How to Spot and Avoid this New Microsoft Teams Scam

Report warns that scammers are now posing as IT workers on Microsoft Teams to get remote access to victims' computers.

Scammers are using Microsoft Teams messaging as a new tactic for getting to victims, a new report has revealed.

US cybersecurity firm Reliaquest has detailed this latest mode of attack and warns that it observed around 1,000 emails sent to a single user within just 50 minutes before the scam moved over to Teams.

This latest report on ever-changing modes of attacks comes after Microsoft and OpenAI warned that hackers are also using AI to make their attacks sleeker and less easy to detect.

From Russia with Love

The Reliaquest report details that this new scam is a variation of a tried and tested tactic from the ransomware group ‘Black Basta’ and it is highly confident that this is the group behind the attacks.

The report identifies that most of these threat actors can be identified as originating from Russia, thanks to the time zone information logged by Teams displaying Moscow as the location.

 


The US Cyber Defense Agency said in May that the criminal outfit had impacted 500 companies globally.

How the Microsoft Teams Scam Works

Previously, the group bombarded targets with email spam to prompt them to create a legitimate help-desk ticket to resolve the issue. The victim then received what they thought was a help desk response but when they engaged, it morphed into an attack.

However, the attackers are now using Microsoft Teams to reach out to the victim following the flood of emails.

Scammers are using the messaging service instead of email to pose as IT support. They then send links or malicious QR codes for the remote monitoring and management (RMM) tool, AnyDesk. It Pro explains that the “domains linked to the QR codes were often generic but the report noted some were tailored to match the targeted organization, such as ‘companyname.qr–s1[.]com’.”

When a victim responds, they are unknowingly giving access to their environment to the scammers to launch their ransomware attack.

The Reliaquest report also states that it found adverts on the dark web from Black Basta listing its email spam services, asking for fees of between $10 and $500.

How to Protect Yourself From Scammers on Microsoft Teams

Reliaquest says that it is already seeing the hackers adapting their tactics to use Microsoft’s QuickAssist instead of AnyDesk so vigilance is key.

It recommends looking out for the initial emails as they are “typically from automated systems or services that send confirmations or notifications (e.g., noreply@domain[.]com, subscription@domain[.]com, support@domain[.]com, help@domain[.]com, marketing@domain[.]com).”

Aggressive anti-spam policies within email security tools can stop these spam emails reaching your inbox, it says.

But even if an email does get through, employees will remain safe if their organization has disabled communication from external users within Teams. Reliaquest adds that if communication with external users is necessary, “specific trusted domains can be allow listed”.

It also suggests enabling logging for Teams and searching for rogue accounts. It writes that accounts impersonating IT help desks typically have their names set to “Help Desk.” “This string is often surrounded by whitespace characters, likely to center the name within chats”, it explains. “When searching for these accounts, organizations should search for “contains,” rather than a direct match.”
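The "contains" search described above can be sketched as follows. This is an added example, not code from Reliaquest or Microsoft; the record fields (`display_name`, `upn`), the domains and the sample events are constructed assumptions and do not reflect the real Teams audit log schema.

```python
import re
import unicodedata

NEEDLE = "help desk"
INTERNAL_DOMAINS = {"corp.example"}  # assumed tenant domain (hypothetical)

# Constructed sample events; field names are assumptions, not a Teams schema.
SAMPLE_EVENTS = [
    {"display_name": "      Help Desk      ", "upn": "it@tenant-a.example"},
    {"display_name": "\u2003\u2003Help\u00a0Desk\u2003", "upn": "admin@tenant-b.example"},
    {"display_name": "IT  HELP DESK (Support)", "upn": "x@tenant-c.example"},
    {"display_name": "Help Desk", "upn": "helpdesk@corp.example"},
    {"display_name": "Jane Doe", "upn": "jane@partner.example"},
]

def normalize(name):
    """Fold Unicode spaces to ASCII, drop invisible format characters,
    collapse whitespace runs, and casefold for comparison."""
    name = unicodedata.normalize("NFKC", name)
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return re.sub(r"\s+", " ", name).strip().casefold()

def is_external(upn):
    """True when the sender's domain is not one of the tenant's own."""
    return upn.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def exact_hits(events):
    """Direct match: misses any name padded with whitespace."""
    return [e["upn"] for e in events
            if is_external(e["upn"]) and e["display_name"] == "Help Desk"]

def contains_hits(events):
    """'Contains' match on the normalized name, external senders only."""
    return [e["upn"] for e in events
            if is_external(e["upn"]) and NEEDLE in normalize(e["display_name"])]

if __name__ == "__main__":
    print("exact match:   ", exact_hits(SAMPLE_EVENTS))
    print("contains match:", contains_hits(SAMPLE_EVENTS))
```

Restricting the search to external senders keeps the organization's own help desk account out of the results.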

As always, employee training and vigilance remain key, as the attacks are unlikely to stop and the tactics will constantly evolve.


Written by:
Katie has been a journalist for more than twenty years. At 18 years old, she started her career at the world's oldest photography magazine before joining the launch team at Wired magazine as News Editor. After a spell in Hong Kong writing for Cathay Pacific's inflight magazine about the Asian startup scene, she is now back in the UK. Writing from Sussex, she covers everything from nature restoration to data science for a beautiful array of magazines and websites.