Microsoft warns that a renowned initial access broker with close links to ransomware groups is targeting organizations with Microsoft Teams phishing attacks.
The financially motivated actor, tracked by Microsoft as Storm-0324 (formerly DEV-0324) and also known as Sagrid, has provided access to the FIN7, Maze, REvil, BlackMatter, and DarkSide ransomware-as-a-service (RaaS) operations.
“Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats,” Microsoft wrote in a blog post.
The threat actor leverages payment and invoice lures impersonating DocuSign, Quickbooks, and others to gain access and distribute third-party payloads such as Dridex, Gootkit, Gozi, IcedID, Nymaim, Sage, TrickBot, and JSSLoader.
Microsoft Teams phishing attacks leverage open-source tools and SharePoint
The initial access broker employs a publicly available tool called TeamsPhisher, a Python-based application allowing Teams users to attach files to messages sent to external tenants. The distributed malicious payloads are hosted on SharePoint.
“In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file,” said Microsoft.
The SharePoint-hosted archive contains a JavaScript file that downloads the JSSLoader DLL payload, which hands control to Sangria Tempest (also tracked as Carbon Spider, ELBRUS, and FIN7) for post-exploitation activity and ransomware deployment. The initial access broker has been providing access to Sangria Tempest since 2019.
Microsoft noted that the initial access broker employs various evasion tactics to avoid detection. They include adding passwords or codes to its lures to increase their credibility, and using Windows Script Files (WSF) and Ekipa-built Microsoft Publisher files that exploit CVE-2023-21715, a Publisher security-feature bypass.
Additionally, the threat actor uses “traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic.”
The tech giant did not disclose the number of Microsoft Teams users targeted by the initial access broker.
Microsoft also clarified that the campaign was unrelated to the May 2023 Midnight Blizzard social engineering campaign. Those Teams-based phishing attacks were attributed to the Russian state-sponsored threat actor Midnight Blizzard (NOBELIUM) and affected fewer than 40 organizations globally.
JUMPSEC Labs first highlighted the weakness that lets a user in one Microsoft Teams tenant deliver files hosted on their own SharePoint to users in other organizations, bypassing the client-side control that is supposed to prevent file sending to external tenants.
According to JUMPSEC, organizations “inherit Microsoft’s default configuration, which allows users from outside of their organization to reach out to their staff members.”
Additionally, the links appear as file attachments rather than URLs and inherit the “trust reputation of Sharepoint,” making recipients more likely to click them.
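The inherited default that JUMPSEC describes can be audited and tightened from the Microsoft Teams PowerShell module. The following is an added example, not code from the article, Microsoft, or JUMPSEC; the partner domain names are placeholders and must be replaced with the tenants your organization actually works with.

```powershell
# Added example (not from the article, Microsoft or JUMPSEC): audit and tighten Teams
# external access so that arbitrary external tenants and consumer accounts cannot open
# one-on-one chats with your users. Domain names are placeholders.
Connect-MicrosoftTeams

# 1. Audit the current federation settings. In a default tenant AllowFederatedUsers is $true
#    with an empty allow list, i.e. open federation with every other Teams tenant.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                     AllowedDomains, BlockedDomains

# 2. Stop chats initiated from personal (consumer) Teams accounts entirely.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 3. Replace open federation with an explicit allow list of partner tenants.
$partners  = @("partner-one.example", "partner-two.example")   # placeholders
$patterns  = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 4. Verify: only the listed domains should remain.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

If the business genuinely needs open federation, the weaker alternative is to keep `AllowFederatedUsers $true` and maintain a block list with `-BlockedDomains` instead. Note the caveat either way: an allow list only removes the long tail of unknown tenants; a lure sent from a compromised or look-alike account inside an allowed partner tenant still arrives, so this control complements rather than replaces user reporting and phish-resistant authentication.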
“Targeted phishing attacks in collaboration tools are becoming more common because the likelihood of success is higher than email phishing attacks,” said Patrick Harr, CEO at SlashNext. “Users are not expecting phishing attacks in Teams or Sharepoint, and these attacks are often too sophisticated for a user to determine the communication is malicious.”
Stopping the initial access broker Storm-0324 prevents ransomware attacks
Redmond suggested that stopping the initial access broker was the first line of defense in preventing more potent attacks such as ransomware.
“Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.”
The tech giant recommends configuring Microsoft 365 Defender, implementing the principle of least privilege, practising credential hygiene, deploying phish-resistant authentication, and educating employees on phishing attacks.
Microsoft also disclosed that it “rolled out several improvements to better defend against these threats” and suspended identified accounts and tenants involved in inauthentic behaviors.
Similarly, it implemented the “Accept/Block experience in one-on-one chats within Teams,” allowing users to decide whether to interact with an external account before any message content is exchanged.
The tech giant also rolled out “restrictions on the creation of domains” and improved notifications to alert admins when new accounts are created on their tenants.
Lastly, Microsoft assured its customers it was working diligently to identify and block malicious activity, limiting threat actors’ ability to abuse its platform.