Collaboration apps are a boost to business productivity, but also a uniquely attractive target for cyberattackers.
September 14, 2023
In a campaign carried out this summer, an initial access broker (IAB) used an open source red-team tool to phish organizations via Microsoft Teams, paving the way for follow-on attacks.
The responsible party — known variously as TA543, Storm-0324, and Sagrid — is a financially motivated threat actor known for using phishing emails to breach targets before handing the resulting access to ransomware groups. But in its latest efforts, revealed by Microsoft on Sept. 12, it took a different approach: using Microsoft's collaboration app to dupe unsuspecting users and create its openings, via the tool known as TeamsPhisher.
The attacks occurred amid a wave of news about other, unrelated vulnerabilities and breaches affecting the Teams platform, providing yet more evidence that researchers and hackers alike are becoming more interested in business communications apps, even after workforces have returned to the office.
Because Microsoft Teams is typically used within, rather than between organizations, it normally isn't possible to, say, send a random file to a user from another Teams tenant (organization).
But researchers have been finding workarounds to that hurdle for a while now. In December, a red team operator described on Medium how a little spoofing here and some trickery there could undermine basic security controls in Teams chat, such as the restrictions on who can start a new chat or remove the "Edited" tag from an edited message.
Similarly, in June, two security researchers developed an exploit for an insecure direct object reference (IDOR) vulnerability, enabling them to bypass Teams' client-side security controls to send files to external tenants. In acknowledging the vulnerability, Microsoft informed the researchers that it "did not meet the bar for immediate servicing."
And in July, red-team developer Alex Reid proved Microsoft wrong, combining the work of prior researchers to create TeamsPhisher, a tool that simplifies the process of sending messages and files to external Teams tenants. In the tool's GitHub README, Reid described how simply it works:
Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets. TeamsPhisher will first enumerate the target user and ensure that the user exists and can receive external messages. It will then create a new thread with the target user... With the new thread created between our sender and the target, the specified message will be sent to the user along with a link to the attachment in SharePoint.
According to Microsoft's research, the Storm-0324 threat actor seems to have pounced on the tool within the very same month it was published.
All of this could spell trouble for organizations down the line. In the past, Storm-0324 has most often used its unauthorized corporate network access to distribute the JSSLoader, then hand over the keys to the notorious financial and ransomware actor FIN7 (aka Sangria Tempest, ELBRUS, Carbon Spider, Carbanak Group, and Cobalt Group).
In its blog, Microsoft felt the need to distinguish Storm-0324's campaign from another phishing campaign affecting Teams environments, carried out by a different threat actor, Midnight Blizzard (aka Nobelium, APT29, UNC2452, and Cozy Bear).
To Steven Spadaccini, vice president of threat intelligence for SafeGuard Cyber, it makes sense that threat actors are increasingly targeting Microsoft's collaboration app.
"Most business communications today take place outside of traditional email, in collaboration apps like Microsoft Teams. Attackers know this too and are tailoring their attack mechanisms for these high-traffic cloud workplace channels," he says, adding that "the application's proximity to the rest of the device, and all the other apps on that device, make it a potential entry point for serious trouble, and account compromise is a key security concern."
In fact, organizations often don't even realize just how valuable their Teams environments are. Spadaccini cites a recent personal experience, auditing the Teams channel for a healthcare company.
"We determined that 30% of the customer's business communications occurred in Teams," he says. "This quantifies the continuous stream of risk to the company and the potential avenues for compromise such as data exfiltration and/or IP loss."
According to Justin Klein Keane, director of the cyber fusion center and incident response at MorganFranklin Consulting, Teams doesn't yet face the extent of threats seen on other messaging and productivity platforms.
"We have definitely observed targeted attacks using collaboration apps," he says, "but surprisingly, Teams is not frequently a component of these attacks, probably owing to its enterprise tenancy and integration with Microsoft Defender for Office 365, which provides for some tight operational controls over Teams (probably leading to Microsoft being able to identify attacks on Teams). Other, more distributed platforms like Discord, Slack, and Telegram have been observed by our Security Operations Center (SOC) as components of attacks."
TeamsPhisher and related attacks that do occur over Teams can be prevented by simply toggling off the ability for users in a Microsoft tenant to engage with users of external tenants. But according to Spadaccini, that's only a first step toward real, comprehensive protection.
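An added example, not from the article, Microsoft or the TeamsPhisher project, of how a Teams administrator would audit and apply the external-access mitigation described above using the MicrosoftTeams PowerShell module; the domain partner.example is a placeholder, and the $BlockAll switch is a convenience assumed here, not a module setting.

```powershell
# Added example: audit and restrict external (federated) access to a Teams tenant.
# Assumes the MicrosoftTeams module is installed and the account has Teams admin rights.
Connect-MicrosoftTeams

# 1. Audit the settings that decide whether other tenants and personal (consumer)
#    Teams accounts can open a chat with this tenant's users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowPublicUsers, AllowedDomains, BlockedDomains
# Weak state: AllowFederatedUsers = True with AllowedDomains set to "all known domains"
# means any external tenant can start a thread and drop a SharePoint link in it.

# 2. Choose the hardened state. $BlockAll is a local switch for this script only.
$BlockAll = $true

if ($BlockAll) {
    # 2a. Turn external access off entirely (the mitigation the article names),
    #     including chats from personal Teams and Skype consumer accounts.
    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $false `
        -AllowTeamsConsumer $false `
        -AllowTeamsConsumerInbound $false `
        -AllowPublicUsers $false
} else {
    # 2b. Keep federation on but only for an explicit allowlist of partner tenants.
    #     "partner.example" is a placeholder; replace with the real partner domain.
    $partner = New-CsEdgeDomainPattern -Domain "partner.example"
    $allowed = New-CsEdgeAllowList -AllowedDomain @($partner)
    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $true `
        -AllowedDomains $allowed `
        -AllowTeamsConsumer $false `
        -AllowTeamsConsumerInbound $false
}

# 3. Verify the change took effect before closing the session.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Tenant-wide federation settings can take some time to propagate, so re-run the verification step after a while rather than assuming the first read reflects the final state.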
"Securing users' account settings is a good place to begin, but organizations can go a step further by gaining full visibility into their Microsoft Teams communications to monitor for malicious activity and establishing Microsoft Teams security protocols with solutions that will allow them to customize their policies, and quickly apply those policies across the entire channel," he says. "If a company can keep an all-seeing eye on potential threats and manage them from one central hub within its organization, they can leave no risks unseen."
Nate Nelson, Contributing Writer
Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.