CyberheistNews Vol 9 #46 [Heads-Up] Malicious Actors Want to Join Your Team!

Microsoft Teams has seen rapid adoption in the three years since it was released back in 2016, becoming by some estimates the second-most used business collaboration tool after Skype. Unsurprisingly, malicious actors have taken notice.

Over the course of 2019 we have seen a steady increase in the number of malicious emails spoofing Microsoft Teams email alerts and notifications. These phishing emails—reported to us by customers using the Phish Alert Button (PAB)—range from low-rent trash that bears almost no resemblance to legitimate Teams emails to high-quality spoofs that are well-nigh indistinguishable from the real thing.

The Good

The majority of the spoofed Teams emails we've seen are fairly well-executed, and look to have been based directly on actual Teams emails that were fished out of the inboxes of compromised accounts at organizations using the Microsoft collaboration tool.

Content and format are nearly perfect in these malicious spoofs, leaving only the link itself to give away the ruse. Note the use of multiple subdomains in the URL shown in the screenshots to draw users' eyes to the string "" which, for many users, will be effective enough to disguise the true destination of that link: the part of a hostname that somebody actually registered is the label just before the public suffix, and everything to the left of it is a subdomain the registrant can name however they like. Screenshot examples at the blog.

The Bad

Not all bad guys are created equal, though. Some appear to have only a vague understanding of what Microsoft Teams is and how popular it has become among business organizations -- especially those that have fully embraced Office 365 and its ever-expanding suite of productivity tools. But these bottom-feeders don't necessarily have the knowledge base, motivation, or resources to do a proper spoof of Teams email notifications.

None of that is a barrier to going after Microsoft Teams users, though. Just sprinkle a few references to "teams" throughout the Subject: line and email body, use a trusted email service provider like Sendgrid to blast out your low-rent spoofs, and you're in business. Screenshot examples at the blog.

The Ambitious

If Microsoft can integrate Teams into its larger suite of productivity tools, who's to say the bad guys can't do the same thing? In this phish the bad guys simply took a fairly standard Office 365 credentials phish and spruced it up a bit by changing the sender name to "Microsoft Teams."

Coupled with the use of a Microsoft-y looking domain—"outlooksecure (dot) com"—in the money link, that just might be enough to persuade a few people in many organizations to click the link and hand over their credentials to malicious actors. Screenshot example at the blog.


If you've rolled out Microsoft Teams in your organization, you would do well to wonder just how well your users and employees would handle the kinds of spoofed Microsoft Teams emails that are currently landing in inboxes. Would they bother to check the link? Would they notice that the Microsoft login page sitting in front of them is actually hosted on a Google cloud-based service like Appspot?
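The two "tells" this article leans on (the registrable domain buried behind a pile of brand-name subdomains in "The Good", and a Microsoft login page that actually lives on a shared platform like Appspot, as in the paragraph above) can be checked mechanically. The script below is an added example written for this page, not code from KnowBe4 or from the phishing samples on the blog. It keeps an abbreviated public-suffix list of its own (a real tool should use the full Public Suffix List or a library such as tldextract), and the sample links and the "microsoft.com" brand domain are constructed; the userinfo-before-@ check goes one step beyond what the article describes.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Abbreviated public-suffix list, constructed for this example only. A real
# check should consult the full Public Suffix List (publicsuffix.org) or a
# library such as tldextract; the full list has thousands of entries.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "appspot.com", "azurewebsites.net"}

# Suffixes under which anyone can stand up a free-tier site and host a page
# (Appspot is the example the article gives).
APP_HOSTING_SUFFIXES = {"appspot.com", "azurewebsites.net"}


def registrable_domain(hostname: str) -> str:
    """Return the public suffix plus one label, i.e. the part of the host
    that somebody actually registered. Everything to its left is a
    subdomain the registrant controls and can name however they like."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return suffix if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def analyse_link(url: str, brand_domain: str) -> Dict:
    """Compare the link's real destination with the domain a genuine
    notification from the brand would point at (brand_domain)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    findings: List[str] = []
    brand_token = brand_domain.split(".")[0]  # e.g. "microsoft"
    if reg != brand_domain and brand_token in host.split("."):
        findings.append(
            f"brand name '{brand_token}' appears as a subdomain of {reg}, "
            f"not as the registrable domain")
    if host.count(".") >= 4:
        findings.append("unusually deep subdomain nesting")
    if parts.username is not None:
        # Beyond the article: 'https://brand.example@evil.example/' puts the
        # brand in the userinfo part, which browsers discard.
        findings.append("userinfo before '@' hides the real host")
    if any(reg.endswith("." + s) for s in APP_HOSTING_SUFFIXES):
        findings.append(f"page is hosted on a shared app platform ({reg})")
    return {
        "host": host,
        "registrable": reg,
        "matches_brand": reg == brand_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample links (not the ones in the screenshots on the blog).
    for link in [
        "https://teams.microsoft.com/l/team/19%3Aabc/conversations",
        "https://teams.microsoft.com.notifications.example.net/login",
        "https://office365-login.appspot.com/index.html",
    ]:
        print(analyse_link(link, "microsoft.com"))
```

Run as a mail-gateway or SOAR enrichment step, the interesting output is `matches_brand` and `findings`; the deep-nesting threshold is a heuristic and should be tuned against your own legitimate notification traffic before it drives any blocking.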

Then again, why just wonder?

New-school security awareness training can train your users to be on the alert for those kinds of "tells," then test their reactions to simulated phishing emails based on actual phishes used by real malicious actors in the wild.

It's the best means to ensure that the only ones managing your teams are your own people -- not confidence tricksters looking to muscle their way into your organization's network. Example screenshots here that you can use for phishing templates to send to your users:

For KnowBe4 customers, we have several ready-to-send phishing templates you can use to inoculate your users against attacks like this.
[Live Demo] Identify and Respond to Email Threats Faster with PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats—and, just as importantly—effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product that allows your Incident Response team to identify and respond to email threats faster, saving them a great deal of time.

See how you can best manage your user-reported messages.

Join us Wednesday, November 20 @ 2:00 pm (ET) for a live 30-minute demo of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, November 20 @ 2:00 pm (ET)

Save My Spot!
The Three Reasons Why Replying to Phishing Attacks Is a Really Bad Idea

PhishLabs warns that replying to a phishing email, even if you know it’s a scam, can lead to further attacks. Most phishing campaigns are automated and replying to them puts you on a scammer’s radar. PhishLabs stresses that these people are criminals, and that they can be vindictive or even dangerous. There are several operational security-related reasons why replying to these emails is a bad idea.

First, replying to a phishing email provides the scammer with a copy of your company’s email signature, which might include phone numbers and other information. This signature could enable them to craft more convincing spear phishing templates, as well as giving them more potential targets.

Second, replying to an email notifies the scammer that your email address is active. This makes you a high priority for additional attacks. Scammers can also sell your email to other attackers.

Finally, the headers of your reply can reveal details such as the IP address and time zone of the system it was sent from, which can help attackers narrow down your physical location.

The best course of action is to report these emails to your IT department using the Phish Alert Button, or simply delete them. There are many amusing stories about people wasting scammers’ time, but unless you know what you’re doing and you have precautions in place, you could be putting yourself or your organization in danger.

We appreciate the amusing stories, but better to be safe than funny. New-school security awareness training can teach your employees how to identify and deal with phishing attacks. PhishLabs has the story:

And here is the download for the free Phish Alert Button:
[NEW WEBINAR] Third-Party Phishing: The New Spear-Phishing Attacks That Traditional Defenses Just Don’t Stop

Joe in accounting is pretty cyber-savvy. He doesn’t fall for basic phishing emails with masked URLs or phony password reset requests. But what happens when Joe gets an email from a trusted third-party vendor disputing a recent payment and demanding action? If that third-party vendor has been compromised it could very well be the bad guys sending Joe a spear-phishing attack from the vendor’s domain. And if it is, you could be in trouble. Big trouble...

Because third-party phishing attacks look like legitimate emails from your vendors’ domains, traditional defenses often don't work against them or they are severely weakened. Your only defense is a strong human firewall. Find out how third-party phishing attacks operate, how you can spot them, and learn what defenses do and don't work against them.

Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, to see:
  • Real-world examples of third-party phishing schemes
  • Hacking techniques that make these targeted attacks even more dangerous
  • How to protect your network against these aggressive schemes
  • What to teach your end users so they can identify a third-party attack
Date/Time: Thursday, November 21st @ 2:00 PM (ET)

Save My Spot!
Specially Crafted ZIP Files Used to Bypass Secure Email Gateways

Attackers are always looking for new tricks to distribute malware without being detected by antivirus scanners and secure email gateways. This was illustrated in a new phishing campaign that used a specially crafted ZIP file, designed to bypass secure email gateways, to distribute the NanoCore RAT.

Every ZIP archive is laid out as a series of compressed entries followed by a central directory that describes them. Each archive also contains a single "End of Central Directory" (EOCD) record, which marks the end of the archive structure and tells a parser where the central directory begins and how many entries it holds.

In a new spam campaign discovered by Trustwave, researchers encountered a spam email pretending to be shipping information from an Export Operation Specialist of USCO Logistics. Continued at Bleepingcomputer:
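Why the EOCD record matters to a gateway is easier to see with bytes in hand. The scanner below is an added example written for this page, not code from Trustwave, Bleepingcomputer or the campaign itself. It counts EOCD records and local file headers, checks that the offsets in the last EOCD account for the whole file, and shows that a parser honouring the first EOCD and one honouring the last can list different files from the same bytes. The samples are built in memory with Python's zipfile module; the two-archives-back-to-back sample is my assumption of what a "specially crafted" attachment can look like, not a reproduction of the campaign's file.

```python
import io
import struct
import zipfile
from typing import Dict, List

EOCD_SIG = b"PK\x05\x06"       # End of Central Directory record
LOCAL_HDR_SIG = b"PK\x03\x04"  # one per stored file
EOCD_MIN = 22                  # fixed part of the EOCD, before the comment


def scan_zip(data: bytes) -> Dict:
    """Flag archives whose trailer does not account for the bytes present.
    Signature counting is a heuristic: compressed payloads or the archive
    comment can contain these byte sequences by chance."""
    findings: List[str] = []
    eocd_positions = []
    pos = data.find(EOCD_SIG)
    while pos >= 0:
        eocd_positions.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    local_headers = data.count(LOCAL_HDR_SIG)
    result = {"eocd_count": len(eocd_positions),
              "local_headers": local_headers, "findings": findings}
    if not eocd_positions:
        findings.append("no EOCD record: not a ZIP file, or truncated")
        return result
    if len(eocd_positions) > 1:
        findings.append(f"{len(eocd_positions)} EOCD records: "
                        "looks like several archives glued together")
    last = eocd_positions[-1]
    if last + EOCD_MIN > len(data):
        findings.append("last EOCD record is truncated")
        return result
    # Layout after the 4-byte signature: disk no, CD disk no, entries on this
    # disk, entries total, CD size, CD offset, comment length.
    (_disk, _cd_disk, _entries_here, entries_total,
     cd_size, cd_offset, comment_len) = struct.unpack_from("<HHHHIIH", data, last + 4)
    result["entries_total"] = entries_total
    unaccounted = last - (cd_offset + cd_size)
    if unaccounted:
        # Legitimate for self-extracting archives (a stub precedes the ZIP
        # data); suspicious in an email attachment.
        findings.append(f"{unaccounted} bytes before the archive are not "
                        "covered by the last EOCD")
    if last + EOCD_MIN + comment_len != len(data):
        findings.append("data after the EOCD comment")
    if local_headers != entries_total:
        findings.append(f"{local_headers} local file headers but the last "
                        f"EOCD declares {entries_total} entries")
    return result


def names_seen(data: bytes, first_eocd: bool = False) -> List[str]:
    """Entries a parser lists. Python's zipfile honours the LAST EOCD record
    (anything before the archive it describes is treated as prepended data).
    Cutting the file just after the FIRST EOCD simulates a parser that stops
    at the first trailer it finds."""
    if first_eocd:
        idx = data.find(EOCD_SIG)
        comment_len = struct.unpack_from("<H", data, idx + 20)[0]
        data = data[: idx + EOCD_MIN + comment_len]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples. DOUBLE is my assumption of what a "specially crafted"
# attachment can look like: two complete archives back to back, each with
# its own EOCD record.
CLEAN = build_zip("shipping_info.pdf", b"%PDF-1.4 constructed decoy\n")
DOUBLE = (build_zip("shipping_info.pdf", b"%PDF-1.4 constructed decoy\n")
          + build_zip("shipping_info.exe", b"MZ constructed payload"))

if __name__ == "__main__":
    print("clean :", scan_zip(CLEAN))
    print("double:", scan_zip(DOUBLE))
    print("first EOCD sees:", names_seen(DOUBLE, first_eocd=True))
    print("last  EOCD sees:", names_seen(DOUBLE))
```

The lesson for a gateway is not the particular trick but the disagreement: whatever the scanning engine parses, the user's unzip tool may parse differently, so any archive whose EOCD bookkeeping does not add up to the file size deserves to be quarantined rather than "scanned clean" on the basis of the entries one parser happened to see.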
Will You Get Spoofed Over the Holidays? Find out for a Chance to Win!

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are thoroughly trained in security awareness.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus, if you're in the US or Canada, you'll be entered for a chance to win a $500 Amazon Gift Card (just in time for the holidays).

Find out now if your email server is configured correctly; many are not...

Try to Spoof Me!
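Whether someone can send mail "from" your own domain comes down to two DNS records: the SPF record at your domain, which receivers check against the envelope sender, and the DMARC record at _dmarc.<domain>, which ties the SPF and DKIM results to the From: address the user actually sees and tells receivers what to do on failure. The checker below is an added example written for this page, not part of the KnowBe4 Domain Spoof Test; it rates a weak pair of records next to a hardened pair. The example.com records are constructed, and the tags it inspects are the standard ones (p, pct, rua and the SPF "all" qualifier), with no attempt to follow include: chains or count DNS lookups.

```python
from typing import Dict, List, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    """Return the reasons a stranger could send mail that passes as this
    domain. spf and dmarc are the TXT records found at <domain> and at
    _dmarc.<domain>, or None when the record does not exist."""
    issues: List[str] = []

    if not spf or not spf.lower().startswith("v=spf1"):
        issues.append("no SPF record: receivers cannot tell which servers "
                      "may send for this domain")
    else:
        terms = spf.split()[1:]
        all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
        if all_term is None:
            issues.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        elif all_term.startswith("-"):
            pass  # -all: unlisted senders hard-fail
        elif all_term.startswith("~"):
            issues.append("SPF ends in ~all (softfail): most receivers still deliver the message")
        else:
            issues.append(f"SPF ends in {all_term}: unlisted senders pass or are neutral")

    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        issues.append("no DMARC record: SPF/DKIM results are not tied to the "
                      "visible From: address, so header spoofing goes unpunished")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "").lower()
        if policy == "none":
            issues.append("DMARC p=none: failures are reported but the mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            issues.append("DMARC record has no valid p= policy")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            issues.append(f"DMARC pct={pct}: the policy applies to only {pct}% of failing mail")
        if "rua" not in tags:
            issues.append("no rua= address: you will never see who is spoofing you")
    return issues


# Constructed records for a hypothetical example.com. Look up your own with:
#   dig +short TXT example.com
#   dig +short TXT _dmarc.example.com
WEAK = ("v=spf1 include:spf.example.net ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
HARDENED = ("v=spf1 include:spf.example.net -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, (spf, dmarc) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_domain(spf, dmarc) or ["no issues found"])
```

Two caveats a practitioner should keep in mind: a clean result here protects your domain only at receivers that enforce DMARC, and it does nothing against the lookalike domains and display-name tricks this newsletter's other stories describe, which is why the records and the awareness training are complements rather than alternatives.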

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: We have a brand-new Assessments Feature that allows you to gauge your users' security proficiency and also their attitude related to your security culture. These surveys are super simple to deploy and give you fascinating data. Try them out! More here:

PPS: Check out the new articles and updates from the KnowBe4 Technical Content Team. Tons of good stuff here:
Quotes of the Week
"I would rather belong to a poor nation that was free than to a rich nation that had ceased to be in love with liberty." - Woodrow Wilson, US President (1856 - 1924)

"You will never reach your destination if you stop and throw stones at every dog that barks."
- Winston Churchill, UK Statesman (1874 - 1965)

Thanks for reading CyberheistNews
Security News
You Need to Start Thinking Differently About This Whole "Insider Threat" Concept

In order to defend against insider threats, you need an accurate picture of the problem. The CyberWire’s Carole Theriault spoke to a number of industry experts about insider threats and found that the issue is more complex than it appears on the surface.

Dr. Richard Ford, Chief Scientist at Forcepoint, said that even the term “insider threat” gives a false impression of the problem by making us think solely of malicious actors.

“Most insider threats are perfectly well-meaning employees that end up doing something foolish, or getting convinced to do something foolish, that compromises your data or your security in some way,” Ford said. “So, to me, an insider threat is the threats that emanate from within, but it doesn’t necessarily mean they’re malicious....In fact, what you find is a lot of accidental insiders who you can help along to not being accidental insiders.”

Likewise, “MC,” the VP of Product at ObserveIT, separated insider threats into three categories. “The first one is just users like you and me, who come to work with a good intent, hard-working, go back to home, family, friends,” MC said. “But at some point, we may do some negligent things.

For example, taking a printout so you can read it on the train ride home, or taking home sensitive files so you can work over the weekend….The second category is where rogue insiders, more within the mix of having a bad intent, for whatever reason – maybe financial, maybe ideological, maybe some kind of bad performance review, some kind of a personal stress issue – ends up stealing something that they shouldn’t….

And then there is a third category that people don’t think about, which is people falling victim to a phishing email coming from outside and they end up compromising their credentials.”

Dr. Ford added that some threats are purely malicious, and rooting them out helps protect all the other employees. In order to do this, organizations need to change the way they think about insider threats. Continued at the KnowBe4 Blog:
Here Is a New Term for Your Cybercrime Glossary: Vendor Email Compromise (VEC)

Agari’s latest Email Fraud & Identity Deception Trends report highlights the growing threat of vendor email compromise (VEC), according to SecurityWeek. This is a variety of business email compromise (BEC) attack—also known as CEO fraud— in which attackers gain access to email accounts at a company in the supply chain, and then use the accounts to target that company’s customers. P.S. Did you know that KnowBe4 has an extensive glossary with hundreds of these terms?

The attacks involve a reconnaissance phase in which the scammers quietly observe a company’s payment routines and identify a lucrative contract to target. Eventually, they’ll craft emails that perfectly imitate the real emails they’ve seen the company’s employees sending to their customers. The attackers will then send these emails from the hacked email account to request payment from the target company. These invoices are for the correct amount of money and appear identical to the real invoices, but they direct the money to the attacker’s bank account.

Armen Najarian, Agari's chief identity officer, told SecurityWeek that VEC attackers usually go after companies that have expensive contracts. “Generally, these sophisticated attackers are looking for deep pocket, big contract scenarios – think of the supply of a major part of a component for an aircraft manufacturing process that is potentially hundreds of thousands of dollars,” Najarian said.

While VEC scams use the same tactics as other BEC attacks, they are much more lucrative. Najarian said attackers have already realized this, and Agari expects vendor-focused attacks to surpass other BEC attacks next year. Continued at the KnowBe4 blog:
Phishing Kits Hosted on More Than Six Thousand Domains

Akamai’s 2019 State of the Internet / Security Report found that 6,035 domains were being used to host 120 different phishing kits, according to BleepingComputer. The phishing kits impersonated more than sixty well-known brands, with Microsoft, PayPal, DHL, Dropbox, DocuSign, and LinkedIn leading the pack.

The high-technology sector was targeted the most, followed by financial and e-commerce services. In total, Akamai’s researchers observed 2,064,053,300 unique domains associated with malicious activity over the course of sixty days.

The vast majority of these were linked to botnet traffic and shut down within a day, with less than four percent staying up longer than three days. More than sixty percent of the domains hosting phishing kits were shuttered within twenty days, driving criminals to regularly update their kits and evolve their tactics.

Martin McKeay, Editorial Director of the State of the Internet/Security report for Akamai, stressed in a press release that phishing isn’t going away, and organizations need to prepare their employees for these attacks now.

“Phishing is a long-term problem that we expect will have adversaries continuously going after consumers and businesses alike until personalized awareness training programs and layered defense techniques are put in place,” McKeay said.

Phishing attacks are always changing to stay ahead of new technologies. Story:
What KnowBe4 Customers Say

"I want to share that just in the last week, the KB4 training has finally paid off. Someone hacked a prominent C level person's email account and tried phishing a number of internal and external users. Our users reported within just moments of the irregularity and this helped IT respond to the issue extremely quickly before any real damage was done."
- G.E., Senior IT Director

"Hi Stu! Camp KnowBe4 has been very good to us :-) We were with [REDACTED] before and the difference is actually pretty surprising... you have a better product (we are now fully AD automated so provisioning is a breeze, and automated training assignment + phishing is awesome). With [REDACTED] we were paying extra for a very underwhelming managed service, and with Jennifer, our success manager, she has been more attentive than [REDACTED] ever was (and it's built into the cost).

I like it so much I recommended it to our head office, not sure where they are in their onboarding, but I'm sure they too will be happy campers. Keep doing what you do :-). Thanks!"
- E.M., Manager, Systems Infrastructure and Facilities
The 11 Interesting News Items This Week
    1. The financial industry just finished its annual ‘doomsday’ ransomware cybersecurity exercise — here’s what they imagined would happen. Yikes:

    2. This woman who delivered flowers to your office was a hacker. Did you let her in?:

    3. Europol: Spear Phishing Is the Most Prevalent Cyber Threat Affecting Orgs Across the EU:

    4. Tipped off by an NSA breach, researchers discover a whole new APT hacking group:

    5. It's that time again. Malware authors using politics as a lure to trick users into clicking:

    6. This is the impact of a data breach on enterprise share prices:

    7. Microsoft crams Office 365 docs into Edge-style sandboxes to thwart malware infections:

    8. IBM social engineer easily hacked two journalists' information:

    9. Moscow Works Really Hard to Shield Russian Hackers Against Extradition:

    10. Ransomware Attacks Hit Everis and Spain's Largest Radio Network:

    11. BONUS: "Who's Being Phished" Episode 2:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
