Scams involving fake technical support are nothing new. Pretending to be someone who can sort out a problem, perhaps help fix a computer problem, is a classic cybercriminal tactic. These criminals prey on fear and anxiety and exploit trust. The FBI’s IC3 fraud report 2023 found that tech support scams were the third costliest scam, with 37,500 complaints made in the U.S. alone, resulting in over $924 million in losses.

However, cybercriminals are rarely complacent. As the techniques and tactics of each scam become understood, and the security industry responds with updated measures, attackers up their cyber threat game. A new and ingenious tactic based on the tech support scam, deploying mass phishing attacks and exploiting MS Teams, has arrived. But how does this affect an MSP, and what can be done to mitigate its impact on your clients?

Ransomware, Email Bombs, and MS Teams: a Match Made in Cybercrime Heaven

Phishing emails have become synonymous with ransomware infections, with cybercriminals often choosing email phishing to begin the sequence of events that lead to ransomware. These phishing attacks lure and manipulate employees and supply chain members alike. The top three consequences of phishing include credential theft, data breach, and ransomware infection.

However, keeping up the success rate afforded by phishing attacks when used to deliver ransomware means that cybercriminals must evolve new tactics to evade detection. This latest ransomware tactic update is based on a tech support scam with some dangerous modifications. The attackers use an ingenious mix of phishing attacks, social engineering, standard tech support tools, and the trust afforded to an MSP. The attackers are typically part of hacking gangs, like Black Basta Ransomware and FIN7, renowned for using phishing attacks to initiate ransomware infections. The Black Basta gang has also recently been noted as using QR Codes as part of the attack chain, allowing them to circumvent multi-factor authentication (MFA) once they have stolen user credentials.

The steps to ransomware infection and data theft in this latest tech support scam typically look like this:

Step One:

The attackers send out “email bombs” as part of a phishing attack on targeted employees. This involves sending thousands of emails over a brief period: one of the targeted employees had 3,000 emails enter their inbox in 45 minutes. This flood of emails is meant to cause anxiety and fear and to generate a sense of urgency in the victim.

Step Two:

The next stage is face-to-face (F2F) or voice-based (vishing) social engineering of the victim. In this tech support scam update, the target is called by a “Help Desk Manager” from an MSP via a video call in MS Teams. The target company uses an MSP, so this is not unusual. The attacker can control the Teams meeting under the default Microsoft Teams configuration, because Teams permits calls and chats from external domains.

Step Three:

The help desk manager, aka attacker, convinces the victim to set up a remote screen control session using the Teams built-in remote control and QuickAssist. All the while, the targeted employee is not aware that this is a hoax. The remote-control session, opened by the employee, is the way into the enterprise network.

Step Four:

The infection stage involves several steps initiated via the remote-control session, using tools like ScreenConnect and NetSupport Manager. This allows the attacker to execute malicious files and run PowerShell commands.

There are several variants of the MS Teams email bombing campaign, but all result in infection by malware like Qakbot, Cobalt Strike, and Black Basta ransomware.
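
The four steps above leave a trail a defender can correlate per user: an inbox flood, then contact from an external Teams domain, then a remote-support tool starting. The following Python is an added example, not code from the original article or from TitanHQ; the event tuple layout, the thresholds, the substring matching of tool names and the sample telemetry are all constructed assumptions.

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names are from the article; matching them as substrings is an assumption.
REMOTE_TOOLS = ("quickassist", "screenconnect", "netsupport")

def detect_chain(events, flood_count=500, flood_window=timedelta(minutes=45),
                 follow_up=timedelta(hours=3)):
    """Alert per user whose inbox flood is followed by later attack stages."""
    by_user = defaultdict(lambda: defaultdict(list))
    for ts, user, kind, detail in sorted(events):
        by_user[user][kind].append((ts, detail))
    alerts = []
    for user, kinds in by_user.items():
        mail = [ts for ts, _ in kinds["mail"]]
        flood_start = None
        # Sliding window: earliest point where flood_count mails fit in flood_window.
        for i, ts in enumerate(mail):
            first = bisect_left(mail, ts - flood_window)
            if i - first + 1 >= flood_count:
                flood_start = mail[first]
                break
        if flood_start is None:
            continue
        end = flood_start + flood_window + follow_up
        in_scope = lambda ts: flood_start <= ts <= end
        stages = ["email_flood"]
        if any(in_scope(ts) for ts, _ in kinds["teams_external"]):
            stages.append("external_teams_contact")
        if any(in_scope(ts) and any(t in d.lower() for t in REMOTE_TOOLS)
               for ts, d in kinds["proc"]):
            stages.append("remote_tool_launch")
        alerts.append({"user": user, "flood_start": flood_start, "stages": stages})
    return alerts

def sample_events():
    """Constructed telemetry (not real logs): (timestamp, user, kind, detail)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ev = [(t0 + timedelta(seconds=4 * i), "alice", "mail", "inbound") for i in range(600)]
    ev += [(t0 + timedelta(minutes=50), "alice", "teams_external", "helpdesk@external.example"),
           (t0 + timedelta(minutes=58), "alice", "proc", "QuickAssist.exe")]
    # bob: normal mail volume plus a routine remote-support session, so no alert.
    ev += [(t0 + timedelta(minutes=15 * i), "bob", "mail", "inbound") for i in range(40)]
    ev += [(t0 + timedelta(hours=2), "bob", "proc", "QuickAssist.exe")]
    return ev

if __name__ == "__main__":
    print(*detect_chain(sample_events()), sep="\n")
```

A remote-support launch alone does not alert, since help desks use these tools legitimately; the signal is the launch following a flood for the same user.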

The MSP's Role in Preventing Tech Support Scams

In this latest phishing bomb, the attacker exploits the trusted MSP role. An MSP is a critical relationship for a client that, if broken, can be a challenge to repair. The last thing an MSP needs is for a cybercriminal to damage its reputation. Fortunately, an MSP can fight back and stop these new forms of inventive cyber threats.

The prepared MSP must offer its customer base multiple phishing and social engineering detection and prevention layers. These layers can help to stop even insidious and multi-part phishing attacks, protecting the client organization and upholding the reputation of the MSP as a trusted outsourced security partner. The multiple layers needed to prevent a phishing attack that uses email bombs and social engineering comprise the following:

Phishing Protection

The email bomb is at the core of this tech support scam. An AI-driven phishing protection solution will provide best-in-class phishing protection for M365 with an additional layer of security. TitanHQ phishing protection employs layers of analysis and machine learning (ML) models to detect phishing emails. Curated feeds identify malicious URLs, providing cutting-edge defense against phishing threats and catching threats Microsoft misses.

Additional functionality, like auto-remediation, identifies and removes emails containing malicious URLs. These robust cross-tenant features are critical for detection and response.

Security Awareness Training as a Service

A core part of the tech support scam is social engineering. If the worst-case scenario occurs and the attackers gain access to their target employee, that person must be prepared. Security awareness training will help educate employees about attacks, such as this complicated tech support scam, email bombs, and general phishing attacks. This will make them vigilant and knowledgeable. An employee can then use the knowledge gained from the security awareness training to identify and report potential social engineering attacks.

An MSP can deliver security awareness training and phishing simulations using cloud-based training programs designed for deployment by an MSP. Security awareness training solutions, like TitanHQ SAT, use automation to ensure regular training campaigns. Phishing simulations keep learners vigilant with realistic simulated phishing scenarios that reflect hackers' current tactics and are targeted to reflect individuals' behavior, ensuring training is optimized.

Combine the Layers to Future-Proof Protection

Combining anti-spam/phishing prevention and security awareness training to counter sophisticated, multi-stage phishing attacks that leverage social engineering is crucial to implementing a multi-layered security strategy. This approach combines advanced email security with comprehensive user education, enabling organizations to mitigate these evolving threats. Organizations can achieve more robust security outcomes by staying vigilant and adopting strong security layers, regardless of cybercriminals' new tactics.

Get in touch to learn how TitanHQ can help you implement a multi-layered security strategy.
