Written by Becca Calloway

Teams Isn’t Immune: Latest Exploit Appears As Internal Message

New Threat to Microsoft Teams

We’re constantly warning about the threats of phishing schemes and other similar attacks, and for good reason: they remain the most common way that cyberattacks and other digital threats originate.

Well, we wish this post were different, but instead it’s just a little bit worse: now the threat could be coming from inside the house.

Here’s what we mean, and what to watch out for.

New Threat: Attackers Sending Messages Within Microsoft Teams

The new threat, first identified by Sophos and reported on in Security Week, is an attack that uses Microsoft Teams. The threat actors who got caught using this attack exploited a vulnerability in Microsoft Teams — more specifically, in one of its default configurations. Millions of companies rely on these default configurations, so we’d say it’s a pretty big vulnerability!

The Scam’s Architecture

Here’s how the scam played out. First, the bad guys sent a ton of spammy messages through Microsoft Teams. These were obvious, intended to be “caught.” Users were supposed to see them and say, “yeah, something ain’t right.”

It’s what happened next that’s surprising.

After users saw the spam messages, the attackers initiated a Teams call — yes, from right within the organization’s Teams environment — that looked like it came from “Help Desk Manager.” The scammers warned the users that their account had been compromised, promising to walk the user through a recovery process.

Of course, there was no recovery process, because “Help Desk Manager” was the scammer. The scammer’s first step was to request remote control of the user’s machine (something that, again, real helpdesks might actually do). But once the scammer had control, instead of doing anything helpful, the scammer moved files to the machine and installed malware that itself installed numerous backdoors (giving the attacker ongoing access indefinitely!).
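The sequence described above (a burst of spam, then a Teams call from “Help Desk Manager,” then a remote-control request) is something a defender can look for by correlating events per user. The Python below is an added example, not code from the original post, Sophos or Microsoft; the normalized event fields, the `KNOWN_HELPDESK` allowlist and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: the accounts your real IT support uses (placeholder value).
KNOWN_HELPDESK = {"it-support@example.com"}
LURE_WORDS = ("help desk", "helpdesk", "it support")

def find_helpdesk_lures(events, burst_min=5, window=timedelta(hours=1)):
    """Return {user: stage} for users who saw a spam burst and then got a
    call from an unrecognised 'help desk' identity within `window`.
    stage is 'call', or 'remote_control' if screen control followed."""
    by_user, hits = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        spam_times, call_ts = [], None
        for e in evs:
            if e["type"] == "spam_msg":
                spam_times.append(e["ts"])
            elif e["type"] == "teams_call":
                recent = [t for t in spam_times if e["ts"] - t <= window]
                name = e["display_name"].lower()
                # Help-desk style name, but not one of our real accounts.
                spoofed = (any(w in name for w in LURE_WORDS)
                           and e["caller"] not in KNOWN_HELPDESK)
                if len(recent) >= burst_min and spoofed:
                    call_ts, hits[user] = e["ts"], "call"
            elif e["type"] == "remote_control" and call_ts is not None:
                if e["ts"] - call_ts <= window:
                    hits[user] = "remote_control"
    return hits

def sample_events():
    # Constructed events, not taken from any real incident log.
    t0 = datetime(2025, 1, 6, 9, 0)
    ev = [{"ts": t0 + timedelta(minutes=i), "user": "alice", "type": "spam_msg"}
          for i in range(8)]
    ev.append({"ts": t0 + timedelta(minutes=12), "user": "alice",
               "type": "teams_call", "display_name": "Help Desk Manager",
               "caller": "hd@unknown.example"})
    ev.append({"ts": t0 + timedelta(minutes=15), "user": "alice",
               "type": "remote_control"})
    # bob: a call from the real help desk with no spam burst, so no alert.
    ev.append({"ts": t0, "user": "bob", "type": "teams_call",
               "display_name": "IT Support", "caller": "it-support@example.com"})
    return ev

if __name__ == "__main__":
    print(find_helpdesk_lures(sample_events()))
```

A hit at the `remote_control` stage is the one to escalate first, since that is the point at which the scammer in this attack began moving files onto the machine.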

A Second Attack Went Further

A second attack using the same basic structure went even further. This one also stole employee credentials, gaining access to a legitimate business account. From there the attackers “moved laterally” on the network, which means they started poking around other network locations to see what they could steal or break.

Why This Matters for Your Business

This attack was pretty unsettling because most users are just starting to get a clearer sense of how to recognize spam in the usual places, like their email inboxes and text messages.

But almost no one is evaluating their interactions on Microsoft Teams, wondering if internal messages and calls from “IT” might themselves be a new level of phishing scheme! We tend to think of Teams as a safe internal space, because that’s what it’s supposed to be.

Now is a good moment for a little introspection:

  • What would your average employee do if they received an urgent email purporting to be from IT?
  • What if it were a Teams message instead?
  • Do your employees know the warning signs that a message likely isn’t legit?

It’s also a good moment to make sure your team knows who’s taking care of their IT support. Do you have an internal IT team? Do you work with an outside vendor like us? Whoever is handling this function should be able to clearly identify themselves in an authentic way, something that most attackers won’t be able to do.

Look for other tell-tale warning signs, too: is this person asking for things that are unusual? Are they warning of a problem you can’t seem to find any other evidence of? If so, scam likelihood is high.

Next Steps

Microsoft is doubtless at work patching this vulnerability, so the good news is this particular problem likely won’t be live for long. But it’s just a matter of time until the next one.

So what are your next steps?

  1. Ensure machines are up to date (software and OS) using the latest security updates.
  2. Train your team on recognizing the signs of phishing and fraud.
  3. Work with a partner like us to secure your systems and handle that training.

Reach out to our team anytime for help or guidance!
