Unauthorized Access Broker Targets Microsoft Teams Users

Microsoft has reported that a known initial access broker, previously associated with ransomware groups, has pivoted to using phishing attacks via Microsoft Teams to infiltrate corporate systems.

This particular threat group is identified as Storm-0324. Historically, this group had a hand in disseminating the Sage and GandCrab ransomware strains.

In addition, Storm-0324 has been known to offer the infamous FIN7 cybercrime group pathways into corporate systems. They achieved this by leveraging malware such as JSSLoader, Gozi, and Nymaim.

FIN7, also referred to as Sangria Tempest and ELBRUS, was observed utilizing Clop ransomware to compromise networks. Prior to certain ransomware services becoming inactive, FIN7 had associations with Maze and REvil ransomware strains.

In July 2023, Microsoft discovered that Storm-0324 had initiated a new approach. The group had started distributing phishing content via Teams, containing malicious links that redirected users to a compromised SharePoint file. Microsoft reported that during this activity, it’s highly probable that Storm-0324 employed a tool available to the public known as TeamsPhisher.

This freely available tool lets attackers sidestep restrictions on incoming files from outside sources, which enables them to send phishing materials to Microsoft Teams users. It works by exploiting a security flaw in Microsoft Teams. The flaw, uncovered by Jumpsec security analysts, was left unaddressed by Microsoft in July, with the company stating it wasn’t critical enough for urgent rectification.

Although Microsoft did not elaborate on the intentions behind Storm-0324’s recent attacks, other groups have used similar techniques with the objective of extracting credentials from targets, especially by manipulating them into validating multifactor authentication requests.

Microsoft recently communicated its ongoing efforts to thwart these malicious campaigns and safeguard its Teams user base. They stated, “We place immense importance on these phishing endeavors and have introduced multiple upgrades to bolster defenses against such threats.” They further elaborated that actors deploying Teams-based phishing methods are now flagged as “EXTERNAL” users when a company permits external access in its settings.

Moreover, Microsoft added, “We’ve also introduced enhancements in the Accept/Block protocol in direct chats within Teams. This emphasizes the external nature of a user, showcasing their email, allowing Teams users to be more vigilant and avoid interactions with unfamiliar or potentially harmful entities.”

Furthermore, the tech giant revealed that it has placed new limits on the creation of domains within tenants and enhanced notifications to administrators when new domains are created within their tenant.

Subsequent to uncovering Storm-0324’s phishing schemes via Teams, Microsoft took decisive action by deactivating all tenant spaces and accounts that the group utilized for their campaign.