A study by Avanan has found that users tend to trust workplace communication tools such as Microsoft Teams, Slack, and Google Hangouts, even though these platforms are subject to many of the same risks as traditional email. For example, if an attacker phishes a user’s Office 365 credentials, they can then access the user’s Teams account and message the victim’s contacts. Avanan’s CEO Gil Friedrich told SC Media that many organizations have third-party partners tied into their Teams environment, which increases the level of risk.
“[Y]ou should be more careful in those environments with data you share as well as that with the things you download, etc., because you can’t really control the security of your partners,” Friedrich said.
Avanan’s report describes one incident in which an attacker gained access to one employee’s Teams account, then sent a malicious GIF to another employee. When the other employee clicked the GIF, the attacker received their session token, which enabled the attacker to impersonate that employee and gain access to their files. The attacker continued using this technique to impersonate additional users and gain access to more content.
In another instance, a hacker lurked within an organization’s Teams environment for nearly a year before sending a malware-laden file.
“[U]nlike traditional spray-and-pray campaigns we see in compromised email accounts, this hacker acted differently on Teams,” the report says. “For that year, the hacker did not contribute once in the channel. Instead, the hacker listened, collected data and waited for an opportunity. This is a new revelation. In order to evade detection in this new medium, hackers would rather wait for when they can make the biggest impact with the least possible detection. When an opportunity arrived and sharing a file was part of a natural chat conversation, the hacker shared a zip file, which included a version of a malware kit designed for desktop monitoring and configured to install silently upon clicking the file. This Remote Access Trojan would have given the attacker full access to monitor and control the victim’s desktop.”
New-school security awareness training can give your employees a healthy sense of suspicion so they can identify red flags, no matter which online service they’re using.
SC Media has the story.