Hackers hide behind fake Microsoft Teams notification to steal victim credentials

News by Rene Millman

Credential-stealing attack uses a fake Microsoft Teams notification and numerous URL redirects to hide from email protection services.

Security researchers have found that hackers are impersonating notifications from Microsoft Teams to steal the credentials of employees.

According to a blog post by Abnormal Security, cybercriminals have crafted convincing emails that impersonate automated notification emails from Microsoft Teams.

The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider. In one of the attacks, the sender email originates from a recently registered domain, “sharepointonline-irs.com”, which is not associated with either Microsoft or the IRS, according to researchers.

They added that the attack uses numerous URL redirects to conceal the real URL that hosts the attack. This tactic is employed in an attempt to bypass the malicious link detection used by email protection services.

“In one attack, the email contains a link to a document on a domain used by an established email marketing provider to host static material used for campaigns. Within this document there is an image urging the recipient to log in to Microsoft Teams. Once the user clicks this image, the URL takes the recipient to a compromised page which impersonates the Microsoft Office login page,” said researchers.

Another attack used a URL redirect hosted on YouTube, which then redirected twice more before reaching the final webpage, another credential-phishing site impersonating the Microsoft login page.
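A defender-side illustration of the redirect-chain tactic described above, added here as an example and not code from Abnormal Security or the article: it follows a chain of redirects hop by hop, caps the chain length, and flags a landing page whose hostname borrows Microsoft branding without belonging to Microsoft. The redirect map, the `.example` hostnames and the helper names are constructed for the demonstration; in practice `lookup_redirect` would be replaced by an HTTP request that returns the `Location` header.

```python
from urllib.parse import urlparse

# Constructed stand-in for live HTTP fetches: maps a URL to the URL it redirects to.
# Mirrors the shape of the chains in the report (marketing CDN -> YouTube redirect ->
# two more hops -> lookalike login page); every hostname here is made up.
REDIRECT_MAP = {
    "https://cdn.marketing-provider.example/doc/teams-notice":
        "https://youtube.example/redirect?q=https://hop1.example/x",
    "https://youtube.example/redirect?q=https://hop1.example/x": "https://hop1.example/x",
    "https://hop1.example/x": "https://sharepointonline-irs.example/login",
}

# Real Microsoft login/service domains; anything else carrying these brand words is suspect.
TRUSTED_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".live.com", ".office.com")
BRAND_TOKENS = ("microsoft", "sharepoint", "office", "teams")


def lookup_redirect(url):
    """Hypothetical fetch: return the redirect target, or None when the page is final."""
    return REDIRECT_MAP.get(url)


def resolve_chain(url, fetch=lookup_redirect, max_hops=10):
    """Follow redirects until a final page, a loop, or the hop limit; return (chain, status)."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "final"
        if nxt in seen:            # redirect loop, another evasion/bug pattern worth surfacing
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too_many_hops"


def is_brand_lookalike(host):
    """True when the host uses Microsoft brand words but is not a Microsoft-owned domain."""
    owned = any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_SUFFIXES)
    return (not owned) and any(tok in host for tok in BRAND_TOKENS)


def assess(url):
    """Resolve the full chain and return a verdict with the reasons that triggered it."""
    chain, status = resolve_chain(url)
    final_host = urlparse(chain[-1]).hostname or ""
    reasons = []
    if len(chain) > 2:
        reasons.append(f"{len(chain) - 1} redirects before the landing page")
    if status != "final":
        reasons.append(status)
    if is_brand_lookalike(final_host):
        reasons.append(f"lookalike host {final_host}")
    return {"chain": chain, "final_host": final_host,
            "verdict": "suspicious" if reasons else "ok", "reasons": reasons}
```

Scanning the final landing host rather than only the first link is what defeats the "hide behind a reputable first hop" tactic; a real deployment should also rate-limit and sandbox the fetches it performs.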

Researchers warned that should the recipient fall victim to this attack, the user’s credentials would be compromised. “Additionally, since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single sign-on,” they added.

Researchers said the attacks were effective as the email and landing page the attackers created were convincing.

“The webpages and the links the email direct to are visually identical to legitimate Microsoft Teams and Microsoft login pages. Recipients would be hard-pressed to understand that these sites were set up to misdirect and deceive them to steal their credentials,” said researchers.

Ed Bishop, chief technology officer at Tessian, told SC Media UK that opportunistic hackers are taking advantage of the fact that people are working remotely, impersonating trusted collaboration tools like Microsoft Teams and Zoom to trick people into clicking malicious links to fake websites and sharing credentials.

“It's critical that business leaders and IT security teams educate staff about the threats on email at this time and provide simple advice on how to spot a potential scam when they're away from the office,” he said.

Chris Bates, CISO at SentinelOne, told SC Media UK that a patch was announced on 20 April and users should update immediately.

“It’s also a good idea to develop the habit of never clicking a link from an email. Avoid clicking links or dialling telephone numbers that request personal information, credit card numbers, or account passwords. Instead, go to the page from a bookmark in your browser, or look up the address in an internet search engine. Similarly, always double-check any phone number you’re asked to call either through a web search or looking at your previous correspondence,” he said.
