Bad actors usually use email to phish and attack their victims, but this time a newly discovered phishing campaign did not arrive via email. It came from a rather unusual source: Microsoft Teams.
AT&T Cybersecurity recently discovered phishing attacks conducted over Microsoft Teams. During a group chat, threat actors distributed malicious attachments to employees, which led to the installation of DarkGate malware on the victims' systems.
This highlights how the phishing attack surface is expanding from email to communication applications such as Teams.
In this article you will read more about this new attack surface and the best practices to mitigate it.
How do hackers use Microsoft Teams as a phishing vector?
Phishing via Microsoft Teams is considered a new threat. TrueSec recently published research on it, and many other cybersecurity vendors have reported on it as well. Traditionally, malware was spread via email phishing, but attackers have found a new way to deliver their malware through Microsoft Teams, mostly using publicly available tooling such as TeamsPhisher.
The threat actor first compromises a legitimate .onmicrosoft.com domain, the default domain used for a company's Microsoft 365 environment. The actor may also register a completely new tenant. They then rename a user account to match the name of a user within the targeted company, for example the CEO, and use this account to send automated messages through Teams.
The victim sees a message request, and once they click to accept it, an automated message is delivered and the attacker's account is shown with an (External) tag beside the name. The messages are usually designed to create curiosity in potential victims, increasing the likelihood that they will open the attached link.
The attached link takes the victim to a phishing page that serves a zip file containing the malicious software (DarkGate Loader). When the victim downloads the zip and opens it, the malware is installed on their machine.
What is DarkGate?
DarkGate is malicious software with several capabilities, including a hidden VNC, tools to bypass Windows Defender, a browser history stealer, an integrated reverse proxy, a file manager and a Discord token stealer.
It is a Remote Access Trojan (RAT) with info-stealer functionality that gives attackers control over compromised systems and lets them extract valuable information. DarkGate has been involved in various malicious activities, such as data exfiltration, credential phishing and ransomware deployment.
Prevention is better than cure
To fortify your organization against these types of phishing attacks, the Cloud Networks Solution team recommends the following remediation measures:
1) Control external communications:
Always check which domains are allowed to message members of your organization, and disable external access in the Microsoft Teams Admin Center. Set the “Choose which external domains your users have access to” option to “Block all external domains”.
If communication with a tenant outside the organization is required, enable access only for the specific domains that regularly communicate with your team.
2) Prevent external users from initiating conversations with members of your organization:
In the Microsoft Teams external access settings, disable “External users with Teams accounts not managed by an organization can contact users in my organization.” By limiting who can start conversations, you reduce the likelihood of unauthorized access and communication.
3) Block external invitations to shared channels:
Shared channel owners can invite external users to join their channel, which lets those external users read and write messages. In the Microsoft Teams Admin Center, under Teams policies, toggle “Invite external users to shared channels” off.
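The three settings above can also be applied and verified from PowerShell with the MicrosoftTeams module, which is useful for auditing many tenants consistently. The script below is an added example, not from the original article or from the Cloud Networks Solution team; it assumes the MicrosoftTeams module is installed, that you connect as a Teams administrator, and that "partner.example" is a placeholder for a partner domain you actually need to communicate with. The cmdlet-to-setting mapping is: AllowFederatedUsers/AllowedDomains for step 1, AllowTeamsConsumerInbound for step 2, and AllowChannelSharingToExternalUser on the Teams channels policy for step 3.

```powershell
# Added example (not the article's own code): harden Microsoft Teams external access
# with the MicrosoftTeams PowerShell module. Run with a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Leave empty to block all external domains (strict variant of step 1),
# or list the partner domains that must stay reachable (allow-list variant).
# "partner.example" is a placeholder, not a real partner.
$PartnerDomains = @()   # e.g. @("partner.example")

# --- Audit first: record the current tenant-wide external access settings ---
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound | Format-List

# Step 1: control which external tenants may message your users
if ($PartnerDomains.Count -eq 0) {
    # "Block all external domains"
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
} else {
    # Allow only the named domains; everything else is blocked
    $patterns  = $PartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList
}

# Step 2: stop personal (unmanaged) Teams accounts from contacting your users.
# AllowTeamsConsumerInbound is the switch behind "External users with Teams accounts
# not managed by an organization can contact users in my organization".
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Step 3: stop shared-channel owners from inviting external users (global policy).
Set-CsTeamsChannelsPolicy -Identity Global -AllowChannelSharingToExternalUser $false

# --- Verify: fail loudly if any of the inbound paths is still open ---
$after  = Get-CsTenantFederationConfiguration
$policy = Get-CsTeamsChannelsPolicy -Identity Global
if ($after.AllowTeamsConsumerInbound -or $policy.AllowChannelSharingToExternalUser) {
    Write-Error "Teams external access is still open; review the settings printed above."
} else {
    Write-Output "External access hardened: consumer inbound and external shared-channel invites are off."
}
```

Note that the shared-channel change only touches the Global policy; if users are assigned custom channel policies, list them with Get-CsTeamsChannelsPolicy and apply the same switch to each. Keep the "before" output as evidence of the previous state so the change can be rolled back if a legitimate partner tenant is cut off.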
4) Use a good EDR solution:
It is important for companies to have a well-configured EDR solution, such as CrowdStrike Falcon or Trellix, and to act on alerts when they are generated.
Using good collaboration-security software such as Check Point Harmony Email & Collaboration also helps prevent and stop this kind of phishing attack.
5) Staff training and awareness:
Conduct ongoing training sessions and awareness workshops so that staff understand social engineering attacks and the tools attackers use, including Microsoft Teams.
Conclusion
Securing SaaS platforms is something companies must take seriously, as we are now facing a new era of cyber-attacks that use AI and machine learning, where attackers can expand the attack surface and leverage the wide range of SaaS applications that most organizations use in their daily operations.