Microsoft Teams phishing attacks and how to prevent them
Users who think phishing happens only over email should think again. Learn about recent Microsoft Teams phishing attacks and how to defend against them.
Users of Microsoft Teams often assume the collaboration platform is an internal business app and is, therefore, immune to compromise. This is not the case. Microsoft Teams is an emerging attack vector, with threat actors sending malware-loaded phishing messages to try and steal data and login credentials from users.
Let's look at examples of high-profile Microsoft Teams phishing campaigns and their impact, as well as how enterprise IT teams can bolster their protection against these types of phishing attacks.
Examples of major Microsoft Teams phishing attacks
Microsoft has identified the following major phishing attacks targeting the Teams app.
Midnight Blizzard
In late 2023, Microsoft published a blog indicating the threat actor known as Midnight Blizzard -- which the United States has identified as a Russian state-sponsored group -- was launching phishing campaigns on Teams to try to steal user credentials.
The complex attack involved infiltrating Teams via previously compromised Microsoft 365 tenants and setting up new domain names that appeared like legitimate technical support organizations.
Once they completed those steps, the malicious actors used social engineering tactics to try and trick users into providing their credentials over Teams messages, which would enable access to sensitive data.
Storm-0324
A second major attack on Teams came from threat actor Storm-0324. In another blog post, Microsoft said it had observed the group sending phishing lures through Microsoft Teams chats with links to malicious files on SharePoint. The group targeted businesses that use Teams and have external access enabled on their platforms.
According to Microsoft, Storm-0324 acts as a payload distributor for ransomware operators. Historically, the group often uses messages that look like nonthreatening, standard payment and invoice notifications from popular business services, including DocuSign and QuickBooks. Malicious links in these messages download ransomware payloads onto targets' systems.
How to defend against Microsoft Teams phishing attacks
Microsoft lists a host of Teams phishing attack recommendations companies should use to help mitigate and reduce the risk of compromise. Mitigation techniques include the following:
Enforce specific access control combinations to restrict the authentication methods used before a user can gain access to a company's digital resources.
Enable Microsoft 365 auditing to gain visibility into potential phishing attempts.
Restrict resource access to known business devices.
In Microsoft Defender for Office 365, configure the Safe Links feature to run a reputation check on each link at the time a user clicks it, before granting access. If the software finds the link suspicious, it detonates it rather than opening it.
Audit and limit administrator-level service accounts.
Despite the added protections Microsoft has developed for Teams, cybercriminals are constantly searching for ways around them. That's why educating users on phishing and social engineering activities and how they can identify and avoid suspicious behavior within Teams remains critically important.
For example, Microsoft has implemented several user notifications that identify external communications and warn users to be extra cautious about what they share with non-internal users. These notifications often go unnoticed, however, unless users have the proper education.
Despite all the added protections Microsoft has developed for Teams, cybercriminals are constantly searching for ways around them.
Consider also training Teams users on the following:
How to identify signs of possible Microsoft Teams phishing attacks.
How to block external users if they notice suspicious activity.
How to regularly review and audit their sign-in activity to identify any suspicious attempted sign-ins and notify security teams accordingly.
Future of Microsoft Teams phishing
Many businesses are beginning to use Teams more than standard email. That said, while the level of phishing education for email is well-established and plenty of training is available, the same cannot yet be said for Teams use.
For organizations lacking in this area, now is the time to create documentation and training for employees to better spot, avoid and notify IT about suspicious Teams behavior. Doing so will significantly lower a business's overall risk of malware infections and login credential theft.
Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.
