A large-scale phishing campaign is being conducted that spoofs Microsoft Teams in an attempt to get users to part with their Microsoft Office 365 credentials. Abnormal Security reports that up to 50,000 mailboxes have been targeted in the campaign so far.
The emails appear to be automatic notifications from Microsoft with “There’s new activity in Teams” as the display name. The subject line indicates messages have been sent in Teams and a response is required.
The emails indicate that the user’s teammates are trying to get in touch on Teams and the user is required to reply promptly. A link is included for the user to click to “Reply in Teams.”
The emails have a realistic-looking footer that provides links for the user to click to install Microsoft Teams on iOS or Android. All three hyperlinks in the email direct the user to a webpage that displays the Microsoft Office 365 login prompt. The webpage is identical to the genuine login page for Microsoft Office 365, aside from the domain.
The URL starts with microsftteams to make it appear that the website is a genuine Microsoft domain. If credentials are entered, they are captured by the scammers.
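As an added illustration of how a mail filter might catch the two tells described above (a "Teams" display name on a non-Microsoft sender, and links whose host name borrows Microsoft or Teams branding on a domain Microsoft does not own), here is example detection code that is not part of the original report; the allow-list of Microsoft domains, the brand-token list and the sample message are assumptions constructed for the example.

```python
# Heuristics for the Teams lure described above: spoofed "Teams" display name
# and links whose host borrows Microsoft/Teams tokens on a non-Microsoft domain.
import re
from urllib.parse import urlparse

# Assumption: allow-list of registrable domains Microsoft uses for Teams and
# Office 365 sign-in; extend it from your own tenant's configuration.
ALLOWED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}
# Brand tokens, including the misspelling used in the campaign described above.
BRAND_TOKENS = ("microsoft", "microsft", "teams", "office365", "o365")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels (enough for the allow-list above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_hosts(body: str) -> list[str]:
    """Hosts of links that borrow Microsoft/Teams branding off-domain."""
    flagged = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if registrable_domain(host) in ALLOWED_DOMAINS:
            continue  # genuine Microsoft link, nothing to flag
        if any(tok in host for tok in BRAND_TOKENS):
            flagged.append(host)
    return flagged

def spoofed_display_name(from_header: str) -> bool:
    """True if the display name claims Teams but the address is off-domain."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', from_header)
    if not m:
        return False
    name, addr = m.group(1).lower(), m.group(2)
    domain = registrable_domain(addr.rsplit("@", 1)[-1])
    return "teams" in name and domain not in ALLOWED_DOMAINS

# Constructed sample modelled on the lure described above (not a real capture).
SAMPLE_FROM = '"There\'s new activity in Teams" <noreply@notify.example.net>'
SAMPLE_BODY = """Your teammates are trying to reach you in Microsoft Teams.
<a href="https://microsftteams.login.example.net/?id=1">Reply in Teams</a>
Install Teams: https://microsftteams.login.example.net/ios
https://microsftteams.login.example.net/android
Learn more: https://www.microsoft.com/microsoft-teams
"""

if __name__ == "__main__":
    print("display name spoofed:", spoofed_display_name(SAMPLE_FROM))
    print("lookalike hosts:", sorted(set(lookalike_hosts(SAMPLE_BODY))))
```

The last-two-labels domain check is deliberately simple; a production filter would use a public-suffix list so that hosts under multi-label TLDs are classified correctly.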
Microsoft Teams has proven to be a popular communication tool during the COVID-19 pandemic and is used by many remote workers to collaborate and maintain contact with the office. Previous phishing campaigns have also been identified that spoof Microsoft Teams and seek Office 365 credentials.
Office 365 credentials are valuable to hackers. They can be used to gain access to accounts that contain sensitive data, and hacked email accounts can be used to conduct further phishing attacks on the organization and its vendors. Many large-scale data breaches and ransomware attacks have started with a response to a phishing email and the disclosure of Office 365 credentials.