Hackers are using Microsoft Teams to spread phishing, vishing, and quishing campaigns, using social engineering to trick victims into sharing important private data. Because Teams is one of the most popular collaborative work tools worldwide, there are millions of potential victims, but there are a few handy ways to spot a Microsoft Teams scam.
MFA Authentication Scam
This scam, believed to be the work of the same group behind the SolarWinds attack, circumvents multifactor authentication using social engineering tactics. Attackers use previously compromised Microsoft 365 tenants to create a new security-themed “onmicrosoft.com” subdomain and add a new user. The actors also change the tenant name to “Microsoft Identity Protection” or something similar.
Next, they send the target a request to chat. If the user accepts it, they are sent an MS Teams message with a code and are then persuaded to enter this number into the Microsoft Authenticator app on their device. Once the target enters the code into the authenticator app, the hacker gains access to the target’s Microsoft 365 account. The attacker will then pilfer information from the MS 365 tenant or add a managed device to the organization.
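A defender can screen incoming chat requests for the naming pattern described above. The following is an added example, not code from the article or from Microsoft; the keyword list, the home domain and the sample senders are assumptions constructed for illustration.

```python
import re

# Assumed keyword list for "security-themed" names; tune it for your tenant.
SECURITY_TERMS = ("security", "identity", "protection", "authenticat", "mfa", "verif")
# Hypothetical home domain of the organisation running the check.
HOME_DOMAINS = {"contoso.example"}
SUFFIX = ".onmicrosoft.com"


def squash(text):
    """Lowercase and drop separators so 'Identity-Protection' matches 'identityprotection'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def review_chat_request(sender_upn, display_name):
    """Return the reasons an incoming chat request deserves a second look."""
    domain = sender_upn.rsplit("@", 1)[-1].strip().lower()
    if domain in HOME_DOMAINS:
        return []  # internal sender, outside the scope of this check
    reasons = []
    if domain.endswith(SUFFIX):
        label = squash(domain[: -len(SUFFIX)])
        hits = [term for term in SECURITY_TERMS if term in label]
        if hits:
            reasons.append("security-themed onmicrosoft.com subdomain: " + ", ".join(hits))
    # "x.onmicrosoft.com" is a customer tenant, not Microsoft itself, so only
    # an exact match or a real ".microsoft.com" subdomain counts as Microsoft.
    from_microsoft = domain == "microsoft.com" or domain.endswith(".microsoft.com")
    if "microsoft" in squash(display_name) and not from_microsoft:
        reasons.append("display name claims Microsoft, sender domain is " + domain)
    return reasons


# Constructed sample requests: (sender address, tenant or display name).
SAMPLES = [
    ("alice@contoso.example", "Alice (Finance)"),
    ("bob@partnerco.onmicrosoft.com", "Bob at PartnerCo"),
    ("alerts@identity-protection-demo.onmicrosoft.com", "Microsoft Identity Protection"),
]

if __name__ == "__main__":
    for upn, name in SAMPLES:
        print(upn, "->", review_chat_request(upn, name) or "no findings")
```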
Black Basta Ransomware Attack
The notorious Black Basta ransomware group also targets Microsoft Teams logins, using a social engineering campaign to bombard email addresses with spam. The hackers contact the MS Teams user posing as IT support or a corporate help desk, offering to fix the ongoing spam issue, which typically comprises non-malicious emails like sign-up confirmations, newsletters, or email verifications meant to overwhelm the user’s inbox.
Next, the hacker calls the overwhelmed employee and attempts to have them install a remote desktop access tool, which lets the attacker take over the user’s machine. Once they have control, they can install a range of malware, including a remote access Trojan (RAT), Cobalt Strike, DarkGate malware, and other dangerous payloads. Ultimately, Black Basta gains complete control of the machine and can exfiltrate as much data from the network as possible.
Microsoft Teams Fake Job Scam
Fake job scams have been around for a while, preying on people looking for a job, and scammers use Microsoft Teams chat to exploit victims. Attackers email you about a fake job and suggest using Microsoft Teams to conduct the interview. Now, here’s the first red flag: the whole interview will be conducted via chat.
Then, you will be offered a fake job and asked to submit your information to the company database. Some victims receive a Google Doc requesting their PII and social/tax number. In some instances, victims are asked to purchase items supposedly used to conduct the job, pay a fee to be hired, or purchase gift cards, among the most common signs that the job offer isn’t legitimate.
Microsoft Teams HR Spoofing Using Malicious ZIP Files
Not only are attackers spoofing IT support teams, but they’re also impersonating HR personnel. Initially observed in 2023, the attack starts with a message from someone posing as HR personnel using a previously compromised Microsoft 365 account. In some cases, the attacker even posed as the company’s CEO.
The target receives a phishing message explaining that there will be changes to the employee’s vacation schedule and that some employees, including the victim, are impacted. The phishing message contains a download link to the supposed new schedule, which is actually a link to the DarkGate malware. If the malicious file is executed on the target machine, it will install the malware, giving the attacker complete access to the device and its data.
Malicious PDF File Sent Through Microsoft Teams
Attackers also use compromised Microsoft 365 accounts to send malicious executables disguised as PDF files. This attack starts with a Microsoft Teams chat invite, which, if accepted, actually downloads an apparently harmless PDF file. However, it’s really a malicious executable that uses a double extension to trick you. So, where the extension appears to be a PDF, it’s actually an EXE.
The file is typically named with something requiring immediate action, such as “Navigating Future Changes.pdf.msi,” which, once opened, actually downloads malware.
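The double-extension trick can be checked mechanically before a file is opened. The following is an added example, not code from the article; the extension lists are assumptions, and all sample names other than the one quoted above are constructed.

```python
import ntpath  # Windows path rules, importable on every platform

# Assumed lists for this example; extend them to match local policy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTS = {".exe", ".msi", ".scr", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk"}


def check_attachment_name(filename):
    """Classify a received file name as 'ok', 'executable' or 'disguised'."""
    # Windows ignores trailing dots and spaces, so "x.pdf.msi. " still opens as .msi.
    name = ntpath.basename(filename).rstrip(". ")
    stem, final_ext = ntpath.splitext(name)
    final_ext = final_ext.lower()
    if final_ext not in EXECUTABLE_EXTS:
        return ("ok", "final extension %r is not executable" % final_ext)
    # Whitespace padding ("report.pdf      .exe") pushes the real extension
    # out of view in narrow columns, so strip it before looking for a decoy.
    inner_ext = ntpath.splitext(stem.rstrip())[1].lower()
    if inner_ext in DECOY_EXTS:
        return ("disguised", "%s hidden behind decoy %s" % (final_ext, inner_ext))
    return ("executable", "runs as %s" % final_ext)


def scan(names):
    """Map each file name to its verdict."""
    return {name: check_attachment_name(name)[0] for name in names}


# The first name is the one quoted in the article; the rest are constructed.
SAMPLES = [
    "Navigating Future Changes.pdf.msi",
    "Vacation Schedule.PDF.MSI. ",
    "report.pdf      .exe",
    "setup.exe",
    "invoice.pdf",
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print("%-40r %s" % (name, verdict))
```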
How to Protect Yourself
You should always be careful with external messages and invites you receive on Microsoft Teams. Even if a message seems to be from someone you know, it’s best to double-check, especially if it involves a file, a link, or an invitation to a chat you weren’t expecting to receive. Never give control of your device to a third party unless you have verified that the request comes from a legitimate representative of your IT team. Be wary of urgent calls to action in emails and messages, as these are often designed to make you act before you think.
Other ways to protect yourself from phishing scams include using link-checking sites to determine if a link is safe or domain-age checking sites that let you see the accurate age of a domain. Malicious phishing sites will typically be only a few days, weeks, or months old and often mimic addresses to try and catch you off-guard.
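Domain-age sites read the registration date from the domain's public registration record, and the same check can be run on an RDAP response. The following is an added example, not code from the article; the 180-day cut-off, the sample domains and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

MIN_AGE_DAYS = 180  # assumed cut-off for "a few months old"; not from the article


def registration_date(rdap):
    """Pull the registration timestamp out of a parsed RDAP domain response."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration" and event.get("eventDate"):
            # RDAP dates are RFC 3339; older Pythons reject the trailing "Z".
            stamp = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)
    return None


def assess_domain_age(rdap, now=None):
    """Return (verdict, age_in_days): 'young', 'established' or 'unknown'."""
    now = now or datetime.now(timezone.utc)
    registered = registration_date(rdap)
    if registered is None:
        # No registration event: treat as unverified rather than as safe.
        return ("unknown", None)
    age = (now - registered).days
    return ("young" if age < MIN_AGE_DAYS else "established", age)


# Constructed RDAP responses, trimmed to the fields used here.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
NEW_DOMAIN = {"ldhName": "teams-login-update.example", "events": [
    {"eventAction": "registration", "eventDate": "2024-05-20T10:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2025-05-20T10:00:00Z"}]}
OLD_DOMAIN = {"ldhName": "long-standing.example", "events": [
    {"eventAction": "registration", "eventDate": "2012-03-04T00:00:00Z"}]}
NO_DATE = {"ldhName": "redacted.example", "events": [
    {"eventAction": "last changed", "eventDate": "2024-05-30T08:00:00Z"}]}

if __name__ == "__main__":
    for record in (NEW_DOMAIN, OLD_DOMAIN, NO_DATE):
        print(record["ldhName"], assess_domain_age(record, SAMPLE_NOW))
```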