Convincing Office 365 phishing uses fake Microsoft Teams alerts


Level 21
Sep 5, 2017
A highly convincing phishing campaign is using cloned imagery from automated Microsoft Teams notifications in attacks that attempt to harvest Office 365 credentials.

The Microsoft Teams cloud collaboration platform has experienced a huge usage spike since the start of the COVID-19 pandemic, with Microsoft announcing on March 30 that the platform has reached 75 million daily active users (DAUs), with a 70% increase since March 19 when it reported 44 million DAUs.

The phishing emails that spoof Microsoft Teams file share and audio chat notifications have so far landed in the inboxes of 15,000 to 50,0000 targets based on stats from researchers at email security company Abnormal Security.

What makes them even more dangerous than regular phishing messages is that users are currently used to being flooded with alerts from various online collaboration services used to keep in touch with colleagues, friends, and family members, which makes them prone to ignoring any signals that would otherwise allow them to realize they're being attacked.

Cloning login pages to steal Office 365 accounts
What makes these phishing attacks special is the cloning of Microsoft Teams alerts instead of creating them from scratch using mismatched imagery collected from all over the place and content riddled with typos and grammar mistakes.

"Since the imagery found throughout this attack is actual imagery used by the legitimate provider, the recipient may be more convinced this is a legitimate email," the researchers said. "This holds especially true on mobile where images take up most of the content on the screen."

Some of the phishing emails the researchers were able to collect alert the potential victims of offline audio messages and invite them to listen to them, while others will let them know that their teammates are attempting to reach them using Microsoft Teams.

These last ones will also let the targets know of files shared for their review and will also provide them with links to install the Teams client on iOS and Android devices.

Phishing email samples (Abnormal Security)
As it is, this campaign should be able to bypass some Secure Email Gateways (SEGs) and to convince a lot more targets to visit the phishing landing page instead of sending the email to the Spam folder.

To evade email protection services, the attackers also use several URL redirects with the end goal of hiding the URL used to host the phishing campaign.

In one of the attacks for instance, "the URL redirect is hosted on YouTube, then redirected twice to the final webpage which hosts another Microsoft login phishing credentials site."

In another version of these attacks, the phishing email is sent from a recently registered domain, sharepointonline-irs[.]com, which is not associated with Microsoft or the US Internal Revenue Service (IRS) although it tries to convince the targets of the opposite.

The landing pages also utilize the same graphics displayed on the Microsoft Teams web notifications they mimic, with the end effect of showing the target a perfectly cloned version of the real thing.

Phishing landing page and fake Office 365 login (Abnormal Security)
After jumping through all the hoops, the targets will land on a fake and, again, perfectly cloned Office 365 login form the attackers use for harvesting victims' credentials.

"Should the recipient fall victim to this attack, this user credentials would be compromised," the researchers explain.

"Additionally, since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single-sign-on."

Microsoft Teams, phishing, and credential theft
The Microsoft Teams client was recently patched to fix a security vulnerability that allowed attackers to take over user accounts by sending them an animated GIF image.

Microsoft's Sway service is also impersonated in a spear-phishing campaign dubbed PerSwaysion to trick potential victims into sending their Office 365 login credentials to multiple threat actors.

To date, the operators behind these attacks have managed to harvest over 20 Office 365 accounts belonging to executives at companies in the U.S., Canada, Germany, the U.K., the Netherlands, Hong Kong, and Singapore.
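The two evasion traits described in this post, a brand-named sender domain that is not Microsoft's and a link that bounces through a redirect hosted on YouTube, can be checked mechanically at the mail gateway. The sketch below is an added example, not code from the article or from Abnormal Security; the allowlist, the brand tokens, the redirector list and the sample message (including its `landing.example` target) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlsplit

# Assumptions: sender domains accepted as Microsoft's, and hosts treated as redirectors.
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "sharepoint.com"}
BRAND_TOKENS = ("microsoft", "office365", "sharepoint", "teams")
REDIRECTOR_HOSTS = {"youtube.com"}

def registrable(host):
    # Simplified to the last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_message(raw):
    """Return findings for a brand-spoofing sender and for links that pass through a redirector."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = registrable(addr.rpartition("@")[2])
    if domain not in MICROSOFT_DOMAINS:
        if any(t in domain for t in BRAND_TOKENS):
            findings.append(f"sender domain borrows a brand name: {domain}")
        if any(t in display.lower() for t in BRAND_TOKENS):
            findings.append(f"display name claims the brand but mail is from {domain}")
    body = "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text"
    )
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        if registrable(host) not in REDIRECTOR_HOSTS:
            continue
        # A query parameter that is itself a URL on another site marks a forwarded click.
        for values in parse_qs(urlsplit(url).query).values():
            for value in values:
                target = urlsplit(value).hostname
                if target and registrable(target) != registrable(host):
                    findings.append(f"link on {host} forwards to {target}")
    return findings

# Constructed sample: sender domain as named in the article, link target a placeholder.
SAMPLE = (
    'From: "Microsoft Teams" <no-reply@sharepointonline-irs.com>\n'
    "Subject: You have a new voice message\n"
    "Content-Type: text/plain\n\n"
    "Listen: https://www.youtube.com/redirect?q=https%3A%2F%2Flanding.example%2Flogin\n"
)

print(check_message(SAMPLE))
```

The check only sees the first hop; the later redirects the researchers describe are visible only by resolving the link in a sandbox at delivery or click time.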


Level 32
Nov 10, 2017
Microsoft Teams has seen a surge in usage owing to the increased need for collaboration services as more and more employees are working from home in the wake of the COVID-19 Coronavirus pandemic. With the increased adoption, the tool has also been receiving multiple improvements to help enhance functionality. While the communication of new features is a given, a new phishing attack that mimics notifications from the Redmond giant is being targeted at Teams users.

The specifics of the attack reported first by Abnormal Security (via WindowsCentral) suggest that the goal is to steal users’ Teams/Office 365 credentials by serving messages that redirect to phishing websites. The report states that the email notifications impersonate automated notification emails from Teams that are convincing enough owing to the content and design. The sender email comes from the “” domain, something that is misleading and one that is not owned by Microsoft.


Level 32
Nov 10, 2017
Microsoft warns that with the shift to remote working, customers are exposed to additional security threats such as consent phishing, besides conventional credential theft and email phishing attacks.

Consent phishing is a variant of application-based attack where the targets are tricked into providing malicious Office 365 OAuth applications (web apps registered by the attackers with an OAuth 2.0 provider) access to their Office 365 accounts.

Once the victims grant the malicious apps permissions to their account data, the threat actors get their hands on access and refresh tokens that allow them to take control of the targets' Microsoft accounts and make API calls on their behalf through the attacker-controlled app.

After the victims' Office 365 accounts get compromised, the attackers can obtain access to their mail, files, contacts, notes, profiles, as well as sensitive information and resources stored on their corporate SharePoint document management/storage system and OneDrive for Business cloud storage space.
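Because a consent grant survives a password reset, the defensive counterpart to the attack described in this post is a periodic review of which apps hold delegated permissions over mail, files, contacts and notes, and whether they also hold `offline_access` (the scope that yields refresh tokens). The following is an added example, not Microsoft's code or tooling; the records are constructed and only follow the field names of Microsoft Graph `oauth2PermissionGrant` objects, and the trusted-app list is an assumption.

```python
# Delegated Microsoft Graph scopes mapped to the data categories named in the post.
SCOPE_CATEGORY = {
    "Mail.Read": "mail", "Mail.ReadWrite": "mail", "Mail.Send": "mail",
    "Files.Read.All": "files", "Files.ReadWrite.All": "files",
    "Contacts.Read": "contacts", "Notes.Read.All": "notes",
    "Sites.Read.All": "sharepoint", "User.Read": "profile",
}
LOW_RISK = {"profile"}  # assumption: basic sign-in profile access alone is not flagged

def review_grants(grants, trusted_client_ids):
    """Return grants that give an unapproved app access to user data, riskiest first."""
    flagged = []
    for grant in grants:
        scopes = grant["scope"].split()
        data = sorted({SCOPE_CATEGORY[s] for s in scopes if s in SCOPE_CATEGORY} - LOW_RISK)
        if grant["clientId"] in trusted_client_ids or not data:
            continue
        flagged.append({
            "clientId": grant["clientId"],
            "principalId": grant.get("principalId"),
            "data": data,
            # offline_access means the app keeps access through refresh tokens
            "refresh_token": "offline_access" in scopes,
            # AllPrincipals means an admin consented for every user in the tenant
            "tenant_wide": grant.get("consentType") == "AllPrincipals",
        })
    return sorted(flagged, key=lambda f: (not f["refresh_token"], -len(f["data"])))

# Constructed records; the ids are placeholders, not real application ids.
GRANTS = [
    {"clientId": "app-a", "consentType": "Principal", "principalId": "user-1",
     "scope": "User.Read offline_access Mail.Read Files.ReadWrite.All Contacts.Read Notes.Read.All"},
    {"clientId": "app-b", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.ReadWrite Files.Read.All offline_access"},
    {"clientId": "app-c", "consentType": "Principal", "principalId": "user-2",
     "scope": "User.Read openid"},
    {"clientId": "app-d", "consentType": "Principal", "principalId": "user-3",
     "scope": "Mail.Read"},
]
TRUSTED = {"app-b"}  # assumption: apps the organisation has vetted

for finding in review_grants(GRANTS, TRUSTED):
    print(finding)
```

Revoking a flagged grant, not changing the user's password, is what cuts off the app's tokens.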