Beware of Emails Impersonating 'Microsoft Teams' Notifications (forbes.com)
Researchers at the email security company Abnormal Security have discovered "a multi-prong Microsoft Teams impersonation attack" involving "convincingly-crafted emails impersonating the automated notification emails from Microsoft Teams," reports Forbes:
The aim is simply to steal employee Microsoft Office 365 login credentials. The researchers report that as many as 50,000 users have been subject to this attack as of May 1.
This is far from your average phishing scam, however, and comes at precisely the right time to fool already stressed and somewhat disoriented workers. Instead of the far more commonly used "sort of look-alike" alerts and notifications employed by less careful cybercriminals, this new campaign is very professional in approach. "The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider," the researchers said. The attackers are also using newly-registered domains that are designed to fool recipients into thinking the notifications are from an official source...
As far as the credential-stealing payload is concerned, this is delivered in an equally meticulous way. With multiple URL redirects employed by the attackers, concealing the real hosting URLs, and so aiming to bypass email protection systems, the cybercriminals will eventually drive the user to the cloned Microsoft Office 365 login page.
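The summary above names two things a defender can check mechanically rather than by eye: links that pass through several redirects so the real hosting URL is hidden from mail filters, and newly registered look-alike domains standing in for Microsoft's. The Go program below is an added example, not code from Forbes or from Abnormal Security. It extracts every link from a constructed Teams-style notification, resolves each through a constructed redirect table (standing in for live requests sent with redirects disabled, which would need network access), and flags a link when its final host is not a Microsoft domain, when it reaches that host through a third-party redirector, or when the URL shown to the reader differs from the real destination. The domain allowlist, the sample email, the redirect table and every host name in it are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Domains a genuine Teams notification is expected to link to. This list is an
// assumption for the example, not an authoritative Microsoft inventory.
var legitimateDomains = []string{
	"microsoft.com", "office.com", "microsoftonline.com", "live.com",
}

// Constructed stand-in for live redirect following: each key redirects to its
// value. A real tool would send requests with redirects disabled and read each
// Location header in turn.
var redirectHops = map[string]string{
	"https://click.tracker-example.test/r?id=7": "https://static.example-cdn.test/go",
	"https://static.example-cdn.test/go":        "https://login-microsoftonline-teams.example/auth",
}

// Constructed sample of a Teams-style notification body with three links.
const sampleEmail = `<html><body>
<p>You have 3 new messages in Microsoft Teams.</p>
<a href="https://click.tracker-example.test/r?id=7">Reply in Teams</a><br>
<a href="https://teams.microsoft.com/l/chat/0/0">https://teams.microsoft.com/l/chat/0/0</a><br>
<a href="https://login-microsoftonline-teams.example/auth">https://login.microsoftonline.com</a>
</body></html>`

type Finding struct {
	Text       string // anchor text the recipient sees
	Href       string // where the link actually points
	FinalURL   string // end of the redirect chain
	Hops       int
	Suspicious bool
	Reason     string
}

var (
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	tagRe    = regexp.MustCompile(`<[^>]+>`)
)

func hostOf(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// isLegitimate accepts an allowlisted domain or a subdomain of one; a host such
// as microsoft.com.evil.example does not match because the suffix check
// requires the dot before the allowlisted name.
func isLegitimate(host string) bool {
	for _, d := range legitimateDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// resolveChain walks redirectHops from start until no further hop exists,
// stopping at maxHops so a redirect loop cannot run forever.
func resolveChain(start string, maxHops int) (string, int) {
	cur := start
	for i := 0; i < maxHops; i++ {
		next, ok := redirectHops[cur]
		if !ok {
			return cur, i
		}
		cur = next
	}
	return cur, maxHops
}

// AnalyzeEmail extracts every link, resolves where it really lands and
// records each reason a link is suspicious.
func AnalyzeEmail(html string) []Finding {
	var out []Finding
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		href := m[1]
		text := strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		final, hops := resolveChain(href, 10)
		finalHost := hostOf(final)
		var reasons []string
		if !isLegitimate(finalHost) {
			reasons = append(reasons, "lands on non-Microsoft host "+finalHost)
			if strings.Contains(finalHost, "microsoft") || strings.Contains(finalHost, "office") {
				reasons = append(reasons, "host name imitates a Microsoft domain")
			}
		}
		if hops > 0 && !isLegitimate(hostOf(href)) {
			reasons = append(reasons, fmt.Sprintf("%d redirect hop(s) through a third-party domain hide the destination", hops))
		}
		if strings.HasPrefix(text, "http") && hostOf(text) != finalHost {
			reasons = append(reasons, "displayed URL host "+hostOf(text)+" differs from real destination")
		}
		out = append(out, Finding{
			Text: text, Href: href, FinalURL: final, Hops: hops,
			Suspicious: len(reasons) > 0, Reason: strings.Join(reasons, "; "),
		})
	}
	return out
}

func main() {
	for _, f := range AnalyzeEmail(sampleEmail) {
		fmt.Printf("%-40s -> %s (hops=%d) suspicious=%v %s\n",
			f.Text, f.FinalURL, f.Hops, f.Suspicious, f.Reason)
	}
}
```

Of the three constructed links, the first is flagged for two hops through a tracker domain that end on a non-Microsoft host, the second (a real teams.microsoft.com link whose displayed text matches its target) passes, and the third is flagged because the text shows login.microsoftonline.com while the href goes elsewhere. The last case is exactly what viewing the mail as plain text exposes, since only the href survives.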
TFA for the block! (Score:3)
Seems like everyone should pull their cell phone out and get Two Factor Authorization going. That should save the day in the event of a password compromise.
Re:TFA for the block! (Score:4, Interesting)
Every place I have seen "two factor" what I have actually witnessed is anyone in possession of the person's cell phone has all the authentication needed.
They can reset passwords, including "two factor" service accounts and email.
They receive the text messages with the s3kr1t k0d3z.
Two factor is supposed to be something-you-have plus something-you-know, but the something-you-know always seems to be re-settable with only the something-you-have.
Re: (Score:2)
You're missing something... you're supposed to secure your phone with a separate password. Then, you put your e-mail from a non-Microsoft e-mail server under a different password.
So, to change your password, the hacker needs control of your phone, the password to your phone, and know your e-mail address. Secure enough!
Re: (Score:2)
The way it's set up at my work is the "something-you-have" is just a phone number. I suppose if I had a work assigned phone then I could use that and be subject to however they set those phones up. But instead for the rest of us we're just expected to use our personal phones, and those are set up however the owner sees fit. You can even use a landline and they'll call you with some automated system and read out the pass code to you.
I've been expecting an attack like this, honestly. The number of times I
No worries, PGP to rescue (Score:5, Insightful)
Since no one uses common sense practices in their email stack*, this is a serious problem and one that companies like Microsoft and Google need to start taking seriously. Email is by far one of the most insecure systems in existence for communication, and yet most of us never give it a thought or wonder if we can do anything to take its inherent security from a 1 / 10, to 8+ / 10.
Several weeks ago, two employees at our company, a salesperson and the owner, noticed they had sent each other emails containing some specifics of a project, which neither of them had sent. They both wondered how this happened, and how they could prevent it from happening in the future, with the solution being simple and clear: start signing and encrypting your messages between each other and to everyone in the company, because if the spammer doesn't have your private key, they won't be able to fake who they are.
This calls into question why companies aren't taking a harder stance on email security. I can count on one hand the companies I deal with who implement PGP security between their service and customers' email. I have lost count as to the number of companies whom I've emailed asking for PGP support, who have rejected the concept for any number of really stupid reasons, and never once bringing a good reason to the table. PGP support should be considered essential and mandatory, and if we all start demanding it, then maybe something will finally happen to get companies to reconsider their lax security stances.
Microsoft as a specific example outright rejects PGP because to quote several customer service members from Azure, "We don't do PGP". After explaining how it works and demonstrating it doesn't matter that Exchange supports it or not, they still won't use it, but don't have a reason. Microsoft and companies like it, don't care about your security and will take active steps to ignore and put it at risk.
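As an added example of the signing half of the proposal in the post above (not the poster's code, nor any company's): an Ed25519 sign-and-verify round trip using only Go's standard library. Ed25519 is used here in place of PGP's key and message formats because it needs no external tooling; the property the post relies on is the same, namely that a message claiming to come from the owner verifies only under the owner's published public key. A spoofed From: header signed with the attacker's own key, and the owner's genuine signature replayed over an altered body, both fail. The addresses, directory and message text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Mailbox holds one person's key pair. Only the public key is ever shared.
type Mailbox struct {
	Address string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func NewMailbox(address string) (*Mailbox, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Mailbox{Address: address, pub: pub, priv: priv}, nil
}

func (m *Mailbox) Public() ed25519.PublicKey { return m.pub }

// canonical fixes exactly which bytes are signed: sender, recipient and body
// together, so none of them can be swapped after signing.
func canonical(from, to, body string) []byte {
	return []byte("From: " + from + "\r\nTo: " + to + "\r\n\r\n" + body)
}

// Sign produces the signature an honest sender attaches to a message.
func (m *Mailbox) Sign(to, body string) []byte {
	return m.SignAs(m.Address, to, body)
}

// SignAs signs a message that claims an arbitrary From: address. Anyone can
// do this with their own key; what they cannot do is make it verify under
// the claimed sender's public key.
func (m *Mailbox) SignAs(from, to, body string) []byte {
	return ed25519.Sign(m.priv, canonical(from, to, body))
}

// Directory maps an address to the public key the company has published for it.
type Directory map[string]ed25519.PublicKey

// Verify reports whether the message really came from the claimed sender.
// An address with no published key is treated as unsigned and rejected.
func (d Directory) Verify(from, to, body string, sig []byte) bool {
	pub, ok := d[from]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, canonical(from, to, body), sig)
}

func main() {
	owner, _ := NewMailbox("owner@example.test")
	sales, _ := NewMailbox("sales@example.test")
	spammer, _ := NewMailbox("spammer@example.test") // attacker holds only their own key
	dir := Directory{owner.Address: owner.Public(), sales.Address: sales.Public()}

	body := "Please ship 40 units to the new customer."
	sig := owner.Sign(sales.Address, body)
	fmt.Println("genuine message:", dir.Verify(owner.Address, sales.Address, body, sig))

	// Spoofed From: header, signed with the spammer's own private key.
	forged := spammer.SignAs(owner.Address, sales.Address, body)
	fmt.Println("spoofed sender: ", dir.Verify(owner.Address, sales.Address, body, forged))

	// The owner's real signature replayed over an edited body.
	fmt.Println("altered body:   ", dir.Verify(owner.Address, sales.Address, body+" Also wire the deposit today.", sig))
}
```

The directory lookup is the part PGP deployments get wrong in practice: verification is only as trustworthy as the binding between an address and its public key, so the keys have to be distributed out of band or pinned once, not fetched from whatever the incoming mail points at.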
Re: (Score:2)
The federated nature of email is both a strength and a weakness in this instance. No one provider (except maybe Gmail?) can fo
First rule of notification emails (Score:5, Informative)
Never click on a link in the email. Know where it wants you to go, and type it yourself, or use your own bookmarks.
I hit delete (Score:2)
Why does everyone blindly accept every meeting invite?
Re: (Score:2)
It's not that (meeting/calendar invites). At least, I don't think so. All I use is the web clients from both my Linux desktop and laptop at home, and my Win10 machine at work.
But if you get a chat message in Teams and you aren't online/have teams open/etc. at the time, you'll get an email saying "you had 3 messages in Teams" with some summary, and then a "click here".
AFAIK any Teams meetings are regularly scheduled Outlook meetings that have the option selected for "create matching Teams meeting" or whatever
Sounds exactly like common phishing scam ... (Score:3)
"This is far from your average phishing scam"
This sounds exactly the same and indistinguishable from your average phishing scam. It depends on all the same dumbfucks using all the same dumbfuckery as they always used to fondle anything in with pictures.
Bet you if you turn the HTML shite off it can be identified as a scam in less than a nano-fucking-second!
Re: (Score:2)
And some plain text emails are unreadable. :(
Re: (Score:1)
And some plain text emails are unreadable. :(
Then perhaps they don't deserve to be read.
Re: (Score:2)
I actually hate reading. :( I do love visual stuff!
MSTeams, nothing you wanted, everything you didn't (Score:2)