
Microsoft says a threat actor known for working with ransomware groups started distributing phishing lures via Microsoft Teams chats.
Financially motivated group Storm-0324, known to act as an initial access broker, has started using Teams to target potential victims, security researchers at Microsoft said.
“Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats,” researchers said.
Initial access brokers gain a foothold in victim systems and later sell the access to other cybercriminals, often leading to deployment of ransomware.
According to Microsoft, Storm-0324 also distributes payloads for other attackers. The group is known to employ evasive techniques, using payment and invoice lures to coax victims. The gang is known to have distributed malware for the notorious Russian cybercrime gangs FIN7 and Cl0p.
Researchers discovered that Storm-0324 distributes phishing lures over Teams. Attackers send victims links leading to malicious SharePoint-hosted files. To scale up the campaign, the cybercriminals employ TeamsPhisher, which “enables Teams tenant users to attach files to messages sent to external tenants.”
“These Teams-based phishing lures by threat actors are identified by the Teams platform as ‘EXTERNAL’ users if external access is enabled in the organization,” Microsoft said.
The company said it has suspended accounts and tenants associated with fraudulent behavior and has rolled out enhancements and restrictions to protect customers.
Last month, Microsoft said a Russian government-linked hacking group targeted dozens of global organizations with a campaign to steal login credentials by engaging users in Microsoft Teams chats pretending to be from technical support.
However, the tech giant noted in its blog that the two discoveries are unrelated, indicating two separate campaigns.