Office 365 Users Targeted in Microsoft Teams Phishing Scam

A new Office 365 phishing campaign has been detected by researchers at Abnormal Security that spoofs Microsoft Teams to trick users into visiting a malicious website hosting a phishing form that harvests Office 365 credentials.

Microsoft Teams has been adopted by many organizations to allow remote workers to maintain contact with the office. In healthcare the platform is being used to provide telehealth services to help reduce the numbers of patients visiting healthcare facilities to control the spread of COVID-19.

Microsoft reported in in a June call announcing financial earnings for the quarter ended June 30, 2020 that Microsoft Teams is now used by more than 150 million students and teachers. Over 1,800 different organizations have more than 10,000 Teams users, and 69 organizations have over 100,000 Teams  users. The use of Microsoft Teams in healthcare has also been growing, with 46 million Teams meetings now being conducted for telehealth purposes. The increase in usage due to the pandemic has presented an opportunity for cybercriminals.

According to figures from Abnormal Security, the latest campaign has seen the fake Microsoft Teams emails sent to up to 50,000 Office 365 users so far. The messages appear to be sent from a user with the display name “There’s new activity in Teams,” making the messages appear to be automated notifications from Teams.

The messages advise users to log into Teams as the community is trying to get in touch. The emails include a button to click to login to Teams that has the display text – “Reply in Teams.” The messages include a realistic looking footer with the Microsoft logo and options to install Microsoft Teams on iOS and Android.

The links in the email direct the user to a Microsoft login page that is a carbon copy of the official login prompt, aside from the domain on which the page is hosted. That domain starts with “microsftteams” to make it appear genuine.

The campaign is one of many targeting Office 365 credentials and there have been several campaigns targeting video conferencing platforms in response to the increase in popularity of the solutions during the pandemic.

Emotet Trojan Campaign Uses Fake Microsoft Word Upgrade Notifications

The Emotet Trojan is being spread in a new campaign that uses fake Microsoft Word upgrade notifications as a lure to get users to install the malware. Emotet is the most widely distributed malware currently in use. Infection with the malware sees the user’s device added to a botnet that is used to infect other devices. Emotet is also a malware downloader and is used to install information stealers such as TrickBot and QBot malware, which are used to deliver ransomware variants such as Ryuk, ProLock, and Conti.

The messages appear to be Microsoft Office notifications that advise the user that they need to perform an upgrade of Microsoft Word to add new features. The messages have a Microsoft Word attachment and the user is instructed to Enable Editing and then Enable Content. Doing so will launch a malicious macro which will download Emotet onto the user’s device

Users should exercise caution and should avoid clicking links or opening attachments in unsolicited emails. Since Emotet hijacks the user’s email account to send further phishing emails, the messages may even be sent from an individual in the user’s contact list.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.