When it comes to doing business from home, apart from Telegram, which is planning to move into the video chat space, the most immediate threat to the sector dominance of Zoom is Microsoft Teams. This should come as no great surprise, as the number of daily active users on Microsoft’s service leapt from 44-million to 75-million across just two weeks at the end of March.
However, as with Zoom, mass popularity also means vulnerability exploits and hacks. Now a new report via Forbes reveals how security researchers have observed thousands of cloned Microsoft Teams login pages being used in an attempt to harvest account passwords.
Cybercriminals Jump from Zoom to Microsoft Teams
Zoom’s explosion in popularity came exactly in the wake of the worsening of the world-wide pandemic, but with its massive surge in users likewise came a huge surge in security and privacy issues that plague the service to this day. With many huge companies and educational institutes outright banning the use of Zoom, thousands are flocking to Teams.
This doesn’t necessarily mean that users are off the cyber-hook when it comes to being attack targets. Hot on the heels of a report on how Microsoft Teams users were vulnerable to a malicious GIF that could have stolen account data, comes this news of another security threat to those looking for an alternative to Zoom.
Researchers from Abnormal Security have revealed a multi-pronged Microsoft Teams impersonation attack. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert dated 29 April warning of an uptick in just this kind of attack, given the speed of deployment as organizations migrate to Microsoft 365 during the COVID-19 lockdown.
What Abnormal Security observed were convincingly crafted emails impersonating the automated notification emails from Microsoft Teams. The aim is simply to steal employees' Microsoft 365 login credentials.
50,000 Microsoft Teams Users Already Targeted
The researchers report that as many as 50,000 users had been subject to this attack as of 1 May. This is far from your average phishing scam, however, and comes at precisely the right time to fool already stressed and somewhat disoriented workers. This new phishing campaign is designed to look professional and trick as many people as possible.
“The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider,” the researchers say.
The attackers are also using newly-registered domains that are designed to fool recipients into thinking the notifications are from an official source.
As far as credential-stealing is concerned, the payload is delivered in an equally malicious way. The attackers employ multiple URL redirects to conceal the real hosting URLs, aiming to bypass email protection systems, and eventually drive the user to the cloned Microsoft Office 365 login page.
There, the user will input their email and password and have their credentials stolen, being none the wiser.
“Recipients would be hard-pressed to understand that these sites were set up to misdirect and deceive them to steal their credentials,” Abnormal Security says, “given the current situation, people have become accustomed to notifications and invitations from collaboration software providers.”
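For defenders, the redirect behaviour described above can be checked on a link's recorded redirect chain: where the chain ends matters more than where it starts. The sketch below is an added example, not code from Abnormal Security or Microsoft; the host lists, the hop threshold and the sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: sign-in hosts the organisation treats as genuine; adjust per tenant.
OFFICIAL_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Assumption: parent domains allowed to carry the brand words below.
OFFICIAL_PARENTS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
BRAND_WORDS = ("microsoft", "office365", "teams")  # crude substring heuristic
MAX_CROSS_HOST_HOPS = 2  # assumption: threshold to tune against real mail flow


def host_of(url):
    """Lower-cased hostname; userinfo ('real.host@other.host') and port are ignored."""
    return (urlsplit(url).hostname or "").rstrip(".")


def is_official(host):
    return any(host == p or host.endswith("." + p) for p in OFFICIAL_PARENTS)


def assess_chain(chain):
    """chain: URLs in the order followed, email link first, landing page last."""
    if not chain:
        return []
    hosts = [host_of(u) for u in chain]
    findings = []
    cross_host = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    if cross_host > MAX_CROSS_HOST_HOPS:
        findings.append("cross-host-redirects:%d" % cross_host)
    if hosts[-1] not in OFFICIAL_LOGIN_HOSTS:
        findings.append("landing-host-not-official:" + hosts[-1])
    for h in dict.fromkeys(hosts):  # de-duplicate, keep order
        if not is_official(h) and any(w in h for w in BRAND_WORDS):
            findings.append("brand-word-on-unofficial-host:" + h)
    return findings


# Constructed sample chains (reserved .example names, not real indicators).
SUSPICIOUS = [
    "https://mail-tracker.example/c?id=1",
    "https://cdn-redirect.example/r/abc",
    "https://short.example/x9",
    "https://teams-microsoft-login.example/common/oauth2/authorize",
]
GENUINE = [
    "https://teams.microsoft.com/l/message/1",
    "https://login.microsoftonline.com/common/oauth2/authorize",
]
USERINFO_TRICK = ["https://login.microsoftonline.com@signin.example/"]
```

An empty result means none of these three checks fired; it does not prove a link is safe.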
Edited by Luis Monzon