The Microsoft Teams collaboration platform has been used very often during the COVID-19 pandemic, with Microsoft announcing on March 30 that the platform has reached 75 million daily users (DAU) (a 70% increase since March 19, when it reported 44 million users).
What makes these phishing emails even more dangerous is that users are constantly receiving notifications from various online collaboration services, used to maintain contacts between partners, friends and relatives.
Cloning login pages to steal Microsoft Office 365 accounts
What makes these attacks special is the cloning of Microsoft Teams notifications.
"Because of the actual images used by the legal provider, the recipient believes that it is a legitimate e-mail," said the researchers. "This is especially true for mobile phones, where images take up most of the screen."
Some of the phishing emails found by the researchers alert victims to offline audio messages and invite them to listen. Other emails say their partners are trying to get in touch with them through Microsoft Teams.
The latter also provide links to install the Teams client on iOS and Android devices.
This phishing campaign can bypass some Secure Email Gateways (SEGs) and persuade many more targets to visit the phishing page.
To evade protection services, the intruders use many redirects with the ultimate goal of hiding the URL used to host the phishing campaign.
For example, in one of the attacks, "initially the link leads to YouTube and then redirects twice until it leads the victim to the final page that hosts the phishing Microsoft site that requests credentials."
In another version of these attacks, the phishing email is sent from a recently registered domain, sharepointonline-irs[.]com, which is not related to Microsoft or the US Internal Revenue Service (IRS), although it tries to convince the targets to the contrary.
Phishing pages also use the same graphics displayed in Microsoft Teams website notifications. Therefore, the message is very convincing.
The victims arrive at the Office 365 phishing site and are asked to enter their credentials.
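A defender can check a link the way the two cases above suggest: follow the whole redirect chain and judge the landing host, not the first one. The sketch below is an added example, not code from the researchers; the redirect map, the `example.*` hosts, the token list and the allowlist of Microsoft-owned domains are assumptions made for illustration, and the allowlist is not exhaustive.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: non-exhaustive allowlist of Microsoft-owned parent domains.
TRUSTED_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com",
                   "live.com", "sharepoint.com")
BRAND_TOKENS = ("sharepoint", "office365", "microsoft", "teams")

# Constructed data standing in for recorded HTTP responses (URL -> Location header).
START = "https://www.youtube.com/redirect?q=constructed"
RECORDED_REDIRECTS = {
    START: "https://hop.example.net/r",
    "https://hop.example.net/r": "https://teams-signin.example.org/login",
}

def resolve_chain(url, redirects, max_hops=10):
    """Follow recorded Location headers and return every URL visited, in order."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = urljoin(chain[-1], redirects[chain[-1]])  # Location may be relative
        if nxt in chain:  # redirect loop, stop here
            break
        chain.append(nxt)
    return chain

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_trusted(h):
    return any(h == d or h.endswith("." + d) for d in TRUSTED_DOMAINS)

def imitates_brand(h):
    """True when a host carries a Microsoft product name but is not Microsoft's."""
    return not is_trusted(h) and any(t in h for t in BRAND_TOKENS)

def assess(url, redirects):
    chain = resolve_chain(url, redirects)
    hosts = [host(u) for u in chain]
    findings = []
    if len(chain) - 1 >= 2:
        findings.append("multiple_redirects")
    if hosts[0] != hosts[-1]:
        findings.append("first_host_differs_from_landing_host")
    if imitates_brand(hosts[-1]):
        findings.append("landing_host_imitates_brand")
    return {"chain": chain, "landing_host": hosts[-1], "findings": findings}

if __name__ == "__main__":
    print(assess(START, RECORDED_REDIRECTS))
```

The same `imitates_brand` check applies to sender domains, which is how a name such as the recently registered one described above would be flagged.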
"If the recipient falls victim to this attack, these credentials will be violated," the researchers explained.
"Because Microsoft Teams is connected to Microsoft Office 365, the intruder may have access to other available information with the user's Microsoft credentials via single-sign-on."
Microsoft Teams, phishing and credential theft
The Microsoft Teams client was recently fixed to address a security vulnerability which allowed intruders to take control of user accounts by sending a GIF.
Hackers use a variety of ways to steal Office 365 account credentials. Therefore, users must be very careful not to enter their data on pages reached through links found in emails.