Phishing via Microsoft Teams facilitates ransomware attacks.
Sep 13, 2023

The Storm-0324 gang is abusing the trust users place in Microsoft Teams.

A Microsoft report outlines a criminal access broker that sends phishing lures through Microsoft Teams messages. The threat actor, which Microsoft tracks as “Storm-0324,” distributes a variety of malware strains, but primarily focuses on delivering JSSLoader before handing over access to the Sangria Tempest ransomware actor (also known as “FIN7”).

Business documents as phishbait.

Microsoft explains, “Storm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload.”

Storm-0324 is financially motivated and straightforwardly criminal, but its attack methods show considerable sophistication. “The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.”

The risk of too-easily-trusted collaboration tools.

Max Gannon, Senior Cyber Threat Intelligence Analyst at Cofense, believes the report highlights a shift in adversary tactics. “Chat systems such as Slack and Teams need to be acknowledged by organizations as something that poses the same threat level as credential phishing emails,” Gannon wrote in emailed comments. “Any system that can be manipulated to take advantage of a user’s trust can be used as a method of entry. For example, websites can have popup advertisements claiming to have detected malware on the user’s computer and offering remediation which is just a technique used to take advantage of the user’s trust in order to install malware. There are a huge number of methods like this that threat actors can use.”

The moral, Gannon thinks, is that complacency with respect to the trustworthiness of any particular source is dangerous. “Treating any one source as being a non-issue or as having a negligible threat level can easily come back to haunt decision-makers. That said, training users in any one platform enables them to apply the same skills and skepticism to any other platform. These incidents really drive home the necessity of organizations using all the tools at their disposal to account for threats they haven’t even yet recognized.”