Microsoft Teams phishing: Enterprises targeted by ransomware access broker

A threat actor known for providing ransomware gangs with initial access to enterprise systems has been phishing employees via Microsoft Teams.

“For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher,” Microsoft threat researchers noted.

About Storm-0324

Storm-0324 is a temporary name assigned by Microsoft to this particular threat actor and shows that the company has yet to reach high confidence about the origin or identity of the actor behind the operation.

What they do know is that Storm-0324 has been around for 8+ years, and has previously used exploit kit and email-based vectors to deliver a variety of malware payloads: banking trojans (Gootkit, Dridex), information-stealing malware (IcedID, Gozi), ransomware (Sage, GandCrab), and Trickbot.

Microsoft says that in July 2023 Storm-0324 started sending phishing lures over Teams containing links to a malicious SharePoint-hosted file, though it does not say what payload the file carried.

They also noted that this particular phishing campaign is not related to a similar one mounted by a Russian APT group.

Defend your enterprise against Microsoft Teams phishing and ransomware

“Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware,” the researchers warned, and provided protection advice and hunting queries for enterprise defenders.

Microsoft previously said that the Microsoft Teams vulnerability that allows these attacks “did not meet the bar for immediate servicing.”

But enterprise admins can take steps to minimize this threat, such as making it impossible for external tenants to contact their employees, or changing the security settings to only allow communication with certain allow-listed domains. (The latter won’t help if an external tenant that’s allowed to reach out has been compromised.)
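Both admin options above can be applied from Teams PowerShell. The following is an added example, not code from the article or from Microsoft’s write-up; it assumes the MicrosoftTeams module is installed, that you connect with a Teams admin account, and it uses `partner.example` as a placeholder for a domain you actually trust.

```powershell
# Added example: restrict which external tenants can reach your users over Teams.
# Assumes the MicrosoftTeams PowerShell module and a Teams admin account.
# "partner.example" is a placeholder; replace it with a domain you genuinely trust.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Record the current external-access posture before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer

# 2a. Strictest option: no external tenant can chat with or call your users.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Alternative: keep external access, but only for an explicit allow list.
#     Setting AllowedDomains to a list replaces the default "allow all";
#     any domain not on the list is blocked.
$pattern   = New-CsEdgeDomainPattern -Domain "partner.example"
$allowList = New-CsEdgeAllowList -AllowedDomain $pattern
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Unmanaged (consumer) Teams accounts are governed by a separate switch and
#    are not covered by the tenant allow list, so close that path as well.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# 4. Confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Choose either 2a or 2b, not both; the allow-list form still leaves you exposed if a listed partner tenant is itself compromised, so pair it with the Teams alerting and hunting queries Microsoft refers to.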

Microsoft also notes that it has rolled out several improvements to better defend against these threats.

Aside from suspending identified accounts and tenants associated with inauthentic or fraudulent behavior, they have also enhanced the Accept/Block experience in one-on-one chats within Teams, “to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders.”

Also, there are “new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant.”
