Microsoft Teams has become a vital communication channel for many organizations. However, it’s only recently that we’ve started to see significant attacks on this platform. In recent months, the Storm-0324 Threat Group has leveraged Teams to deliver phishing and malware campaigns, marking a new frontier in cyber threats. Although Teams has not yet become a primary attack vector, it is gaining traction, and this trend is expected to continue. Hackers are now using traditional Business Email Compromise (BEC) tactics, such as account compromise and spoofed names, on Teams. This evolution is being termed Business Communication Compromise (BCC), the new variant of BEC.
The Evolution of Business Email Compromise
The evolution of BEC can be categorized into four distinct phases:
BEC 1.0: This initial phase involved simple user impersonation, often with the CEO’s identity spoofed using a Gmail address. The attacks typically featured urgent requests, such as purchasing gift cards.
BEC 2.0: The second phase saw attackers compromising partners and sending emails on their behalf, often to change bank account details.
BEC 3.0: The third phase involved using legitimate services to send phishing messages. Popular sites like PayPal and QuickBooks were exploited to deliver these attacks.
BEC 4.0/BCC: Now, in the fourth phase, hackers are utilizing communication platforms like Teams to send phishing messages. This new form of attack represents a significant evolution, leveraging the inherent trust and free flow of information within these platforms.
The Mechanics of BCC Attacks on Teams
BCC attacks often start with an email notification from Teams. These notifications are typical, usually informing the user of a new message with a subject like “[Insert Name] sent you a message.” In a BCC attack, the email might state that “Teams” sent a message, claiming the user has won a new iPhone. The message may appear to come from a legitimate Teams tool, such as Teams Survey, with a legitimate email address (e.g., noreply@email.teams.microsoft.com).
For these attacks to succeed, they often require a compromised user account. Since 2020, compromised Teams accounts, especially from partner organizations, are being used to fool users into sharing insider information. When a Microsoft 365 account is compromised, hackers check if the person has a Teams account, considering it a high-value target due to the extensive information shared within Teams. Attackers use traditional email phishing methods to compromise Microsoft 365 accounts, knowing the same credentials work for Teams.
Silent and Stealthy Attacks
Teams and Slack attacks are designed to avoid detection, exploiting the inherent trust users place in these platforms. Attackers use these internal communication tools as preferred East-West vectors to spread within an organization. Malware or phishing URLs are crafted to bypass built-in protections and tested against Microsoft filters, making these attacks straightforward yet potentially very damaging.
Best Practices: Guidance and Recommendations
To protect against these sophisticated attacks, security professionals should:
Implement Sandbox Protection: Download all files in a sandbox environment to inspect for malicious content before they reach end-users.
Encourage IT Reporting: Educate end-users to promptly report any unfamiliar files or messages to the IT department.
Deploy Comprehensive Security: Use a robust, full-suite security solution that secures all lines of business communication, including Teams. Modernized security tools like Checkpoint Harmony can protect not just your email but also collaboration tools across your Microsoft account, including Microsoft Teams.
By staying informed and adopting these best practices, organizations can better safeguard their communication channels and protect against the emerging threat of Business Communication Compromise on platforms like Microsoft Teams.