AT&T Cybersecurity has issued a warning about a new cyber threat that has emerged, targeting one of the most widely used collaboration platforms in today’s workplace: Microsoft Teams. This platform, which has become the go-to tool for seamless teamwork and communication, has unfortunately become a prime target for phishing and malware attacks.
The root of the issue lies in the exploitation of External Access, a feature within Microsoft Teams that enables users to communicate with individuals outside their organisation. This seemingly beneficial feature has inadvertently opened a gateway for attackers to infiltrate organisations through unsolicited chats and messages.
A recent incident reported by AT&T’s Managed Detection and Response (MDR) team shed light on the severity of the situation. An external user, not affiliated with the organisation, initiated suspicious Microsoft Teams chats with internal members, setting off alarms within the organisation. Upon further investigation, it was confirmed that these chats were indeed phishing lures, designed to deceive unsuspecting users into divulging sensitive information or clicking on malicious links.
More concerning still is the sophistication of the attack, detailed in a blog post the MDR team published on January 30, 2024. Analysis of the tactics and indicators of compromise (IOCs) employed by the attacker revealed associations with DarkGate malware, a notorious threat that has plagued large and small businesses alike.
DarkGate malware first reared its head on December 25th, 2017, initially functioning as a password stealer and cryptocurrency miner. It spread primarily through torrent files and was identified by enSilo researcher Adi Zeligson, who observed it targeting Windows workstations.
By October 2023, DarkGate had resurfaced, this time operated by threat actors based in Vietnam. Their latest campaign focused on infiltrating Meta accounts, particularly in India, the United States and the United Kingdom.
Fortunately, the timely intervention of AT&T’s MDR SOC team thwarted the attack before any significant damage could occur, highlighting the critical importance of proactive cybersecurity measures in today’s digital landscape.
Key to the investigation was the identification of suspicious activities within the Microsoft Teams environment. Over 1,000 Microsoft Teams events were flagged, indicating the scope and scale of the phishing attempt. By leveraging Microsoft 365 tenant IDs and meticulously tracing chat interactions, the MDR SOC team successfully pinpointed compromised accounts and assets for remediation.
Further examination revealed that some users had unwittingly downloaded double-extension files (a file name that shows a document extension followed by an executable one), a common tactic attackers use to conceal malicious executables. Armed with this information, the organisation swiftly took action, initiating password resets and isolating infected assets to contain the threat.
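To show what the double-extension check above looks like in practice, here is an added example (not code from AT&T or the MDR team) that flags such file names in a constructed, pipe-delimited set of file-download events; the event format, the user names and the file names are all invented for illustration.

```python
import re
from typing import List, Tuple

# Extensions associated with code execution on a Windows workstation.
EXECUTABLE_EXT = {"exe", "msi", "scr", "bat", "cmd", "js", "jse", "vbs", "vbe",
                  "wsf", "hta", "lnk", "ps1", "com", "pif"}
# Document and image extensions commonly used as the visible decoy part of the name.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
             "jpg", "jpeg", "png", "gif", "csv", "htm", "html"}
# Legitimate compound suffixes that must not trigger the rule.
BENIGN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz"), ("min", "js"), ("d", "ts")}


def is_double_extension_lure(filename: str) -> bool:
    """Return True when a file name ends in an executable extension that is
    preceded by a decoy document extension, e.g. "notes.pdf.msi"."""
    basename = re.split(r"[\\/]", filename)[-1].lower()   # strip any path, ignore case
    parts = basename.split(".")
    if len(parts) < 3:                      # need <name>.<decoy>.<executable>
        return False
    inner, outer = parts[-2], parts[-1]
    if (inner, outer) in BENIGN_COMPOUND:
        return False
    return outer in EXECUTABLE_EXT and inner in DECOY_EXT


def flag_downloads(event_lines: str) -> List[Tuple[str, str]]:
    """Parse hypothetical 'time|user|source|filename' events and return the
    (user, filename) pairs that deserve triage."""
    hits = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        _time, user, _source, filename = line.split("|", 3)
        if is_double_extension_lure(filename):
            hits.append((user, filename))
    return hits


# Constructed sample events; every value here is invented.
SAMPLE_EVENTS = """\
2024-01-30T14:02:11Z|alice@corp.example|teams-chat|Meeting_Notes_2024.pdf.msi
2024-01-30T14:05:40Z|bob@corp.example|teams-chat|Q4_report.xlsx
2024-01-30T14:07:02Z|carol@corp.example|sharepoint|nightly_backup.tar.gz
2024-01-30T14:09:55Z|dave@corp.example|teams-chat|C:\\Users\\dave\\Downloads\\invoice.PDF.exe
"""

if __name__ == "__main__":
    for user, name in flag_downloads(SAMPLE_EVENTS):
        print(f"TRIAGE {user}: {name}")
```

The same check can be applied to attachment names in mail or endpoint telemetry; the benign-compound list is where a real deployment will need tuning.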
As organisations increasingly rely on collaboration platforms like Microsoft Teams for remote work and communication, it is imperative that they remain vigilant against emerging threats. Recommendations from AT&T Cybersecurity include considering disabling External Access in Microsoft Teams unless it is essential for business operations, and reinforcing user training to recognise and report phishing attempts across all communication channels.
In conclusion, this incident serves as a stark reminder of the ever-evolving nature of cyber threats and the importance of staying one step ahead in the ongoing battle against cyber adversaries.