Microsoft Sounds the Alarm on a Sophisticated Phishing Campaign Targeting Corporations via Teams Messages
In a recent security alert, Microsoft has blown the whistle on a complex phishing campaign that is targeting corporations via Teams messages. This new mode of attack marks a shift from traditional email-based scams to leveraging popular collaboration platforms for initial access to corporate networks. In this extensive article, we will dive into the intricate details of this phishing campaign, its impact, how it operates, and what steps businesses can take to protect themselves.
Understanding the Phishing Campaign Targeting Corporations via Teams Messages
This campaign, tracked by Microsoft's Threat Intelligence team as Storm-0324 and also known by the aliases TA543 and Sagrid, initiated its malicious activities in July 2023. It employs Teams messages as lures to infiltrate corporate systems. Storm-0324 has evolved from relying primarily on email phishing to incorporating Teams chats into its infection vectors. Microsoft's advisory remains the most comprehensive source on how this phishing campaign has developed.
Methodology Employed by Storm-0324
Storm-0324 acts as a payload distributor in the cybercriminal world. They use sophisticated infection chains that include a mix of downloaders, banking trojans, ransomware, and various modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader. In previous attack sequences, the bad actors used invoice- and payment-themed email decoys to trick users into downloading SharePoint-hosted ZIP archive files containing JSSLoader malware.
Shift to Teams-based Attacks
As of July 2023, the phishing campaign targeting corporations via Teams messages saw a significant modus operandi change. The attackers now send phishing links through Teams chats, using an open-source tool called TeamsPhisher. This tool allows users to attach files to messages sent to external Teams tenants by exploiting an issue first highlighted by JUMPSEC in June 2023.
Evading Detection and Facilitating Ransomware
Storm-0324 has been incredibly adept at evading security solutions. Their email chains incorporate traffic distribution systems (TDS) such as BlackTDS and Keitaro. These systems identify and filter incoming traffic by IP range, screening out ranges likely to belong to security solutions such as malware sandboxes, while redirecting real victims to the malicious download sites.
After gaining initial access, Storm-0324 often paves the way for other ransomware-as-a-service actors, notably Sangria Tempest, also known as Carbon Spider, ELBRUS, and FIN7, to deploy file-encrypting malware.
The Importance of Remediation
Identifying and addressing Storm-0324's activities is crucial. By taking down Storm-0324, it becomes possible to prevent more dangerous follow-on attacks like ransomware. Microsoft has already taken steps by suspending identified accounts and tenants associated with inauthentic or fraudulent behavior related to this phishing campaign targeting corporations via Teams messages.
Global Context and Relevance
Interestingly, a similar technique was used by Russian nation-state actor APT29, also known as Midnight Blizzard, in May 2023, targeting about 40 organizations globally. This wide-reaching impact emphasizes the urgency and global relevance of addressing this kind of cyber threat. Additionally, Kaspersky has detailed the tactics of another notorious ransomware group, Cuba, which employs a similar double extortion business model.
Security Measures and Recommendations
Corporations should ensure robust cybersecurity hygiene to defend against these phishing campaigns. Understanding the TTPs (Tactics, Techniques, and Procedures) used by Storm-0324 can be incredibly useful in identifying and mitigating threats.
- Use multi-factor authentication.
- Educate employees on the risks of clicking on external links.
- Keep software up to date.
- Use a reputable security solution.
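As an added illustration of the monitoring these recommendations imply, and not code from the article, from Microsoft, or from any product, the script below triages Teams chat records for the lure shape described earlier: a message from an external tenant that carries a link or an archive attachment, with the sender's domain checked against an approved-domain list. The record layout, the tenant ids, the domains and the sample messages are all constructed for this example; real Teams audit records would first have to be mapped into this shape.

```python
"""Triage Teams chat messages for the lure pattern described above: a message
from an external tenant that carries a link or an archive attachment.
The record layout, tenant ids, domains and sample messages are constructed for
this example; real Teams audit records must be mapped into this shape first."""
from dataclasses import dataclass, field
import re

# Assumed home tenant id and approved external domains (constructed values).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Container formats often used to wrap a downloader; ZIP is the one the article names.
ARCHIVE_RE = re.compile(r"\.(zip|7z|rar|iso|img)$", re.IGNORECASE)


@dataclass
class TeamsMessage:
    sender: str              # sender UPN, e.g. user@domain
    sender_tenant: str       # tenant id the message originated from
    body: str                # message text
    attachments: list = field(default_factory=list)  # attachment file names


def sender_domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()


def assess(msg: TeamsMessage, home_tenant: str = HOME_TENANT,
           allowed: set = ALLOWED_EXTERNAL_DOMAINS) -> list:
    """Return the reasons a message deserves review; an empty list means none."""
    if msg.sender_tenant == home_tenant:
        return []  # internal traffic is out of scope for this check
    reasons = []
    if sender_domain(msg.sender) not in allowed:
        reasons.append("external sender outside the approved-domain list")
    urls = URL_RE.findall(msg.body)
    if urls:
        reasons.append(f"{len(urls)} link(s) from an external tenant")
    archives = [a for a in msg.attachments if ARCHIVE_RE.search(a)]
    if archives:
        reasons.append(f"archive attachment(s): {', '.join(archives)}")
    return reasons


def severity(reasons: list) -> str:
    """Escalate when an unapproved external sender also delivers a link or archive."""
    if not reasons:
        return "none"
    unapproved = any(r.startswith("external sender") for r in reasons)
    payload = len(reasons) > (1 if unapproved else 0)
    return "high" if unapproved and payload else "medium"


def triage(messages: list) -> dict:
    """Map each flagged message (keyed by sender) to its severity and reasons."""
    report = {}
    for msg in messages:
        reasons = assess(msg)
        if reasons:
            report[msg.sender] = {"severity": severity(reasons), "reasons": reasons}
    return report


# Constructed sample records, not real telemetry.
SAMPLE_MESSAGES = [
    TeamsMessage("colleague@corp.example", HOME_TENANT,
                 "Draft is here: https://intranet.corp.example/doc"),
    TeamsMessage("billing@invoices-portal.example",
                 "22222222-2222-2222-2222-222222222222",
                 "Please review the attached invoice: https://files.invoices-portal.example/inv",
                 ["Invoice_0923.zip"]),
    TeamsMessage("pm@partner.example", "33333333-3333-3333-3333-333333333333",
                 "Notes from today attached", ["notes.docx"]),
    TeamsMessage("legal@partner.example", "33333333-3333-3333-3333-333333333333",
                 "Agenda: https://partner.example/agenda"),
]

if __name__ == "__main__":
    for sender, finding in triage(SAMPLE_MESSAGES).items():
        print(f"{finding['severity']:6} {sender}: {'; '.join(finding['reasons'])}")
```

The approved-domain set is the lever an administrator actually controls: the tighter the list of external tenants allowed to chat in, the fewer messages ever reach the link and attachment checks. Internal messages are skipped deliberately so the rule stays focused on the cross-tenant path the campaign uses.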
The emergence of phishing campaigns like Storm-0324, targeting corporations via Teams messages, poses new challenges in cybersecurity. While Microsoft has taken some steps to mitigate these threats, businesses must also take proactive measures. The evolution of this phishing campaign serves as a stark reminder that cybercriminals are always looking for new ways to penetrate systems and gain unauthorized access to sensitive information.
By understanding the sophisticated methods employed by cybercriminals, organizations can better prepare and protect themselves from falling victim to these ever-evolving cyber threats.
Who is behind the phishing campaign?
The campaign is orchestrated by a cyber-criminal group identified as Storm-0324, also known by monikers TA543 and Sagrid.
When did the phishing campaign start?
The campaign began in July 2023, according to Microsoft's Threat Intelligence team.
What tools are being used in this campaign?
The perpetrators are using an open-source tool called TeamsPhisher to send phishing lures through Microsoft Teams chats.
How serious is this threat?
This threat is deemed very serious as it allows bad actors to infiltrate corporate networks. Microsoft has rated it as 'critical'.
What types of payloads are distributed?
The phishing campaign employs a mix of downloaders, banking trojans, ransomware, and modular toolkits like Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.
Has this tactic been used before?
Yes, a similar technique involving Microsoft Teams was used by Russian nation-state actor APT29 in attacks targeting global organizations.
What actions has Microsoft taken?
Microsoft has implemented several security enhancements to block this threat and suspended accounts associated with inauthentic or fraudulent behavior.
What can corporations do to protect themselves?
Corporations should update their security protocols, educate their staff on recognizing phishing attempts, and monitor for any signs of infiltration.
What are the potential consequences of falling victim to this campaign?
The access gained from this phishing campaign can lead to ransomware attacks and further exploitations by other threat actors.
Is this phishing campaign linked to any other cybercrime activities?
Yes, the ransomware-as-a-service (RaaS) actor Sangria Tempest is known to conduct post-exploitation actions once access is afforded by the malware in this campaign.
How does this campaign differ from typical phishing campaigns?
Traditionally, phishing attacks often come via email. This campaign is unique because it uses Microsoft Teams as the method of delivery for the phishing lures.
Is there a way to report suspicious activity related to this campaign?
Yes, corporations and individuals can report suspicious activity to Microsoft's cyber-security division or their own internal IT departments for immediate action.