In August, the Quorum Cyber Threat Intelligence (TI) team detected and began reporting on a new malicious campaign targeting organisations via Microsoft Teams. Initially, this campaign appeared to focus on local government entities across the UK; however, the scope quickly expanded and organisations across both the private and public sectors began reporting attacks.
The first accounts of targeting were traced back to a Russian state-sponsored threat actor, Midnight Blizzard (also known as APT29, Cozy Bear). After widespread reporting on the new technique, however, additional threat groups have been attributed to similar campaigns. The latest threat groups using this initial access method include Storm-0324, a group motivated by financial gain, and various other organised crime groups.
Teams Phishing Campaign
The Teams phishing attempts detected by Quorum Cyber’s TI team all follow the same steps, so users can be taught to recognise the campaign at an early stage. These steps are as follows (also see figure 1):
- The threat actor highly likely conducts low-level social media scraping to determine key members of an organisation
- The threat actor creates a Microsoft Teams account impersonating the previously determined key member, to increase the effectiveness of the attack attempt
- Using either leaked target organisation emails or open-source intelligence (OSINT), the threat actor communicates with employees of the target organisation via disguised group chats, thus hiding their ‘external’ banner
- An attention hook is provided, for example, notification of redundancy.
- Attached is a .Zip folder containing .LNK files masquerading as PDFs which, once clicked, take the victim to a website hosted by the threat actor from which DarkGate command-and-control (C2) malware is triggered for installation.
Figure 1: Teams Phishing Example
Midnight Blizzard (APT 29)
Midnight Blizzard is a threat actor group which highly likely has links to the Russian Foreign Intelligence Service (SVR).
Midnight Blizzard has been suspected of being involved in several high-profile attempted intrusions and compromises, including the Office Monkeys campaign in 2014 targeting a Washington D.C.-based private research institute, the Pentagon in 2015, the Democratic National Committee (DNC) and US think tanks in 2016, and the Norwegian Government and several Dutch ministries in 2017. The group has also targeted organisations within the education sector that are affiliated with medical research.
At the time of the initial reporting of this new Teams campaign, there was a realistic possibility that the targeting of UK local government was conducted in retaliation for the UK’s continued support for Ukraine.
Storm-0324
Storm-0324 is a threat actor newly designated by Microsoft and is highly likely driven by financial motivations. The group is known to gain initial access using email and Teams phishing and, once DarkGate C2 has been installed onto the victim’s machine, to sell that access to compromised networks on to other threat actors. These handoffs allow for further threat actor exploitation and frequently lead to ransomware deployment.
DarkGate
DarkGate is a C2 post-exploitation malware that has been active since 2017 but has recently been associated with a significant surge in operations and Teams targeting. DarkGate is a multi-purpose malware toolkit that includes features for evading detection, escalating privileges, remote code execution, keylogging, and data theft from web browsers.
In this latest campaign, Midnight Blizzard, Storm-0324 and various other organised crime groups have been using DarkGate to gain a foothold within a victim’s network and to deploy additional malware in line with their aims and motivations. In most cases, this will be ransomware.
Mitigations and Threat-Led Analytics
In light of this threat, Quorum Cyber has developed new intelligence-led analytics which have been deployed across our customers’ Managed Detection & Response (MDR) environments. These newly created analytics have already been successful in detecting and blocking several malicious attempts of this new technique across our customer base.
Additionally, it is recommended that members of staff are made aware of this campaign and of the signs of initial threat actor interaction (see figure 1).
Signs to be aware of:
- External user creating a group masquerading as a key individual (usually HR)
- Associated email address being ‘onmicrosoft[.]com’
- .Zip file containing LNK files masquerading as PDFs.
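As an added example (not Quorum Cyber’s own analytics), the following script applies the three signs above to a single Teams chat event: an external sender in a group chat, an onmicrosoft.com sender domain, and a zip attachment containing .LNK files masquerading as PDFs. The event field names (`sender`, `is_external`, `chat_type`) are assumptions, not a Teams API schema, and the zip is constructed in memory to stand in for the lure.

```python
import io
import re
import zipfile
from typing import Optional

# .lnk files named to look like documents, e.g. "Notice.pdf.lnk"
MASQUERADE_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)


def build_sample_zip() -> bytes:
    """Construct an in-memory zip mimicking the lure (placeholder bytes, not real shortcuts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Redundancy_Notice.pdf.lnk", b"placeholder")
        zf.writestr("HR_Changes.pdf.lnk", b"placeholder")
        zf.writestr("readme.txt", b"benign text file")
    return buf.getvalue()


def is_onmicrosoft_sender(upn: str) -> bool:
    """True for <tenant>.onmicrosoft.com addresses, the unbranded default tenant domain."""
    domain = upn.rsplit("@", 1)[-1].lower()
    return domain == "onmicrosoft.com" or domain.endswith(".onmicrosoft.com")


def suspicious_lnk_members(zip_bytes: bytes) -> list:
    """Return zip member names that are .lnk files, noting double extensions."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.lower().endswith(".lnk") or MASQUERADE_RE.search(n)]


def score_message(msg: dict, attachment: Optional[bytes]) -> dict:
    """Evaluate one chat event (assumed field names) against the three signs."""
    findings = []
    if msg.get("is_external") and msg.get("chat_type") == "group":
        findings.append("external sender in a group chat (external banner hidden)")
    if is_onmicrosoft_sender(msg["sender"]):
        findings.append("sender domain is onmicrosoft.com")
    if attachment:
        hits = suspicious_lnk_members(attachment)
        if hits:
            findings.append("archive contains .lnk masquerading as documents: %s" % hits)
    return {"alert": len(findings) >= 2, "findings": findings}


SAMPLE_MSG = {"sender": "hr.director@contoso-hr.onmicrosoft.com",  # constructed
              "is_external": True, "chat_type": "group"}

if __name__ == "__main__":
    print(score_message(SAMPLE_MSG, build_sample_zip()))
```

An alert requires two of the three signs so that a lone legitimate onmicrosoft.com tenant does not trip it; the zip check alone is worth surfacing even when the sender looks internal.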