Email Spoofing & Microsoft Teams Phishing Scam

The transition to working from home due to Covid-19 has seen a surge in the dependence on cloud-based collaboration platforms. Microsoft reported the number of daily Teams users jumped from 44 million at the end of March to 75 million by the end of April. The increasing reliance on platforms such has teams has made them ideal targets for phishing attacks. This week, two separate phishing attacks have targeted 50,000 Teams users. As well as this, email spoofing has also recently resurfaced, this time taking advantage of people’s increasing dependence on email for communication.

Microsoft Teams Attacks

The phishing campaign against Microsoft Teams users consisted of two attacks. In the first attack, the email contains a link to a document, if the link is clicked the recipient will be presented with a button asking them to log into Microsoft Teams. They are then taken to a spoofed Office 365 login page designed to steal credentials.

In the second attack, the email contains a malicious link which redirects the recipient to several pages (including a YouTube page) before landing on another spoofed Office 365 login page that will also harvest credentials if they’re entered.

This phishing campaign had successfully targeted approximately 50,000 users. The emails impersonated automated notification emails from Microsoft Teams, they also used images and messages from actual Teams notification emails which added to its legitimacy. Read more about how to spot a phishing email or contact your Managed IT Services provider.

Resurgence of Email Spoofing

Late last year, an email spoofing phishing campaign targeting Office 365 users surfaced (read more the Office 365 attack). Essentially, the attackers used a tactic called Account Take Over (ATO) to hijack a user’s Office 365 account. From there, the attacker will send emails containing malicious links and documents to unsuspecting colleagues, family and friends whilst posing as you.

This type of phishing campaign has recently resurfaced as more people are working from home and therefore relying on emails as their main point of communication for work.

Spotting a Compromised Email

Since these emails are seemingly coming from a ‘trusted sender’, they may pass through spam filters. This means you will need to be vigilant when receiving emails, no matter who it’s from.

• Impersonating someone you know – In this type of attack, the hacker benefits from posing as someone you know to gain your trust. These phishing emails could come you’re your colleagues, manager or even your boss. If you receive a suspicious sounding email, it’s best to directly contact that person by phone to confirm its legitimacy, otherwise, contact Milnsbridge IT to inspect the email.
• Weird requests – Is this email asking something you wouldn’t normally be asked for? E.g. passwords, credentials, banking information, invoice payments. If an email is requesting something out of the ordinary, you should check with the sender directly to make sure it’s really from them. Otherwise, contact Milnsbridge IT to inspect the email.
• Suspicious links or attachments – Account Take Over attacks rely on you opening malicious links or documents in the email so that they can compromise your account, too. If an email contains links and or/attachments that seem suspicious you can contact the friendly staff at Milnsbridge IT to inspect the email for you.

Whilst the transition to working remotely has definitely presented its challenges, staying vigilant towards phishing campaigns is imperative. A seemingly legitimate email could potentially be a phishing attack. If you have any doubts about an email you’ve received, it’s best to be proactive and check directly with the sender by phone or contact an IT Company like Milnsbridge Managed IT Services to investigate the email.