In a recent campaign conducted over the summer, an initial access broker (IAB) used an open-source red team tool to launch phishing attacks against organizations via Microsoft Teams. This strategy allowed the threat actor, known as TA543, Storm-0324, or Sagrid, to exploit unsuspecting users and pave the way for subsequent cyberattacks. Microsoft revealed these findings on September 12, shedding light on the evolving tactics employed by financially motivated threat actors.
Traditionally, TA543 has relied on phishing emails to breach targets before collaborating with ransomware groups. However, this time the threat actor took a different approach by leveraging Microsoft’s collaboration app to deceive and infiltrate organizations. The tool used in this campaign, TeamsPhisher, allowed the attacker to exploit vulnerabilities in Teams’ client-side security controls and bypass basic security measures.
Microsoft Teams, being a communication platform predominantly used within organizations, has limited functionality for sending files to users from external Teams tenants. Yet, researchers have identified various workarounds to exploit these limitations. For instance, by manipulating security controls, such as erasing the “Edited” tag on a message or starting a new chat, threat actors can undermine the platform’s security features.
Additionally, security researchers discovered an insecure direct object reference (IDOR) vulnerability in Teams, enabling them to send files to external tenants. Although Microsoft initially stated that it did not meet the requirements for immediate attention, a red-team developer named Alex Reid successfully combined the work of prior researchers to create TeamsPhisher. This tool streamlines the process of sending messages and files to external Teams tenants, proving that attackers can exploit the vulnerability despite Microsoft’s stance.
According to Microsoft’s investigation, Storm-0324 adopted TeamsPhisher soon after it was made available. This development raises concerns for organizations, as Storm-0324 typically uses its unauthorized corporate network access to distribute the JSSLoader and then hands off to the notorious financial and ransomware actor FIN7. FIN7, also tracked as Sangria Tempest, ELBRUS, Carbon Spider, Carbanak Group, and Cobalt Group, is notorious for its sophisticated attacks on financial institutions.
The growing interest in targeting business communication apps, like Microsoft Teams, reflects the evolving cyber threat landscape. Researchers and hackers are increasingly focusing on these platforms, even as workforces transition back to physical offices. For instance, another phishing campaign affecting Teams environments has been attributed to a different threat actor called Midnight Blizzard.
Steven Spadaccini, the vice president of threat intelligence for SafeGuard Cyber, emphasizes the attractiveness of collaboration apps like Teams for threat actors. Business communications beyond traditional email increasingly occur through these platforms, prompting attackers to tailor their strategies accordingly. Spadaccini warns that compromised accounts on Teams can lead to further security concerns and potential data exfiltration or intellectual property loss. He further highlights the need for organizations to recognize the value and risks associated with their Teams environments.
Justin Klein Keane, the director of the Cyber Fusion Center and Incident Response at MorganFranklin Consulting, notes that while targeted attacks using collaboration apps are observed, Teams does not face the same extent of threats seen on other messaging and productivity platforms. The tight integration of Teams with Microsoft Defender for Office 365 provides operational controls that enable the identification of attacks. Keane mentions that other platforms like Discord, Slack, and Telegram have been more frequently used in attacks.
To mitigate threats like TeamsPhisher and related attacks, organizations can disable the ability for users in a Microsoft tenant to engage with users from external tenants. However, Spadaccini advises that this measure alone is insufficient for comprehensive protection. He recommends securing users’ account settings and implementing solutions that provide full visibility into Microsoft Teams communications. By monitoring for malicious activity and establishing customized security protocols, organizations can swiftly detect and manage potential threats.
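The blanket mitigation described above, disabling chat and file sharing with users from external tenants, is a tenant federation setting that can be audited and changed from the MicrosoftTeams PowerShell module. The script below is an added example and is not code from the article, from Microsoft, or from the TeamsPhisher project. It assumes the MicrosoftTeams module is installed, that the signed-in account holds Teams administrator rights, that the default open configuration renders its `AllowedDomains` property as `AllowAllKnownDomains` (how the object displays may differ across module versions), and the partner domain names are placeholders. It also shows the narrower option of keeping federation enabled only for an explicit allow list of partner tenants, which the article does not describe but which follows from the same setting.

```powershell
# Added example (not from the article or Microsoft): audit the Teams external
# access posture and, on request, restrict it. Assumes the MicrosoftTeams module
# and a Teams administrator session; domain names below are placeholders.
#Requires -Modules MicrosoftTeams

function Get-ExternalAccessPosture {
    # Report the settings that decide whether an external tenant or a personal
    # Teams account can open a chat with (and send files to) users in this tenant.
    $cfg = Get-CsTenantFederationConfiguration
    $findings = @()

    if ($cfg.AllowFederatedUsers) {
        $findings += 'Federated (external tenant) users can start chats and share with this tenant.'
        # Assumption: an open configuration displays AllowedDomains as AllowAllKnownDomains.
        if ("$($cfg.AllowedDomains)" -match 'AllowAllKnownDomains') {
            $findings += 'No domain allow list is in place: any external tenant is accepted.'
        }
    }
    if ($cfg.AllowTeamsConsumer) {
        $findings += 'Personal (consumer) Teams accounts can reach users in this tenant.'
    }
    if ($cfg.AllowPublicUsers) {
        $findings += 'Skype (public IM) users can reach users in this tenant.'
    }

    [PSCustomObject]@{
        AllowFederatedUsers = $cfg.AllowFederatedUsers
        AllowTeamsConsumer  = $cfg.AllowTeamsConsumer
        AllowPublicUsers    = $cfg.AllowPublicUsers
        AllowedDomains      = "$($cfg.AllowedDomains)"
        BlockedDomains      = "$($cfg.BlockedDomains)"
        Findings            = $findings
    }
}

function Set-RestrictedExternalAccess {
    # With no -AllowedPartnerDomains this applies the blanket control from the
    # article: no cross-tenant chat or file sharing at all. With a list it keeps
    # federation on but only for the named partner tenants. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$AllowedPartnerDomains = @()
    )

    if ($AllowedPartnerDomains.Count -eq 0) {
        if ($PSCmdlet.ShouldProcess('Tenant federation configuration',
                                    'Disable federated, consumer and public access')) {
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                                -AllowTeamsConsumer $false `
                                                -AllowPublicUsers $false
        }
        return
    }

    # Build an explicit allow list; every tenant not listed is refused.
    $patterns  = $AllowedPartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    if ($PSCmdlet.ShouldProcess('Tenant federation configuration',
                                "Restrict federation to: $($AllowedPartnerDomains -join ', ')")) {
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                            -AllowedDomains $allowList `
                                            -AllowTeamsConsumer $false `
                                            -AllowPublicUsers $false
    }
}

# Usage (interactive admin session):
Connect-MicrosoftTeams | Out-Null
$posture = Get-ExternalAccessPosture
$posture.Findings | ForEach-Object { Write-Warning $_ }

# Dry run first, then drop -WhatIf to apply. Placeholder partner domains.
Set-RestrictedExternalAccess -WhatIf
Set-RestrictedExternalAccess -AllowedPartnerDomains 'partner-a.example', 'partner-b.example' -WhatIf
```

Run the audit before changing anything, and prefer the allow-list form where the business depends on a few known partner tenants; it closes the open-federation path TeamsPhisher relies on without cutting legitimate collaboration. As the article notes, this setting on its own is not sufficient: it does nothing about accounts inside the tenant that are already compromised, so account hardening and monitoring of Teams activity still have to sit alongside it.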
In conclusion, the recent campaign by Storm-0324 highlights the evolving tactics employed by threat actors to exploit weaknesses in widely used collaboration apps like Microsoft Teams. The attack, conducted through TeamsPhisher, exposes the need for organizations to enhance their security measures and employ comprehensive solutions to safeguard their Teams environments from potential cyber threats.
