News

A new attack vector has been identified specific to those organizations that use Microsoft Teams for collaboration with internal teams as well as with your customers. The phishing campaign pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials.

Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic. This particular campaign was sent to between 15,000 to 50,000 Office 365 users with suspicion that additional campaigns will be forthcoming. Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification.

The initial phishing email displays the name “There’s new activity in Teams,” making it appear like an automated notification from Microsoft Teams. Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’,” according to researchers. Clicking on any of these leads to a fake website that impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password.

Further, the phishing landing page also looks convincingly like a Microsoft login page with the start of the URL containing “microsftteams.” If recipients are convinced to input their Microsoft credentials into the page, they are unwittingly handing them over to attackers, who can then use them for an array of malicious purposes – including account takeover. See one sample of the phishing email below.​​​​​​​

In May, a similar convincing campaign that impersonated notifications from Microsoft Teams in order to steal the Office 365 credentials of employees circulated, with two separate attacks that targeted as many as 50,000 different Teams users.

Users are warned to be diligent in reading all invites such as described above and when in doubt, delete the email and not click on any of the display areas.​​​​​​​

Please reach out to us with your concerns or for more information on how to protect yourself and your business.

While bad actors continue their denial-of-service for ransom activities, SRG would like to remind all clients and businesses to continue your due diligence as you work to protect your company assets:

Actors claiming to be various Advanced Persistent Threat (APT) groups have been threatening to carry out large-scale distributed denial-of-service attacks for ransom, commonly known as Ransom DoS (RDoS). Recent reported threats were against the financial sector, globally and in Canada, but other sectors are expected to be subject to the same activities. The threats are typically accompanied by short Distributed Denial of Service attacks (DDoS) that are intended to demonstrate the actor’s capability.

Details vary from case to case but the core elements are as follows:

• An organization is approached via e-mail by an actor identifying explicitly as a well-known APT, indicating an intent to demonstrate the capability to disrupt the organization’s infrastructure, and demanding a specific payment in Bitcoin be made. In return for payment, the actor undertakes to refrain from further activity.
• A short time after the e-mail is sent, the targeted organization’s infrastructure is subjected to a relatively short DDoS, as threatened in the e-mail.

There are reports across Canada of such activity where the subject line of the ransom email is: “DDoS Attack on <organization name>’s network”. The email specifies a date on which the organization’s network would be subjected to a DDoS attack and imply that a small-scale attack on a specific IP address range will be carried out immediately to prove the message was not a hoax. The mail demands a ransom amount, to be paid in Bitcoin, to avoid a larger and sustained attack. The ransom attack then escalates daily with non-payment.

The following denial-of-service techniques have been reported:

• UDP flooding;
• DNS amplification;
• NTP amplification;
• CLDAP amplification;
• IP Fragmentation; and possibly others.

Recommended Protection Activities are as follows:

• Work with your cloud and Internet service providers to implement service-level agreements that include DoS defence provisions. Your service providers may use multiple tools and techniques to help your organization protect itself against DoS attacks.
• Ensure your system administrators are familiar with DoS protection services. Familiarity with these services can help them effectively rate limit or whitelist.
• Monitor network and systems. Configure monitoring tools to alert you when there is an increase in traffic (outside of your baseline) or any suspicious traffic overloading a site.
• Install and configure firewalls and intrusion prevention systems. You can use these tools to monitor traffic and block known-malicious and illegitimate traffic.
• Update and patch operating systems and applications. Update and patch systems and applications, including your firewalls, to ensure that security issues are addressed and prevent threat actors from taking advantage of vulnerabilities.
• Defend your network perimeter. To protect your network, use a layered approach to security by implementing multiple controls and techniques.
• Plan for an attack. Have a recovery plan that prioritizes systems and processes based on their tolerable downtime. You should also identify points of contact and an incident response team.
• Monitor for inbound e-mails to publicly available addresses where addressing and subject line is similar to that provided above.

Reach out to us with your concerns or for more information on how to protect yourself or your business.