery of two other similar campaigns by Abnormal Security in May 2020, in which threat actors spoofed Microsoft Teams to steal credentials.
Describing the earlier campaigns, researchers noted: “These attackers crafted convincing emails that impersonate automated notification emails from Microsoft Teams. The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider.”
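The two signals researchers describe, a Teams-style display name on a non-Microsoft sender and a link whose host contains a near-miss such as ‘microsftteams’, can be checked during mail triage. The sketch below is an added example, not code from Abnormal Security or the article; the trusted-domain list, the 0.85 similarity threshold and the sample headers and URLs are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: tune both lists and the threshold per tenant.
TRUSTED = ("microsoft.com", "office.com", "microsoftonline.com")
BRANDS = ("microsoftteams", "microsoft")
THRESHOLD = 0.85

def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def lookalike_tokens(url):
    """Return (token, brand) pairs for host labels that imitate a brand."""
    host = (urlsplit(url).hostname or "").lower()
    if is_trusted(host):
        return []
    hits = []
    for token in re.split(r"[.\-]", host):
        for brand in BRANDS:
            # Ratio near 1.0 means a one- or two-character typo of the brand,
            # or the exact brand string used on a non-Microsoft host.
            if SequenceMatcher(None, token, brand).ratio() >= THRESHOLD:
                hits.append((token, brand))
                break
    return hits

def triage(from_header, urls):
    """Collect the reasons a message looks like a spoofed Teams notification."""
    reasons = []
    display, addr = parseaddr(from_header)
    sender_host = addr.rpartition("@")[2].lower()
    if "teams" in display.lower() and not is_trusted(sender_host):
        reasons.append(f"display name mentions Teams, sender domain is {sender_host}")
    for url in urls:
        for token, brand in lookalike_tokens(url):
            reasons.append(f"{token!r} in {url} resembles {brand!r}")
    return reasons

# Constructed samples: display name and URL fragment as quoted in the article,
# placed on reserved .example domains.
SPOOF_FROM = '"There\'s new activity in Teams" <notify@sender.example>'
SPOOF_URLS = ["https://microsftteams.phish.example/login"]
LEGIT_FROM = '"Microsoft Teams" <noreply@email.teams.microsoft.com>'
LEGIT_URLS = ["https://teams.microsoft.com/l/message/abc"]

if __name__ == "__main__":
    for reason in triage(SPOOF_FROM, SPOOF_URLS):
        print(reason)
```

Display names are attacker-controlled, so the first check is only useful in combination with sender authentication results and the link check.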