Unscrupulous Hackers Capitalize on Microsoft Teams by Impersonating IT Support, Gaining Screen Access and Remote Control
A sophisticated phishing campaign targeting Microsoft Teams users has been identified. The attackers, posing as IT helpdesk staff, abuse Teams' external communication features to trick victims into revealing sensitive information or carrying out malicious actions.
The campaign hinges on a user-accepted event: when a message arrives from an external Teams sender, the victim sees a pop-up and clicks "Accept". One of the most alarming aspects of this attack is that voice calls from external Teams users generate no such warning pop-up, giving the attackers a seamless entry point.
Once trust is established through voice communication, attackers often request screen-sharing permissions. With these permissions, they can observe victim activities and potentially guide them through malicious actions. The attacks leverage Teams' external collaboration features, which are enabled by default in Microsoft 365 tenants, making many organizations potentially vulnerable.
Organizations using Microsoft Teams are at higher risk when remote control features are insufficiently secured, for example where staff routinely rely on remote support tools and shared file access. Attackers can potentially gain full remote access to victim workstations through Teams' integrated remote control features, allowing them to install persistent backdoors and move laterally within the network.
To combat this evolving threat landscape, organizations must implement comprehensive monitoring of Teams audit logs, user education programs, and restrictive external communication policies. For advanced threat hunting, monitoring must cover specific Microsoft 365 audit log patterns, in particular ChatCreated operations with participant_info:has_foreign_tenant_users = true and communication_type = "OneOnOne".
The same Microsoft 365 audit log entries also serve as digital forensic artifacts: a ChatCreated event records the Chat Thread ID, the sender's display name and email address, and the Organization IDs of both parties, which security teams can use to identify these attacks.
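As an added example, not code from the original article or from Microsoft, the following script applies the hunting pattern described above to an audit export and extracts the forensic artifacts the article lists. The field names (ChatCreated, has_foreign_tenant_users, communication_type) are taken from the article; the JSON nesting, the sample records, the thread IDs, the addresses, the home Organization ID and the helpdesk keyword list are all constructed assumptions and must be mapped onto your tenant's real export. It goes one step beyond the article's pattern by flagging external senders whose display name mimics IT support, so the hits the article describes sort to the top of the review queue.

```python
"""Hunt Microsoft 365 audit exports for external one-on-one Teams chats.

Added example. Sample records are constructed; the export layout is an
assumption and must be adapted to the real schema of your tenant's export.
"""
import json
import re
from typing import Iterable

# Constructed sample export: one JSON object per line, mirroring the field
# names quoted in the article. Thread IDs, names and domains are made up.
SAMPLE_AUDIT_LOG = """\
{"Operation": "ChatCreated", "ChatThreadId": "19:aaa@unq.gbl.spaces", "CommunicationType": "OneOnOne", "ParticipantInfo": {"HasForeignTenantUsers": true}, "Members": [{"DisplayName": "IT Help Desk", "UPN": "helpdesk@external.example", "OrganizationId": "org-external-1"}, {"DisplayName": "Alice Example", "UPN": "alice@corp.example", "OrganizationId": "org-home"}]}
{"Operation": "ChatCreated", "ChatThreadId": "19:bbb@unq.gbl.spaces", "CommunicationType": "OneOnOne", "ParticipantInfo": {"HasForeignTenantUsers": false}, "Members": [{"DisplayName": "Bob Example", "UPN": "bob@corp.example", "OrganizationId": "org-home"}, {"DisplayName": "Alice Example", "UPN": "alice@corp.example", "OrganizationId": "org-home"}]}
{"Operation": "ChatCreated", "ChatThreadId": "19:ccc@thread.v2", "CommunicationType": "Group", "ParticipantInfo": {"HasForeignTenantUsers": true}, "Members": [{"DisplayName": "Partner PM", "UPN": "pm@partner.example", "OrganizationId": "org-partner"}, {"DisplayName": "Alice Example", "UPN": "alice@corp.example", "OrganizationId": "org-home"}]}
{"Operation": "MessageSent", "ChatThreadId": "19:aaa@unq.gbl.spaces"}
{"Operation": "ChatCreated", "ChatThreadId": "19:ddd@unq.gbl.spaces", "CommunicationType": "OneOnOne", "ParticipantInfo": {"HasForeignTenantUsers": true}, "Members": [{"DisplayName": "Carol Vendor", "UPN": "carol@vendor.example", "OrganizationId": "org-vendor"}, {"DisplayName": "Dave Example", "UPN": "dave@corp.example", "OrganizationId": "org-home"}]}
"""

# Constructed placeholder for your own tenant's Organization ID.
HOME_ORG_ID = "org-home"

# Display-name words an IT-support impersonator tends to use (assumption; tune to your environment).
IMPERSONATION_PATTERN = re.compile(r"\b(help ?desk|it support|service desk|support)\b", re.IGNORECASE)


def looks_like_helpdesk_impersonation(display_name: str) -> bool:
    """Return True when an external sender's display name mimics IT support."""
    return IMPERSONATION_PATTERN.search(display_name) is not None


def find_external_one_on_one_chats(lines: Iterable[str], home_org_id: str = HOME_ORG_ID) -> list[dict]:
    """Apply the article's hunting pattern to an audit export.

    A hit is a ChatCreated event where has_foreign_tenant_users is true and
    communication_type is OneOnOne. For each hit the artifacts the article
    names are extracted: chat thread ID, the external party's display name,
    email address and Organization ID, and the internal party's Organization ID.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole hunt
        if event.get("Operation") != "ChatCreated":
            continue
        if not event.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
            continue
        if event.get("CommunicationType") != "OneOnOne":
            continue
        members = event.get("Members", [])
        external = [m for m in members if m.get("OrganizationId") != home_org_id]
        internal = [m for m in members if m.get("OrganizationId") == home_org_id]
        for sender in external:
            findings.append({
                "chat_thread_id": event.get("ChatThreadId"),
                "external_display_name": sender.get("DisplayName"),
                "external_email": sender.get("UPN"),
                "external_org_id": sender.get("OrganizationId"),
                "internal_email": internal[0].get("UPN") if internal else None,
                "internal_org_id": internal[0].get("OrganizationId") if internal else None,
                "helpdesk_impersonation": looks_like_helpdesk_impersonation(sender.get("DisplayName", "")),
            })
    return findings


if __name__ == "__main__":
    # Prints the two external one-on-one chats in the sample; the helpdesk lookalike is marked PRIORITY.
    for hit in find_external_one_on_one_chats(SAMPLE_AUDIT_LOG.splitlines()):
        flag = "PRIORITY" if hit["helpdesk_impersonation"] else "review"
        print(f"[{flag}] {hit['chat_thread_id']}: {hit['external_display_name']} "
              f"<{hit['external_email']}> -> {hit['internal_email']}")
```

Run against a real export, the internal ChatCreated event and the group chat with a partner tenant are filtered out, exactly as the article's two-parameter pattern intends; the per-hit dictionary carries the thread ID, addresses and Organization IDs needed to pivot into the rest of the chat's audit trail.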
Attackers have, however, found ways around some of these security measures through voice call phishing (vishing). It is therefore crucial for organizations to remain vigilant and proactive in their security measures, ensuring the safety of their users and data.