A highly convincing phishing campaign is using cloned imagery from automated Microsoft Teams notifications in attacks that attempt to harvest Office 365 credentials.
The Microsoft Teams cloud collaboration platform has experienced a huge usage spike since the start of the COVID-19 pandemic, with Microsoft announcing on March 30 that the platform has reached 75 million daily active users (DAUs), with a 70% increase since March 19 when it reported 44 million DAUs.
The phishing emails that spoof Microsoft Teams file share and audio chat notifications have so far landed in the inboxes of 15,000 to 50,0000 targets based on stats from researchers as email security company Abnormal Security.
What makes them even more dangerous than regular phishing messages, is that users are currently used to being flooded with alerts from various online collaboration services used to keep in touch with colleagues, friends, and family members, and makes them prone from ignoring any signals that would otherwise allow them to realize they're being attacked.
Cloning login pages to steal Office 365 accounts
What makes these phishing attacks special is the cloning of Microsoft Teams alerts instead of creating them from scratch using mismatched imagery collected from all over the place and content riddled with typos and grammar mistakes.
"Since the imagery found throughout this attack is actual imagery used by the legitimate provider, the recipient may be more convinced this is a legitimate email," the researchers said. "This holds especially true on mobile where images take up most of the content on the screen."
Some of the phishing emails the researchers were able to collect alert the potential victims of offline audio messages and invite them to listen to them, while others will let them know that their teammates are attempting to reach them using Microsoft Teams.
These last ones will also let the targets know of files shared for their review and will also provide them with links to install the Teams client on iOS and Android devices.
Phishing email samples (Abnormal Security)
As it is, this campaign should be able to bypass some Secure Email Gateways (SEGs) and to convince a lot more targets to visit the phishing landing page instead of sending the email to the Spam folder.
To evade email protection services, the attackers also use several URL redirects with the end goal of hiding the URL used to host the phishing campaign.
In one of the attacks for instance, "the URL redirect is hosted on YouTube, then redirected twice to the final webpage which hosts another Microsoft login phishing credentials site."
In another version of these attacks, the phishing email is sent from a recently registered domain, sharepointonline-irs[.]com, which is not associated with Microsoft or the US Internal Revenue Service (IRS) although it tries to convince the targets of the opposite.
The landing pages also utilize the same graphics displayed on the Microsoft Teams web notifications they mimic, with the end effect of showing the target a perfectly cloned version of the real thing.
Phishing landing page and fake Office 365 login (Abnormal Security)
After jumping through all the hoops, the targets will land on a fake and, again, perfectly cloned Office 365 login form the attackers use for harvesting victims' credentials.
"Should the recipient fall victim to this attack, this user credentials would be compromised," the researchers explain.
"Additionally, since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single-sign-on."
Microsoft Teams, phishing, and credential theft
The Microsoft Teams client was recently patched to fix a security vulnerability that allowed attackers to take over user accounts by sending them an animated GIF image.
Microsoft's Sway service is also impersonated in a spear-phishing campaign dubbed PerSwaysion to trick potential victims into sending their Office 365 login credentials to multiple threat actors.
To date, the operators behind these attacks have managed to harvest over 20 Office 365 accounts belonging to executives companies in the U.S., Canada, Germany, the U.K., the Netherlands, Hong Kong, and Singapore.