Security researchers have warned Microsoft Teams users of new email scams which attempt to steal the login details for their accounts.
Abnormal Security identified two types of phishing attacks that direct email recipients to fake Teams login pages in order to harvest their credentials.
As remote working has surged during the coronavirus pandemic, professional collaboration software such as Microsoft Teams has seen a drastic rise in usage.
It appears that malicious actors have taken note of this increase, with between 15,000 and 50,000 mailboxes receiving the scam emails identified by Abnormal Security.
Tricking recipients and malicious detection
The researchers explained that the hackers craft a convincing email which pretends to be from Microsoft Teams in order to initiate the attack.
“In one of the attacks, the sender email originates from a recently registered domain, ‘sharepointonline-irs.com’, which is not associated to either Microsoft or the IRS,” the report noted.
The attackers employ multiple URL redirects in order to hide the real URL from malicious link detection in email software.
In the first attack, the email contains a link to a document on a domain used by an established email marketing provider to host static material used for campaigns.
This document contains a URL-embedded image that urges the recipient to log into their Teams account. If a user clicks on this image, they are redirected to a cloned Microsoft Teams login page.
The second attack redirects the user to a link hosted on YouTube, which then uses two other URL redirects to send victims to a fake login page.
The researchers noted that the landing pages for both attacks look visually identical to the real web page and use images copied from actual notifications and emails from Microsoft Teams.
“Recipients would be hard-pressed to understand that these sites were set up to misdirect and deceive them to steal their credentials,” the report stated.
Avoid becoming a victim
Users who fall victim to the phishing attacks will have their credentials compromised, allowing attackers to gain access to files and information stored on their account, which could include sensitive company information.
Microsoft Teams users are encouraged to check that the URL of the login page matches https://login.microsoftonline.com to ensure that they are using the correct portal.
It is advisable not to click on any link in emails claiming to be from official sources without properly perusing the sender’s details.