Microsoft Teams has seen rapid adoption in the three years since it was released back in 2016, becoming by some estimates the second most used business collaboration tool after Skype. Unsurprisingly, malicious actors have taken notice.
Over the course of 2019 we have seen a steady increase in the number of malicious emails spoofing Microsoft Teams email alerts and notifications. These phishing emails -- reported to us by customers using the Phish Alert Button (PAB) -- range from low rent trash that bears almost no resemblance to legitimate Teams emails to high-quality spoofs that are well-nigh indistinguishable from the real thing.
The majority of the spoofed Teams emails we've seen are fairly well-executed, and look to have been based directly on actual Teams emails that were fished out of the inboxes of compromised accounts at organizations using the Microsoft collaboration tool.
Content and format are nearly perfect in these malicious spoofs, leaving only the link itself to give away the ruse. Note the use of multiple subdomains in the URL above to draw users' eyes to the string "login.microsoftonline.com" which, for many users, will be effective enough to disguise the true destination of that link.
The bad guys behind some of these malicious emails will not hesitate to exploit trusted domains and services from Microsoft's competitors in order to spring a malicious link on unsuspecting users. In this example, the email itself points users to a web page hosted on Google's Appspot cloud platform...
...which turns out to be a slickly designed spoof of Microsoft's own login page.
This kind of disconnect ought to be an easy one to pick up on, but all too many users simply aren't paying attention.
Of course, if you need a truly convincing host for the malicious bits of your spoofed Teams phishing campaign, the obvious first choice is Microsoft's own Azure service.
The link says "windows.net," which is Microsoft. What could possibly be wrong?
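The two link tricks described above (a brand string such as "login.microsoftonline.com" padded into the subdomain labels of an unrelated domain, and a sign-in page hosted on a shared cloud platform like Appspot or windows.net) can both be caught by looking at the registrable domain rather than the start of the hostname. The following Python is an added example for defenders and is not KnowBe4's code; the suffix, brand and hosting lists are assumptions for illustration (a real deployment would use the Public Suffix List), and the URLs in the demo are constructed.

```python
"""Triage links from suspected Microsoft Teams phishing emails.

Added example, not the post's own code. Lists below are assumptions.
"""
from urllib.parse import urlparse

# Assumed: a few multi-label public suffixes so the registrable domain is cut correctly.
MULTI_LABEL_SUFFIXES = ("co.uk", "com.au", "co.jp")

# Assumed: domains Microsoft itself uses for sign-in; tuple keeps finding order stable.
BRAND_DOMAINS = ("microsoftonline.com", "microsoft.com", "office.com", "live.com")

# Assumed: shared platforms named in the post, where any tenant can host a page.
SHARED_HOSTING = {
    "appspot.com": "Google App Engine",
    "windows.net": "Microsoft Azure storage/web",
    "azurewebsites.net": "Microsoft Azure App Service",
}

# Brand words that often appear inside lookalike registrable domains.
BRAND_TERMS = ("microsoft", "outlook", "office", "teams")


def registrable_domain(host):
    """Return the registrable domain, e.g. 'evil-example.net' for
    'login.microsoftonline.com.evil-example.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_url(url):
    """Return the host, its registrable domain, and a list of human-readable findings."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    # 1. Brand domain padded into the subdomains of an unrelated registrable domain.
    for brand in BRAND_DOMAINS:
        if brand in host and reg != brand:
            findings.append(f"brand '{brand}' appears as a subdomain of '{reg}'")

    # 2. Sign-in page on a shared platform: windows.net really is Microsoft,
    #    but so is every tenant's storage account, so it proves nothing.
    if reg in SHARED_HOSTING:
        findings.append(f"hosted on shared platform {SHARED_HOSTING[reg]} ({reg})")

    # 3. Brand word inside a registrable domain that is not a real brand domain.
    if reg not in BRAND_DOMAINS:
        for term in BRAND_TERMS:
            if term in reg:
                findings.append(f"lookalike: '{term}' in unrelated domain '{reg}'")
                break

    return {"host": host, "registrable_domain": reg, "findings": findings}


def is_suspicious(url):
    return bool(analyze_url(url)["findings"])


if __name__ == "__main__":
    # Constructed sample links; none of these hosts are taken from a real campaign.
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.evil-example.net/auth",
        "https://example-tenant.appspot.com/login",
        "https://example-tenant.blob.core.windows.net/login.html",
    ):
        result = analyze_url(sample)
        print(sample, "->", result["findings"] or "no findings")
```

The key design choice is that every check keys off the registrable domain: a user reading left to right sees "login.microsoftonline.com", but the owner of the page is whoever controls the last two labels.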
All bad guys are not created equal, though. Some appear to have a vague understanding of what Microsoft Teams is and how popular it has become among business organizations -- especially those that have fully embraced Office 365 and its ever-expanding suite of productivity tools. But these bottom-feeders don't necessarily have the knowledge base, motivation, or resources to do a proper spoof of Teams email notifications.
None of that is a barrier to going after Microsoft Teams users, though. Just sprinkle a few references to "teams" throughout the Subject: line and email body, use a trusted email service provider like Sendgrid to blast out your low rent spoofs, and you're in business.
And even the laziest of poorly designed phishing campaigns such as the one below can still pull the magic voodoo "Windows.net" trick:
To no one's surprise, though, this one got reported fairly quickly and blocked outright by the browser.
If Microsoft can integrate Teams into its larger suite of productivity tools, who's to say the bad guys can't do the same thing?
In this phish the bad guys simply took a fairly standard Office 365 credentials phish and spruced it up a bit by changing the sender name to "Microsoft Teams."
Coupled with the use of a Microsoft-y looking domain -- "outlooksecure.com" -- in the money link, that just might be enough to persuade a few people in many organizations to click the link and hand over their credentials to malicious actors.
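The low-effort variants above share three tells that a mail gateway or a triage script can check without rendering the message: a "Microsoft Teams" display name sitting over a sender address that is not Microsoft's, "teams" sprinkled through the Subject: line and body, and a bounce address at a bulk provider like Sendgrid. The following Python is an added example for defenders and is not KnowBe4's code; the legitimate-sender list, the bulk-provider list, the Microsoft sender address in the clean sample, and both sample messages are assumptions constructed for illustration.

```python
"""Flag emails wearing a 'Microsoft Teams' display name over a non-Microsoft sender.

Added example, not the post's own code. Sender lists and samples are assumed.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed: domains (and their subdomains) from which genuine Teams mail is sent.
LEGIT_SENDER_DOMAINS = ("microsoft.com",)

# Assumed: bulk-mail providers the post mentions as abused for low-rent spoofs.
BULK_PROVIDER_DOMAINS = ("sendgrid.net",)

BRAND_WORDS = ("microsoft", "teams")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_legit_sender(domain):
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_SENDER_DOMAINS)


def triage_message(raw):
    """Parse a raw RFC 822 message and return sender details plus findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    bounce_dom = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""

    findings = []
    claims_brand = any(w in display.lower() for w in BRAND_WORDS)

    # 1. Display name says Microsoft/Teams, but the From domain is not Microsoft's.
    if claims_brand and not is_legit_sender(from_dom):
        findings.append(f"display name '{display}' over non-Microsoft sender '{from_dom}'")

    # 2. "teams" sprinkled through Subject and body from a non-Microsoft sender.
    if "teams" in subject + " " + body and not is_legit_sender(from_dom):
        findings.append(f"Teams keywords in mail from '{from_dom}'")

    # 3. Brand claim delivered through a bulk-mail provider's bounce address.
    if claims_brand and any(bounce_dom == d or bounce_dom.endswith("." + d)
                            for d in BULK_PROVIDER_DOMAINS):
        findings.append(f"Microsoft-branded mail bounced via bulk provider '{bounce_dom}'")

    return {
        "display_name": display,
        "from_domain": from_dom,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed spoof: the display name and link domain mirror the post's example.
SAMPLE_SPOOF = """\
Return-Path: <bounces@sendgrid.net>
From: "Microsoft Teams" <notify@outlooksecure.com>
To: user@example.com
Subject: You have new Teams messages

Your team has sent you 3 new messages in Microsoft Teams.
Sign in to review them: https://outlooksecure.com/login
"""

# Constructed clean sample; the sender address is an assumption, not verified.
SAMPLE_LEGIT = """\
From: "Microsoft Teams" <noreply@email.teams.microsoft.com>
To: user@example.com
Subject: You have new Teams messages

Sign in to Teams to read your new messages.
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, "->", triage_message(raw)["findings"] or "no findings")
```

None of these checks needs DKIM or SPF results, which is the point: the cheapest spoofs give themselves away in the headers a user never looks at, so a script can look there first.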
If you've rolled out Microsoft Teams in your organization, you would do well to wonder just how well your users and employees would handle the kinds of spoofed Microsoft Teams emails that are currently landing in inboxes. Would they bother to check the link? Would they notice that the Microsoft login page sitting in front of them is actually hosted on a Google cloud-based service like Appspot?
Then again, why just wonder?
New-school Security Awareness Training can train your users to be on the alert for those kinds of "tells," then test their reactions to simulated phishing emails based on actual phishes used by real malicious actors in the wild. It's the best means to ensure that the only ones managing your teams are your own people -- not confidence tricksters looking to muscle their way into your organization's network.
For KnowBe4 customers, we have several ready-to-send phishing templates you can use to inoculate your users against attacks like this.