Social Engineering Risks Found in Microsoft Teams

Security researchers at Proofpoint have discovered several new ways to effectively exploit Microsoft Teams via social engineering.

“[We] recently analyzed over 450 million malicious sessions targeting Microsoft 365 cloud tenants, detected throughout the second half of 2022,” reads a report released today by the company.

“Our findings show that Microsoft Teams is one of the top 10 most targeted sign-in applications, with nearly 40% of targeted organizations having at least one unauthorized login attempt trying to gain access.”


The first technique the Proofpoint team observed uses tabs to access sensitive information by manipulating them in a Teams channel or chat. An attacker renames a tab so that it looks like an existing one and points it to a malicious website, a common tactic in credential phishing.

“Following an account compromise, we discovered that tabbing could be part of a powerful and largely automated attack vector,” the report reads.

“Generally, users are free to rename tabs as long as the new name does not conflict with the name of an existing tab. […] Additionally, users are considered restricted from rearranging tabs in a way that places them before the default tabs.”

Tabs could also be used to deliver malware directly: attackers can create custom tabs that automatically download files to users’ devices.

Proofpoint also observed attackers using Teams API calls to manipulate meeting invitations and attempt to replace default links with malicious ones. This could lead users to unknowingly visit phishing pages or download malware.

Finally, the researchers discovered that attackers used the Teams API or user interface to modify existing links in outgoing messages. In such cases, the displayed hyperlink remains the same, but the underlying URL is changed, directing the user to a malicious website or resource.

“It’s important to note that the aforementioned exploitation methods require existing access to compromised user accounts or Teams tokens,” Proofpoint’s report clarifies.

“Nevertheless, approximately 60% of Microsoft 365 tenants suffered at least one account takeover incident in 2022. As a result, the potential prevalence of these techniques would provide threat actors with an effective possibility for lateral movement.”
