Storm-0324's New Network Hacking Tactic: Microsoft Teams Instead of Email

Hackers use Teams for phishing attacks and infiltrating corporate networks.

Microsoft warned about a new phishing campaign that uses Microsoft Teams as a platform to infiltrate corporate networks. The Microsoft Threat Intelligence team tracks a cluster of threats called Storm-0324, also known as TA543 and Sagrid.

Experts note that since July 2023, Storm-0324 has changed its attack methods. Where email was previously the main infection vector, attackers now actively use Microsoft Teams chats. Malware is delivered with an open source tool that sends phishing messages directly through the platform.

Storm-0324 provides malware distribution services, including banking Trojans and ransomware. In previous attacks, cybercriminals used phishing emails with decoy documents in the form of invoices and other financial documents. A new attack method using Microsoft Teams puts corporate networks at risk at a new level, as many companies rely on this platform for internal and external communication.

According to Microsoft, Storm-0324 is an Initial Access Broker (IAB) that sells access to compromised networks. Access obtained in this campaign therefore opens up the possibility for other cybercriminal groups to perform post-exploitation actions and deploy various malicious software, including ransomware.

In July 2023, the method of operation was updated: phishing baits are sent through Teams with malicious links leading to a malicious ZIP file hosted on SharePoint. This is achieved by using an open source tool called TeamsPhisher, which allows Teams users to attach files to messages sent to external users. The tool abuses an unresolved security issue in the service to bypass the restriction on communicating with external users outside the target organization.

Microsoft has made several security improvements to block the threat, and has blocked certain accounts and customers associated with suspicious or fraudulent activity. The company emphasizes that identifying and eliminating Storm-0324 activity can prevent more dangerous subsequent attacks, such as data extortion.
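As an added defensive illustration (not part of the original post or of any Microsoft tooling), the following triage logic flags the pattern described above: a chat message from a sender outside the tenant that carries a SharePoint-hosted link to a ZIP archive. The record format, the tenant domain `contoso.example` and the sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed tenant configuration: sender domains that count as internal.
INTERNAL_DOMAINS = {"contoso.example"}

# Constructed sample chat records; the field names are an assumption,
# not a real Teams export format.
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "alice@contoso.example",
     "body": "Q3 report: https://contoso.sharepoint.com/sites/fin/report.pdf"},
    {"id": 2, "sender": "billing@lookalike.example",
     "body": "Your invoice: https://evil.sharepoint.com/:u:/s/docs/Invoice_0923.zip?download=1"},
    {"id": 3, "sender": "partner@vendor.example",
     "body": "Notes from today's call, thanks!"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_external(sender: str) -> bool:
    """True when the sender's mail domain is not one of the tenant's own."""
    return sender.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def score_message(msg: dict) -> list:
    """Return the list of risk indicators present in one chat record."""
    reasons = []
    if is_external(msg["sender"]):
        reasons.append("external_sender")
    for url in URL_RE.findall(msg["body"]):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        # Any SharePoint-hosted link, including tenants other than our own.
        if host.endswith(".sharepoint.com") and "sharepoint_link" not in reasons:
            reasons.append("sharepoint_link")
        if parts.path.lower().endswith(".zip") and "zip_archive" not in reasons:
            reasons.append("zip_archive")
    return reasons


def triage(messages: list) -> list:
    """Flag records where an external sender delivers a SharePoint link or a ZIP."""
    flagged = []
    for msg in messages:
        reasons = score_message(msg)
        if "external_sender" in reasons and len(reasons) > 1:
            flagged.append((msg["id"], reasons))
    return flagged
```

Internal users linking to the tenant's own SharePoint are left alone; only the external-sender-plus-lure combination is surfaced for review.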