Since April 2024, the cyber threat landscape has witnessed a notable surge in phishing attacks specifically targeting Microsoft Teams. These attacks not only exploit the platform's chat and calling features but also abuse legitimate remote access software such as Windows Quick Assist, AnyDesk and TeamViewer, along with other Remote Monitoring and Management (RMM) tools. As organizations increasingly rely on Teams for collaboration, threat actors are adapting their social engineering to it, raising the risk to endpoints and to the corporate network behind them.
Teams Phishing: A New Threat Vector
How Teams Phishing Works
Recent analysis indicates a troubling trend in Teams phishing attacks. Attackers commonly impersonate IT help desks in one-on-one conversations initiated from newly created, attacker-controlled tenants. These impersonations are complemented by unsolicited Teams calls and meeting invitations, where attackers share malicious URLs or attachments through the chat feature.
Typically, these tenants are created less than a week before the attack, so a very recently created external tenant is itself a useful signal. The attack often begins with an email bomb: potential victims' inboxes are flooded with more than 1,000 benign emails per hour. These emails are not malicious in themselves, but they manufacture a problem that lets the attacker pose as the help desk offering to fix the spam issue.
Attackers usually focus on three to five users per target tenant, which keeps the approach personal and avoids drawing attention. By aggregating the number of distinct internal users that a single external account contacts within a given time frame, security teams can separate this pattern from ordinary external collaboration.
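The aggregation described above, as an added example that is not part of the original article: Python that scores external Teams senders from chat-creation audit records. The records are constructed here to resemble Microsoft 365 unified audit log entries for Teams (the field names, the home tenant domain contoso.com, the three-user threshold and the 24-hour window are all assumptions). It also normalises display names, because whitespace padding and zero-width characters would otherwise defeat a plain substring search for "help desk".

```python
"""Score external Teams senders for help-desk impersonation (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_TENANT_DOMAIN = "contoso.com"   # assumed: the defending organisation's tenant
HELPDESK_TERMS = ("help desk", "helpdesk", "it support", "service desk")
TARGET_THRESHOLD = 3                 # assumed: distinct internal users per external sender
WINDOW = timedelta(hours=24)
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"   # not whitespace to Python, strip explicitly

# Constructed sample records: one attacker-controlled tenant reaching four
# users in under an hour, one trusted partner, and one internal sender.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-10-14T09:02:11", "Operation": "ChatCreated",
     "SenderUPN": "support@securityadminhelper.onmicrosoft.com",
     "SenderDisplayName": "\u2003\u2003\u2003Help Desk\u2003\u2003\u2003",
     "Members": ["alice@contoso.com"]},
    {"CreationTime": "2024-10-14T09:15:40", "Operation": "ChatCreated",
     "SenderUPN": "support@securityadminhelper.onmicrosoft.com",
     "SenderDisplayName": "\u2003\u2003\u2003Help Desk\u2003\u2003\u2003",
     "Members": ["bob@contoso.com"]},
    {"CreationTime": "2024-10-14T09:31:05", "Operation": "ChatCreated",
     "SenderUPN": "support@securityadminhelper.onmicrosoft.com",
     "SenderDisplayName": "Help\u200bDesk",
     "Members": ["carol@contoso.com"]},
    {"CreationTime": "2024-10-14T09:58:22", "Operation": "ChatCreated",
     "SenderUPN": "support@securityadminhelper.onmicrosoft.com",
     "SenderDisplayName": "Help Desk",
     "Members": ["dave@contoso.com"]},
    {"CreationTime": "2024-10-14T10:05:00", "Operation": "ChatCreated",
     "SenderUPN": "jane@partner.example",
     "SenderDisplayName": "Jane Doe",
     "Members": ["alice@contoso.com"]},
    {"CreationTime": "2024-10-14T10:06:00", "Operation": "ChatCreated",
     "SenderUPN": "erin@contoso.com",
     "SenderDisplayName": "Erin Internal",
     "Members": ["alice@contoso.com", "bob@contoso.com"]},
]


def normalize_display_name(name):
    """Drop zero-width code points, fold any Unicode whitespace run (em spaces
    included) to a single space, strip, lowercase."""
    name = name.translate({ord(c): None for c in ZERO_WIDTH})
    return " ".join(name.split()).lower()


def sender_domain(upn):
    return upn.rsplit("@", 1)[-1].lower()


def is_external(upn):
    return sender_domain(upn) != HOME_TENANT_DOMAIN


def max_targets_in_window(timed_members, window=WINDOW):
    """Largest count of distinct users one sender reached inside any sliding
    interval of length `window`. timed_members is a list of (datetime, upn)."""
    timed_members = sorted(timed_members)
    best = 0
    for i, (start, _) in enumerate(timed_members):
        seen = {m for t, m in timed_members[i:] if t - start <= window}
        best = max(best, len(seen))
    return best


def score_external_senders(events):
    """Return per-external-sender findings keyed by sender UPN."""
    per_sender = defaultdict(list)
    names = defaultdict(set)
    for ev in events:
        if ev["Operation"] != "ChatCreated" or not is_external(ev["SenderUPN"]):
            continue
        t = datetime.fromisoformat(ev["CreationTime"])
        for member in ev["Members"]:
            if not is_external(member):
                per_sender[ev["SenderUPN"]].append((t, member.lower()))
        names[ev["SenderUPN"]].add(normalize_display_name(ev["SenderDisplayName"]))

    findings = {}
    for sender, timed in per_sender.items():
        reasons = []
        n = max_targets_in_window(timed)
        if n >= TARGET_THRESHOLD:
            reasons.append(f"{n} distinct internal users contacted within {WINDOW}")
        if any(term in nm for nm in names[sender] for term in HELPDESK_TERMS):
            reasons.append("help-desk style display name")
        if sender_domain(sender).endswith(".onmicrosoft.com"):
            reasons.append("default onmicrosoft.com tenant domain, no custom domain")
        findings[sender] = {"tenant": sender_domain(sender), "distinct_targets": n,
                            "display_names": sorted(names[sender]),
                            "reasons": reasons, "suspicious": len(reasons) >= 2}
    return findings


if __name__ == "__main__":
    for sender, finding in score_external_senders(SAMPLE_EVENTS).items():
        print(sender, finding)
```

Requiring two independent signals before flagging keeps a single partner who contacts several people from paging the on-call analyst; the tenant creation date, which the audit log does not carry, can be added as a third signal from a directory lookup.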
Detection Methods
Organizations need to be vigilant about signs of suspicious activity that may indicate ongoing Teams phishing attempts. Key indicators include:
- Unusual Usage of Quick Assist: Look for launches at unexpected times, by users who do not normally receive remote support, or shortly after an unsolicited external Teams chat or call.
- Remote Access Tool Activity: Monitor for the installation or usage of tools like AnyDesk, TeamViewer or other RMM tools outside of standard IT support operations.
- Anomalous Location Access: Assess where remote management software is being accessed from, particularly if the location is not typical.
- NetSupport Manager Activity: Identify any unexpected usage or installation of this tool. It is a legitimate product, but its client (client32.exe) is routinely repurposed as a remote access trojan.
Specific Threat Actor: Black Basta
The Black Basta ransomware operation has significantly escalated its tactics, leveraging MS Teams for social engineering attacks. Active since April 2022, Black Basta has executed hundreds of attacks against corporations globally.
Attack Methodology
- Initial Email Campaign: Black Basta first overwhelms employees with non-malicious emails, including newsletters and sign-up confirmations. The flood itself does no damage, but it creates a visible problem that gives the follow-up "help desk" contact a plausible pretext.
- Impersonation via Teams: Once the employees are inundated with emails, attackers contact them via Teams, posing as IT help desk personnel. They create accounts in fresh tenants whose names mimic help desk services, such as securityadminhelper[.]onmicrosoft.com.
- Crafted User Profiles: The attackers set the display names to include “Help Desk,” often utilizing whitespace characters to center the names in the chat interface. This subtle trick enhances the illusion of legitimacy.
- Use of QR Codes: In some cases, attackers send QR codes through chats, which redirect victims to potentially malicious sites.
- Exploitation of Remote Access Tools: The primary goal is to convince users to install remote access software such as AnyDesk or launch Windows Quick Assist. Once access is granted, attackers deploy various payloads, including:
  - AntispamAccount.exe
  - AntispamUpdate.exe
  - AntispamConnectUS.exe (identified as SystemBC on VirusTotal)
- Lateral Movement and Ransomware Deployment: With remote access established, attackers can move laterally within the network, escalate privileges, exfiltrate data, and ultimately deploy ransomware.
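An endpoint-side companion to the detection indicators above and to the payload names in this attack chain, added here as an example and not taken from the original article: Python that triages process-creation events for remote-tool abuse. The events are constructed to resemble Sysmon Event ID 1 fields; the support accounts, the support hours (08:00 to 18:00 UTC) and the user-writable path patterns are assumptions to adapt to your environment.

```python
"""Triage process-creation events for remote access tool abuse (added example)."""
import re
from datetime import datetime

REMOTE_TOOLS = {
    "quickassist.exe": "Windows Quick Assist",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "client32.exe": "NetSupport Manager client",
}
# Payload filenames reported for the Black Basta Teams campaign
PAYLOAD_NAMES = {"antispamaccount.exe", "antispamupdate.exe", "antispamconnectus.exe"}
# Assumed: accounts and hours under which support-driven remote sessions are expected
IT_SUPPORT_ACCOUNTS = {"contoso\\it.ops", "contoso\\helpdesk-svc"}
BUSINESS_HOURS = range(8, 18)
# Assumed: locations a standard user can write to (portable AnyDesk, dropped payloads)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata|desktop)\\|\\temp\\", re.I)

# Constructed sample events (Sysmon-like fields)
SAMPLE_EVENTS = [
    {"UtcTime": "2024-10-14 10:12:00", "User": "CONTOSO\\it.ops",
     "Image": "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"UtcTime": "2024-10-14 09:30:00", "User": "CONTOSO\\alice",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"UtcTime": "2024-10-14 09:40:15", "User": "CONTOSO\\alice",
     "Image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"UtcTime": "2024-10-14 09:55:02", "User": "CONTOSO\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AntispamConnectUS.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"},
    {"UtcTime": "2024-10-14 22:30:41", "User": "CONTOSO\\bob",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\quickassist.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_process_event(ev):
    """Return a finding dict for a suspicious event, or None for unrelated or
    expected activity."""
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    user = ev["User"].lower()
    hour = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S").hour
    tool = REMOTE_TOOLS.get(image)

    # Only remote tools, their children, and known payload names are in scope
    if tool is None and parent not in REMOTE_TOOLS and image not in PAYLOAD_NAMES:
        return None

    reasons = []
    if tool and user not in IT_SUPPORT_ACCOUNTS:
        reasons.append(f"{tool} started by non-support account {ev['User']}")
    if hour not in BUSINESS_HOURS:
        reasons.append(f"launched at {hour:02d}:xx UTC, outside assumed support hours")
    if USER_WRITABLE.search(ev["Image"]):
        reasons.append("binary runs from a user-writable location")
    if parent in REMOTE_TOOLS:
        reasons.append(f"spawned by {REMOTE_TOOLS[parent]} session")
    if image in PAYLOAD_NAMES:
        reasons.append("filename matches Black Basta campaign payload")
    if not reasons:
        return None
    return {"time": ev["UtcTime"], "image": ev["Image"],
            "user": ev["User"], "reasons": reasons}


def triage(events):
    return [f for f in map(triage_process_event, events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The parent-process check is the most durable of these signals: a legitimate support session rarely needs to spawn cmd.exe or an unsigned binary from a temp directory, while the filenames above will change with the next campaign.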
Recommendations for Organizations
To counteract the rising threat of Teams phishing attacks, organizations should implement several robust security measures:
- Restrict or Disable External Communication
Limit external user communications in Microsoft Teams. Only allow communications from verified, trusted domains to minimize exposure. External access is configured in the Teams admin center (Users > External access), and the same toggles are reachable from the Microsoft 365 admin center's org settings. If communication with external users is needed, maintain a domain allowlist rather than leaving federation open. Also tighten inbound spam filtering so that the email-bombing phase does not reach inboxes in the first place.
- Enable Comprehensive Logging
Make sure Teams activity, in particular chat creation events, is captured in the Microsoft 365 unified audit log and forwarded to your SIEM. This is what lets you spot unusual patterns that might indicate phishing attempts. Hunt for external senders whose display name contains strings such as "Help Desk" or "IT Support", and for senders whose tenant uses only a default onmicrosoft.com domain.
- User Education and Awareness
Conduct regular training sessions to educate employees about identifying phishing attempts and the importance of verifying unexpected communication, particularly from unfamiliar sources.
- Implement Multi-Factor Authentication (MFA)
Enforce MFA for all accounts to add an additional layer of security. This step significantly reduces the risk of unauthorized access if credentials are compromised. Note that this campaign does not need stolen credentials: a user who voluntarily approves a Quick Assist or AnyDesk session hands over the endpoint regardless of MFA, so MFA must be paired with the controls above.
- Conduct Regular Security Audits
Perform routine assessments of security protocols and incident response plans. This proactive approach helps organizations stay ahead of evolving cyber threats.
For more information, see Microsoft tech community