
Malicious Actors Want to Join Your Team!

Microsoft Teams has seen rapid adoption in the three years since it was released back in 2016, becoming by some estimates the second most used business collaboration tool after Skype. Unsurprisingly, malicious actors have taken notice.

Over the course of 2019 we have seen a steady increase in the number of malicious emails spoofing Microsoft Teams email alerts and notifications. These phishing emails — reported to us by customers using the Phish Alert Button (PAB) — range from low-rent trash that bears almost no resemblance to legitimate Teams emails to high-quality spoofs that are well-nigh indistinguishable from the real thing.

The Good

The majority of the spoofed Teams emails we’ve seen are fairly well-executed, and look to have been based directly on actual Teams emails that were fished out of the inboxes of compromised accounts at organisations using the Microsoft collaboration tool.

[Image: good-1a]

Content and format are nearly perfect in these malicious spoofs, leaving only the link itself to give away the ruse. Note the use of multiple subdomains in the URL above to place the string “login.microsoftonline.com” at the start of the hostname, where users’ eyes stop reading; for many users that will be enough to disguise the true destination of the link.

The bad guys behind some of these malicious emails will not hesitate to exploit trusted domains and services from Microsoft’s competitors in order to spring a malicious link on unsuspecting users. In this example, the email itself points users to a web page hosted on Google’s Appspot cloud platform…

[Image: good-2a]

…which turns out to be a slickly designed spoof of Microsoft’s own login page.

[Image: good-2b]

This kind of disconnect ought to be an easy one to pick up on, but all too many users simply aren’t paying attention.

Of course, if you need a truly convincing host for the malicious bits of your spoofed Teams phishing campaign, the obvious first choice is Microsoft’s own Azure service.

[Image: good-3a]

The link says “windows.net,” which is Microsoft. What could possibly be wrong?

The Bad

Not all bad guys are created equal, though. Some appear to have only a vague understanding of what Microsoft Teams is and how popular it has become among business organisations — especially those that have fully embraced Office 365 and its ever-expanding suite of productivity tools. But these bottom-feeders don’t necessarily have the knowledge base, motivation, or resources to do a proper spoof of Teams email notifications.

None of that is a barrier to going after Microsoft Teams users, though. Just sprinkle a few references to “teams” throughout the Subject: line and email body, use a trusted email service provider like Sendgrid to blast out your low-rent spoofs, and you’re in business.

[Image: bad-1a]

And even the laziest of poorly designed phishing campaigns, such as the one below, can still pull the magic voodoo “Windows.net” trick:

[Image: bad-2a-2]

To no one’s surprise, though, this one got reported fairly quickly and blocked outright by the browser.

[Image: bad-2b]

The Ambitious

If Microsoft can integrate Teams into its larger suite of productivity tools, who’s to say the bad guys can’t do the same thing?

In this phish the bad guys simply took a fairly standard Office 365 credentials phish and spruced it up a bit by changing the sender name to “Microsoft Teams.”

[Image: bizarre-1a]

Coupled with the use of a Microsoft-y looking domain — “outlooksecure.com” — in the money link, that just might be enough to persuade a few people in many organisations to click the link and hand over their credentials to malicious actors.
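The three link tricks this post walks through (a brand hostname stuffed into the subdomains so the eye stops at “login.microsoftonline.com”, a phishing page hosted on a shared cloud platform such as Appspot or windows.net, and a Microsoft-y lookalike domain like “outlooksecure.com”) all come down to one question: which part of the hostname actually says who controls the page? The script below is an added example of a link-triage check an analyst could run over URLs pulled from PAB reports; it is not the post’s own tooling. The lists of official Microsoft sign-in domains and shared cloud domains are assumptions chosen for illustration, the sample URLs are constructed and point at nothing real, and the “last two labels” approximation of the registrable domain should be replaced by a public suffix list in production.

```python
"""Triage of brand-spoofing links of the kind shown in the post.

Added example, not the post's own code. Domain lists are assumptions for
illustration; the sample URLs are constructed.
"""
from urllib.parse import urlparse

# Domains Microsoft itself signs users in from. The post names
# login.microsoftonline.com; the other entries are assumptions for this example.
OFFICIAL_MICROSOFT_DOMAINS = {"microsoftonline.com", "microsoft.com", "office.com", "live.com"}

# Shared cloud platforms where any tenant can host arbitrary pages. The post names
# Google Appspot and Azure (windows.net); azurewebsites.net is an added assumption.
SHARED_CLOUD_DOMAINS = {"appspot.com", "windows.net", "azurewebsites.net"}

# Brand words whose presence in the wrong part of a hostname is a tell.
BRAND_KEYWORDS = ("microsoft", "office", "outlook", "teams", "onedrive")


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation of the registrable domain.

    Fine for the .com/.net/.example hosts used here; production code should use
    a public suffix list so co.uk-style suffixes are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_link(url: str) -> dict:
    """Classify a link the way an analyst eyeballs it, but mechanically."""
    if "://" not in url:
        url = "http://" + url  # urlparse only sees the host when a scheme is present
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return {"host": "", "registrable": "", "verdict": "unparseable", "reasons": ["no hostname"]}

    reg = registrable_domain(host)
    subdomain_labels = host.split(".")[: -len(reg.split("."))]
    reasons = []

    if reg in OFFICIAL_MICROSOFT_DOMAINS:
        return {"host": host, "registrable": reg, "verdict": "official", "reasons": []}

    # Trick 1 ("The Good"): a genuine-looking brand host sits in the subdomains so
    # the eye stops at "login.microsoftonline.com"; only the registrable domain
    # says who controls the page.
    deceptive_subdomain = any(kw in label for label in subdomain_labels for kw in BRAND_KEYWORDS)
    if deceptive_subdomain:
        reasons.append(f"brand keyword in subdomains; the page is really on '{reg}'")

    # Trick 2 (Appspot / windows.net): the registrable domain belongs to a cloud
    # platform, so a trusted-looking suffix proves nothing about the tenant.
    shared_cloud = reg in SHARED_CLOUD_DOMAINS
    if shared_cloud:
        reasons.append(f"'{reg}' is a shared cloud platform; any tenant can host here")

    # Trick 3 ("The Ambitious"): a Microsoft-y lookalike registrable domain.
    lookalike = not shared_cloud and any(kw in reg for kw in BRAND_KEYWORDS)
    if lookalike:
        reasons.append(f"'{reg}' contains a brand keyword but is not an official domain")

    if deceptive_subdomain:
        verdict = "deceptive-subdomain"
    elif shared_cloud:
        verdict = "shared-cloud-hosting"
    elif lookalike:
        verdict = "lookalike-domain"
    else:
        verdict = "unknown"
    return {"host": host, "registrable": reg, "verdict": verdict, "reasons": reasons}


# Constructed sample links mirroring the post's three tricks (none of these is real).
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",        # genuine
    "https://login.microsoftonline.com.phish.example/teams/",           # trick 1
    "https://constructed-tenant.appspot.com/login",                     # trick 2
    "https://constructedtenant.blob.core.windows.net/ms/index.html",    # trick 2
    "https://outlooksecure.com/verify",                                 # trick 3
    "https://example.com/",                                             # nothing flagged
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = triage_link(link)
        print(f"{result['verdict']:22} {link}")
        for reason in result["reasons"]:
            print(f"{'':22}  - {reason}")
```

The verdict ordering is deliberate: a brand keyword in the subdomains is the strongest tell and wins even when the registrable domain is also a cloud platform, and a bare cloud-platform hit is reported on its own because, as the post notes, “windows.net” or Appspot tells you only that someone rented space there.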

Conclusion

If you’ve rolled out Microsoft Teams in your organisation, you would do well to wonder just how well your users and employees would handle the kinds of spoofed Microsoft Teams emails that are currently landing in inboxes. Would they bother to check the link? Would they notice that the Microsoft login page sitting in front of them is actually hosted on a Google cloud-based service like Appspot?

Then again, why just wonder?

New-school Security Awareness Training can train your users to be on the alert for those kinds of “tells,” then test their reactions to simulated phishing emails based on actual phishes used by real malicious actors in the wild. It’s the best means to ensure that the only ones managing your teams are your own people — not confidence tricksters looking to muscle their way into your organisation’s network.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

[Image: PST Results]

Here’s how it works:

Immediately start your test for up to 100 users (no need to talk to anyone)

Customise the phishing test template based on your environment

Choose the landing page your users see after they click

Show users which red flags they missed, or a 404 page

Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management

See how your organisation compares to others in your industry

PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW
