Attackers Prey on Microsoft Teams Accounts to Steal Credentials
Posted by Geraldine Hunt on Thu, Oct 29th, 2020
With many employees working from home, cyber-criminals have changed their phishing emails to look like many of the collaboration tools on the market. One such attack targets companies using Microsoft Teams. Microsoft Teams is a popular collaboration tool in the enterprise, and recent phishing emails trick users into divulging their system credentials. The attack is devastating for organizations as Teams stores user information and intellectual property that could expose corporate strategies.
How the Attack Works
If you’re familiar with Microsoft Teams, you know that activity on the platform triggers a message to users. When a message is sent to a particular user, this user receives an email alerting them to the message. The user can click a link in the email or reply to the message in Teams by replying to the email. When users click the link, the Teams site opens, where they log in and then reply.
With this new attack, phishers send an email to the targeted user with a message that says “There’s new activity in Teams,” making it appear like an automated notification from Microsoft Teams. It then notifies the user that their teammates are trying to reach them and urges the recipient to click “Reply in Teams.” The “Reply in Teams” link opens an attacker-controlled page tricking the user into entering their credentials.
It’s easy to fall victim to these attacks, as the phishing page is made to look like the Teams login page. Users who do not look at the URL in their web browser will quickly enter their credentials, and at this point it’s too late. The credentials are sent to the attacker, and the attacker can now use this information to log into other accounts including the business network. If the user quickly realizes the mistake, credentials can be changed, but for corporate users this could require a call to IT support to ensure that other areas of the network are secure from attackers. By the time credentials and accounts are secured, the attacker could already have compromised the network.
Stopping Microsoft Teams Phishing Attacks
Users should know that a new Microsoft Teams attack targets enterprise email accounts, but even educated users could fall victim to a well-designed attack. It’s best not to log into a website after clicking a link in an email. Instead, type the domain in the browser and enter credentials there. Users can also take note of the domain in the URL to ensure that the website is the official Microsoft domain.
Corporations shouldn’t rely only on users to recognize phishing attacks. Even users familiar with phishing attacks and their red flags can be busy one day, click a link in an email, and be too distracted to realize it’s an attack site. Instead of relying solely on users, administrators can use email cybersecurity to block phishing sites and other senders that deliver malicious attachments to corporate recipients.
Email cybersecurity stops phishing emails from reaching the inbox, meaning users never receive them. Attackers use spoofed sender email addresses, and this tactic will not work when the organization implements SPF (Sender Policy Framework) records on their DNS server. An SPF record, published in the sending domain’s DNS, lists the email servers allowed to send for that domain and tells the recipient’s server to reject or quarantine messages that come from a server not on that list.
Messages that do not pass SPF validation can be quarantined, dropped completely, or sent to the user’s spam box. Quarantined messages can be reviewed by administrators to ensure that they are not false positives, but a flood of phishing emails could mean that the organization is under attack by a specific cyber-criminal. The advantage of using email security with a quarantine feature is that it helps administrators identify attacks, alert users, and avoid frustrations from false positives.
Another email cybersecurity feature is DMARC (Domain-based Message Authentication, Reporting & Conformance). SPF is one part of the DMARC standard, but your email cybersecurity should also include DMARC rules. These rules tell the server what to do when a suspicious email is received. Administrators use DMARC to stop phishing emails as well as ones with malicious attachments that could be used to compromise the user’s local device.
DMARC and SPF rules are the foundation of good email security, and they will block phishing emails including the Microsoft Teams attack. Users should still be educated to detect these attacks, but blocking emails from reaching the recipient’s inbox is the best way to stop your organization from becoming the next victim of a data breach.
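The SPF check and the DMARC rule described above can be traced in code. This is an added example, not TitanHQ's or any mail server's implementation: it evaluates an SPF record against the connecting IP, then applies the DMARC `p=` policy when nothing authenticates the visible From domain. Assumptions: only `ip4`, `ip6` and `all` SPF terms are handled, alignment is an exact domain match, and the records, domains and function names are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate ip4/ip6/all only. Assumption: no include/a/mx terms, which need DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qual]
        if name.lower() in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched

def dmarc_policy(record):
    """Return the p= tag (none/quarantine/reject), or None if this is not a DMARC1 record."""
    tags = dict(t.split("=", 1) for t in record.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip().lower() for k, v in tags.items()}
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def disposition(from_domain, envelope_domain, envelope_spf, dmarc_record, client_ip,
                dkim_aligned_pass=False):
    """DMARC outcome for one message. Assumption: alignment means an exact domain match."""
    spf_aligned_pass = (spf_result(envelope_spf, client_ip) == "pass"
                        and from_domain.lower() == envelope_domain.lower())
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    policy = dmarc_policy(dmarc_record)
    return policy if policy in ("quarantine", "reject") else "deliver"

# Constructed records for the placeholder domain corp.example (documentation IP ranges).
CORP_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
CORP_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"
```

A message that passes SPF for a different envelope domain while showing `corp.example` in the From header is still rejected, because the passing domain does not match the one the recipient sees. With `p=none` the same message is delivered, since that policy only monitors.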
You will no doubt already have a spam filtering solution in place, but is it effective? Are phishing emails still being delivered? One common mistake made by SMBs is to believe that their Office 365 environment is well protected by default, when the reality is that Exchange Online Protection (EOP), which comes with Office 365, fails to block many phishing attempts. One study showed 25% of phishing emails were not blocked by EOP. If you want to improve your defenses against phishing, you should use a third-party anti-spam and anti-phishing solution on top of EOP: one that complements EOP but provides greater protection, such as SpamTitan.
With more phishing emails being blocked, your security posture will be much improved, but you can’t stop there. No anti-phishing solution will block all phishing threats, 100% of the time. Since all it takes is for one phishing email to be clicked for a data breach to occur, you need to add another layer to your defenses.
A DNS filtering solution provides protection against the web-based part of phishing attacks. When an employee clicks a link in an email and is directed to a fake Office 365 login page or a site where malware is downloaded, the attempt to access the site will be blocked.
A DNS filter blocks attempts to access phishing sites at the DNS lookup stage, before any web content is downloaded. If an attempt is made to access a phishing site, the employee will be directed to a block page before any harm is done. DNS filters can also block malware downloads from sites that are not yet known to be malicious.
Implementation isn't always simple; it requires planning and expertise. Relying on a single security layer is no longer wise in today’s threat landscape. Organizations need to focus on the data they are protecting and build layers of security around it. Your clients and your bottom line will thank you.
If you’re interested in learning how TitanHQ can enable you to implement a comprehensive layered security approach for your users and customers, please get in touch with us today.