Collaboration apps have become a crucial tool for business productivity, but they are now an enticing target for cybercriminals.
In a campaign conducted over the summer, an initial access broker (IAB) used an open-source red-team tool to deliver phishing lures through Microsoft Teams, opening the door to follow-on intrusions. The group behind the operation, tracked by Microsoft as Storm-0324 and also known as TA543 and Sagrid, is financially motivated, has a long record of breaching targets with phishing emails, and frequently hands the resulting access to ransomware operators. In this latest campaign, disclosed by Microsoft on September 12, the group turned Microsoft's own collaboration app against its users, relying on a tool called TeamsPhisher to push lures into tenants other than its own.
These attacks occurred amid a wave of unrelated vulnerabilities and breaches affecting the Teams platform, highlighting the increasing interest of both researchers and hackers in targeting business communication apps, even as workplaces transition back to in-office settings.
Microsoft Teams is built primarily for communication inside a single organization (a tenant); by default, a user in one tenant cannot freely send files to a user in another tenant. Researchers have repeatedly found ways around that restriction, undermining one of the platform's basic security controls. The bypasses include spoofing tricks that manipulate Teams chat functions and an insecure direct object reference (IDOR) weakness that lets a sender deliver files to an external tenant the client would otherwise refuse.
In July, red-team developer Alex Reid released TeamsPhisher, a tool that automates sending messages and file attachments to users in external Teams tenants. According to Microsoft, Storm-0324 began using the tool the same month it was published.
While these developments may not pose an immediate threat to organizations, they underscore the growing trend of cybercriminals targeting communication apps like Microsoft Teams. Steven Spadaccini, vice president of threat intelligence for SafeGuard Cyber, notes that these apps are now central to business communications, making them a prime target for attackers. Organizations must be proactive in securing their Teams environments, as the risks include data exfiltration and IP loss.
Justin Klein Keane, director of the cyber fusion center and incident response at MorganFranklin Consulting, points out that Teams currently faces fewer threats compared to other messaging and productivity platforms due to its integration with Microsoft Defender for Office 365. However, he emphasizes the need for organizations to establish comprehensive security protocols and monitoring to safeguard against potential threats on Teams.
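The most direct hardening step against cross-tenant lures of this kind is to stop accepting chat from arbitrary external tenants in the first place. The following PowerShell, added here as an illustration and not taken from the article, from Microsoft's advisory, or from TeamsPhisher, audits the tenant's current external-access (federation) settings and then narrows them to an explicit allow list. It assumes the MicrosoftTeams PowerShell module is installed and the caller holds a Teams administrator role; `partner.example` is a placeholder for a real partner domain.

```powershell
# Added example: audit and tighten Microsoft Teams external access.
# Assumes the MicrosoftTeams module is installed and the signed-in account
# is a Teams administrator. Not part of the article or of any vendor tooling.
Connect-MicrosoftTeams

# Step 1: audit. The shipped defaults allow chat from every other Microsoft 365
# tenant (AllowedDomains = AllowAllKnownDomains) and from consumer accounts,
# which is exactly the surface a tool that messages external tenants relies on.
$cfg = Get-CsTenantFederationConfiguration
"AllowFederatedUsers      : $($cfg.AllowFederatedUsers)"
"AllowedDomains           : $($cfg.AllowedDomains)"
"AllowTeamsConsumer       : $($cfg.AllowTeamsConsumer)"
"AllowTeamsConsumerInbound: $($cfg.AllowTeamsConsumerInbound)"
"AllowPublicUsers         : $($cfg.AllowPublicUsers)"

# Step 2: harden. Keep federation on for partners you actually work with,
# restrict it to an explicit allow list, and turn off consumer/Skype accounts.
# Replace partner.example with your real partner domain(s); the hashtable
# form appends to the existing list rather than replacing it.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{Add = "partner.example"} `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# Step 3: confirm the change took effect before closing the session.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers
```

An allow list only narrows which external tenants can open a chat with your users; it does not inspect what an allowed tenant sends, so it complements rather than replaces Defender for Office 365 Safe Links and Safe Attachments policies, sign-in monitoring, and user awareness of unexpected external chats. Before locking the list down, inventory the domains your staff legitimately federate with, or the change will surface as a flood of help-desk tickets rather than as a security win.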