Beware of Emails Impersonating 'Microsoft Teams' Notifications

Researchers at the email security company Abnormal Security have discovered "a multi-prong Microsoft Teams impersonation attack" involving "convincingly-crafted emails impersonating the automated notification emails from Microsoft Teams," reports Forbes: The aim, simply to steal employee Microsoft Office 365 login credentials. To date, the researchers report that as many as 50,000 users have been subject to this attack as of May 1.

This is far from your average phishing scam, however, and comes at precisely the right time to fool already stressed and somewhat disoriented workers. Instead of the far more commonly used "sort of look-alike" alerts and notifications employed by less careful cybercriminals, this new campaign is very professional in approach. "The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider," the researchers said. The attackers are also using newly-registered domains that are designed to fool recipients into thinking the notifications are from an official source...

As far as the credential-stealing payload is concerned, this is delivered in an equally meticulous way. With multiple URL redirects employed by the attackers, concealing the real hosting URLs, and so aiming to bypass email protection systems, the cybercriminals will eventually drive the user to the cloned Microsoft Office 365 login page.

TFA for the block!

[The New Guy 2.0]

Seems like everyone should pull their cell phone out and get Two Factor Authorization going. That should save the day in the event of a password compromise.

Re:TFA for the block!

[Rockoon]

Does Microsoft:Office 365 actually implement Two Factor Authentication, or does it implement Two Factor Fauxentication?

Every place I have seen "two factor" what I have actually witnessed is anyone in possession of the persons cell phone has all the authentication needed.

They can reset passwords, including "two factor" service accounts and email.
They receive the text messages with the s3kr1t k0d3z.

Two factor is supposed to be something-you-have plus something-you-know, but the something-you-know always seems to be re-settable with only the something-you-have.

Re:

[The New Guy 2.0]

You're missing something... you're supposed to secure your phone with a separate password. Then, you put your e-mail from a non-Microsoft e-mail server under a different password.

So, to change your password, the hacker needs control of your phone, the password to your phone, and know your e-mail address. Secure enough!

Re:

[toddestan]

The way it's set up at my work is the "something-you-have" is just a phone number. I suppose if I had a work assigned phone then I could use that and be subject to however they set those phones up. But instead for the rest of us we're just expected to use our personal phones, and those are setup however the owner sees fit. You can even use a landline and they'll call you with some automated system and read out the pass code to you.

I've been expecting an attack like this, honestly. The number of times I

Re:

[Riceballsan]

That sounds... still way above most problems. Phishing, keyloggers etc... mean they get access to peoples credentials, typically from a whole other country. Access to my phone... is kind of moot. Beyond needing to log into my phone (something I know). Physical access to the phone, means they've also probably got physical access to the person somewhere he or she feels moderately safe... meaning they are vulnerable to the oldest security danger https://xkcd.com/538/ [xkcd.com]

No worries, PGP to rescue

[Murdoch5]

Since everyone uses digital signatures and encryption in their email stack, this will never succeed, because we'll know X isn't who they claim to be as their signature won't match or won't be present.

Since no one uses common sense practices in their email stack*, this is a serious problem and one that companies like Microsoft and Google need to start taking seriously. Email is by far one of the most insecure systems in existence for communication, and yet most of us never give it a thought or wonder if we can do anything to take it's inherit security from a 1 / 10, to 8+ / 10.

Several weeks ago, two employees at our company, a sale person and the owner, noticed they had sent each other emails containing some specifics of a project, which neither of them had sent. They both wondered how this happened, and how they could prevent it from happening in the future, with the solution being simple and clear, start signing and encrypting your messages between each other and to everyone in the company, because if the spammer doesn't have your private key, they won't be able to fake who they are.

This calls into question why companies aren't taking a harder stance on email security? I can count on one hand the companies I deal with who implement PGP security between their service and customer's email. I have lost count as to the number of companies whom I've emailed asking for PGP support, who have rejected the concept for any number of really stupid reasons, and never once bringing a good reason to the table. PGP support should be considered essential and mandatory, and if we all start demanding it, then maybe something will finally happen to get companies to reconsider their security lax'd stances.

Microsoft as a specific example outright rejects PGP because to quote several customer service members from Azure, "We don't do PGP". After explaining how it works and demonstrating it doesn't matter that Exchange supports it or not, they still won't use it, but don't have a reason. Microsoft and companies like it, don't care about your security and will take active steps to ignore and put it at risk.

Re:

[MatthewSt]

So, let me just check your thinking here. Your solution to people not being savvy enough to check the URL that they're using to log in to, is to have them learn to use PGP as well as still needing to check the URL that they're using to log in to? The emails aren't coming from a microsoft.com domain, which means if you work on the same principle that Let's Encrypt work on (which still relies on having a trusted authority, which PGP doesn't provide out of the box) the email client could show green ticks ever

Re:

[e432776]

Scary problem you describe at your company. I agree with you that email is absolutely not secure and yet we depend on it like it is. However, the existing encryption systems really are not up to the job. There are many accounts online of how it fails, see this for a recent story [cheapskatesguide.org] from someone with significant expertise. "Regular users" have no hope with these systems as they exist.

The federated nature of email is both a strength and a weakness in this instance. No one provider (except maybe Gmail?) can fo

Re:

[Murdoch5]

Fair enough, but at least it's a start. A "normal" user should never have to worry about digital signatures or encryption when it comes to email, it should be managed for them. Take a look at ProtonMail, they do an excellent job of this and it doesn't matter how much experience or knowledge you have surrounding PGP, RSA and etc...

Re:

[stabiesoft]

I'm not quite sure why your mail filtering did not catch this. I know I have filters set up so if the sender is my domain, it has to originate from my server. My mail logs are full of attempts. Given SPF records, it should be relatively easy to filter for many phishing attempts. You still will not catch user@microsof.com if they registered it properly, but you should be able to trap phishes from user@microsoft.com unless it really came from a microsoft validated email server IP.

First rule of notification emails

[Chris Mattern]

Never click on a link in the email. Know where it wants you to go, and type it yourself, or use your own bookmarks.

I hit delete

[Way Smarter Than You]

We don't use MS teams. And if we did, I'd still hit delete. If it doesn't show up on my calendar as coming from someone I work with regarding a meeting I want to be in, delete.

Why does everyone blindly accept every meeting invite?

Re:

[i.r.id10t]

Its not that (meeting/calendar invites). At least, I don't think so. All I use is the web clients from both my Linux desktop and laptop at home, and my Win10 machine at work.

But if you get a chat message in Teams and you aren't online/have teams open/etc. at the time, you'll get an email saying "you had 3 messages in Teams" with some summary, and then a "click here".

AFAIK any Teams meetings are regularly scheduled Outlook meetings that have the option slected for "create matching Teams meeting" or whatever

Re: I hit delete

[Way Smarter Than You]

Oh jesus, that sounds horrible. I'm so glad we don't use Teams now that you've explained how it works. The last thing I need is more email based on chat messages.

Sounds exactly like common phishing scam ...

[Retired ICS]

"This is far from your average phishing scam"

This sounds exactly the same and indistinguishable from your average phishing scam. It depends on all the same dumbfucks using all the same dumbfuckery as they always used to fondle anything in with pictures.

Bet you if you turn to HTML shite off it can be identified as a scam in less than a nano-fucking-second!

Re:

[antdude]

And some plain text emails are unreadable. :(

Re:

[vbdasc]

And some plain text emails are unreadable. :(

Then perhaps then don't deserve to be read.

Re:

[antdude]

I actually hate reading. :( I do love visual stuff!

MSTeams, nothing you wanted, everything you didn't

[damn_registrars]

I had to use MS Teams on my windows 10 laptop for a call with some overseas collaborators recently. It completely shattered my expectations of what a total unmitigated disaster it could be.

• First I clicked the link I was sent for it so I could download it to be on the team. Surprisingly enough the link worked fine from a non-MS browser.
• I entered my email address there to download the application and (supposedly) link me to the team.
• I started the application, where I then had to enter my email address yet