Microsoft warns of a new phishing campaign targeting businesses via Teams messages
A dangerous phishing attack threatens businesses via Microsoft Teams: here's what IT professionals need to know
Microsoft is warning of a new phishing campaign run by an initial access broker that uses Teams messages as bait to infiltrate corporate networks. The tech giant's Threat Intelligence team is tracking the cluster under the name Storm-0324, also known as TA543 and Sagrid. “As of July 2023, Storm-0324 has been observed delivering payloads using an open source tool to send phishing lures via Microsoft Teams chat,” the company said, adding that this marks a shift away from the group's earlier email-based initial infection vectors. Storm-0324 operates in the cybercriminal economy as a payload distributor, offering a service that propagates a range of payloads through evasive infection chains, including downloaders, banking trojans, ransomware and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab and JSSLoader.
Phishing campaign
The actor's attack sequences have in the past used emails with fake invoice and payment themes to trick users into downloading ZIP files hosted on SharePoint that deliver JSSLoader, a malware loader capable of profiling infected machines and loading additional payloads. “The actor's email is highly evasive, using traffic distribution systems (TDS) such as BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic,” Microsoft said. “This filtering capability allows attackers to evade detection by certain IP address ranges that could be security solutions, such as malware sandboxes, while successfully redirecting victims to their malicious download site.”
Security updates
The access gained by the malware paves the way for the ransomware-as-a-service (RaaS) actor Sangria Tempest (also known as Carbon Spider, ELBRUS, and FIN7) to conduct post-exploitation actions and install file-encrypting malware. The modus operandi was revamped in July 2023: phishing lures are now sent via Teams, with malicious links leading to a malicious ZIP file hosted on SharePoint. This is achieved by leveraging an open source tool called TeamsPhisher, which lets a user in one Teams tenant attach files to messages sent to external tenants, taking advantage of an issue first highlighted by JUMPSEC in June 2023.
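The lure pattern described above, a sender from an external tenant pointing at a ZIP archive hosted on SharePoint, is simple enough to triage from chat records. The script below is an added example written for this article, not code from Microsoft or from any of the tools mentioned; the message records, the organisation's domains (`contoso.example`, `contoso.sharepoint.com`) and the record field names are constructed assumptions, not a real Teams export schema.

```python
"""Triage Teams chat messages for the lure pattern described above: a sender
outside the organisation's tenant linking to a ZIP archive hosted on SharePoint.
The message records and the organisation's domains below are constructed for
this example; the record fields are an assumption, not a real Teams export schema."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse, unquote

# Assumed: domains the organisation owns, and the SharePoint host of its own tenant.
INTERNAL_DOMAINS = {"contoso.example"}
OWN_SHAREPOINT_HOSTS = {"contoso.sharepoint.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


@dataclass
class Finding:
    message_id: str
    sender: str
    url: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # External sender + ZIP hosted on a SharePoint site we do not own is the full pattern.
        if {"external_sender", "zip_link", "foreign_sharepoint"} <= set(self.reasons):
            return "high"
        if "external_sender" in self.reasons and "zip_link" in self.reasons:
            return "medium"
        return "low"


def sender_is_external(sender: str) -> bool:
    """True when the sender's domain is not one the organisation owns."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def classify_link(url: str) -> list:
    """Return the signals a single URL carries (host ownership, ZIP download)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path).lower()  # decode %20 etc. before checking the suffix
    reasons = []
    if host == "sharepoint.com" or host.endswith(".sharepoint.com"):
        # A SharePoint host outside our tenant means someone else is hosting the file.
        reasons.append("own_sharepoint" if host in OWN_SHAREPOINT_HOSTS else "foreign_sharepoint")
    if path.endswith(".zip"):
        reasons.append("zip_link")
    return reasons


def triage(messages: list) -> list:
    """Return one Finding per URL from an external sender that is worth an analyst's attention."""
    findings = []
    for msg in messages:
        base = ["external_sender"] if sender_is_external(msg["sender"]) else []
        for url in URL_RE.findall(msg["body"]):
            reasons = base + classify_link(url)
            if "external_sender" in reasons and (
                "zip_link" in reasons or "foreign_sharepoint" in reasons
            ):
                findings.append(Finding(msg["id"], msg["sender"], url, reasons))
    return findings


# Constructed sample chat records (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "accounts@vendor-invoices.example",
     "body": "Overdue invoice attached: https://vendor-invoices.sharepoint.com/sites/pay/Shared%20Documents/Invoice_4471.ZIP?download=1"},
    {"id": "m2", "sender": "alice@contoso.example",
     "body": "Q3 deck https://contoso.sharepoint.com/sites/sales/Shared%20Documents/q3.pptx"},
    {"id": "m3", "sender": "bob@partner.example",
     "body": "Notes here https://partner.example/docs/notes.pdf and https://contoso.sharepoint.com/sites/x/archive.zip"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f.severity, f.message_id, f.sender, f.url, ",".join(f.reasons))
```

On the constructed sample, the invoice-themed message from an external domain linking to a ZIP on a foreign SharePoint tenant is rated high, while an external partner linking to a ZIP on the organisation's own SharePoint is rated medium. Share links that hide the file name in an opaque token will not match the `.zip` path check; the foreign-tenant signal still applies to them, which is why it is scored separately.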
Microsoft interventions
The company said it has made several security improvements to combat the threat and has "suspended identified accounts and tenants associated with inauthentic or fraudulent behavior." “Because Storm-0324 transfers access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous subsequent attacks such as ransomware,” Microsoft further emphasized.
09/13/2023 09:52
Marco Verro