Ransomware distributors target Microsoft Teams users

13 Sep 2023


Microsoft said a financially motivated threat actor has turned to Teams as a way to breach networks for future ransomware attacks.

A criminal group that sells compromised network details is targeting Microsoft Teams users with phishing attacks, the company claims.

Microsoft said these hackers use an open-source tool to send phishing lures to Teams chats. The report claims this group – known as Storm-0324 – is a distributor in the cybercriminal economy and is financially motivated.

The group works to gain initial access to organisations, usually through “email-based initial infection vectors”.

This criminal distributor then gives access to the compromised networks to other threat actors. Microsoft said these network handoffs usually lead to future ransomware deployment from notable cyberattackers.

“The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service actor Sangria Tempest,” Microsoft said in a blogpost. “Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.”

For its latest Teams activity, Microsoft believes the hacking group likely relies on a tool called TeamsPhisher. The tool lets Teams tenant users attach files to messages sent to external users, a capability that can be “abused by attackers to deliver phishing attachments”.

Microsoft has not revealed how effective Storm-0324’s activity has been on Teams or how many people have been targeted. The company said it has rolled out improvements to better defend against these threats and lists various recommendations on its blogpost.

Mike Newman, CEO of My1Login, predicts that this “sophisticated phishing scam” will catch many victims because they will not realise criminals can “hijack on Microsoft Teams”.

“People understand the techniques criminals can use to send phishing scams via email, but with Teams being seen as an internal communications platform, employees place more trust in the tool and are more likely to open and action documents they receive in chats,” Newman said.

“For organisations that are worried about this threat, it is essential to educate employees on all the different techniques criminals can use to launch phishing attacks – from emails, phone calls, SMS to messaging platforms.”

Earlier this year, BlackBerry’s Dmitry Bestuzhev discussed the rising threat of initial access brokers, which sell stolen data on organisations to aid other cyberattacks. A similar type of cyberattacker was also detected in a ‘honeypot’ study that grouped attackers based on their behaviours.


Leigh Mc Gowran is a journalist with Silicon Republic
