A phishing campaign that impersonates Microsoft Teams notifications to trick people into revealing their credentials is spreading through convincingly crafted emails.
While Microsoft Teams might not seem like an obvious target, the fact that it’s linked to Microsoft Office 365 makes it highly valuable to attackers. Office 365 credentials are a prime commodity on the black market because valid user names and passwords can provide direct access to companies’ networks.
The phishing scheme is direct and follows a well-known recipe. Users receive an email impersonating an automated email from Microsoft Teams. The landing pages users open also look like the real deal, tricking people into believing it’s an actual service from Microsoft.
“In one attack, the email contains a link to a document on a domain used by an established email marketing provider to host static material used for campaigns,” explains the advisory from Abnormal Security.
“Within this document there is an image urging the recipient to log in to Microsoft Teams,” it says. “Once the user clicks this image, the URL takes the recipient to a compromised page which impersonates the Microsoft Office login page. In the other attack, the URL redirect is hosted on YouTube, then redirected twice to the final webpage which hosts another Microsoft login phishing credentials site.”
Security solutions, whether running on servers or installed locally, would typically identify such links immediately. To evade detection, the attacks use many redirects to conceal the real URL.
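A check that a mail gateway or analyst can apply against the redirect technique described above, shown as an added example that is not part of the original article or the Abnormal Security advisory: judge a link by the final host of its recorded redirect chain rather than by the first hop. The trusted-host list, the function names and all sample URLs are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: hosts accepted as genuine Microsoft sign-in endpoints.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Constructed sample: Location headers recorded by a sandbox or proxy
# (URL -> redirect target). A reputable first hop, then two redirects.
SAMPLE_HOPS = {
    "https://www.youtube.com/constructed-redirect": "https://tracker.example/r?id=1",
    "https://tracker.example/r?id=1": "https://compromised-site.example/office/login.html",
}


def resolve_chain(start, hops, max_hops=10):
    """Follow recorded redirects from start; return every URL visited."""
    chain = [start]
    while chain[-1] in hops:
        # Location may be relative, so resolve it against the current URL.
        nxt = urljoin(chain[-1], hops[chain[-1]])
        if nxt in chain or len(chain) > max_hops:
            raise ValueError("redirect loop or chain too long")
        chain.append(nxt)
    return chain


def assess_login_link(start, hops):
    """Score a link whose message claims to lead to a Microsoft sign-in."""
    chain = resolve_chain(start, hops)
    hosts = [urlsplit(url).hostname for url in chain]
    findings = []
    if len(chain) - 1 >= 2:
        findings.append("multiple_redirects")
    if hosts[0] != hosts[-1]:
        findings.append("first_hop_hides_destination")
    if hosts[-1] not in TRUSTED_LOGIN_HOSTS:
        findings.append("login_page_off_trusted_host")
    return {"final_host": hosts[-1], "redirects": len(chain) - 1, "findings": findings}


if __name__ == "__main__":
    print(assess_login_link("https://www.youtube.com/constructed-redirect", SAMPLE_HOPS))
```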
The new Microsoft Teams phishing campaign is just the latest, and it won’t be the last. Users are advised never to open links from sources or people they don’t know, or at least to verify the authenticity of the sender. Also, never share your Microsoft Office credentials online and only use them for online services you’ve already verified.