Microsoft Teams Impersonation Attacks
I. Targeted Industries
- General Businesses
- Government Agencies
- Financial Institutions
- General Public
- Higher Education
According to researchers, a convincing cyberattack that impersonates Microsoft Teams notifications to steal employees’ Office 365 credentials is making the rounds. Because Microsoft Teams accounts are linked to Microsoft Office 365 accounts, attackers who obtain these credentials can ultimately access a plethora of information in users’ Office 365 accounts. This news comes at a time when many organizations have recently transitioned from Zoom to alternative software, such as Microsoft Teams. Unfortunately, the Cybersecurity and Infrastructure Security Agency (CISA) “continue[s] to see instances where entities are not implementing best security practices regarding their O365 implementation, resulting in increased vulnerability to adversary attacks.”
III. Background Information
The Microsoft Teams impersonation attacks begin with an email notification that appears to come from the collaboration software tool. Once opened, it leads to a landing page that perfectly replicates legitimate notifications because the landing pages contain images copied directly from the Microsoft Teams platform. Additionally, researchers found that attackers are using various URL redirects to conceal the real URL of these landing pages. The redirects also help the links bypass the malicious-link detection built into email protection services.
Researchers found that the recent attacks targeted as many as 50,000 Microsoft Teams users and used slightly different techniques. In one attack, a notification email appears to contain a link to a document from an established marketing provider. It contains an image urging users to log in to their Microsoft Teams account. Once the image is clicked, the link leads to a compromised URL impersonating the Teams login page. In the other attack observed, users are redirected to a URL hosted on YouTube, which then redirects them until they reach the site impersonating the Microsoft Teams credentials page.
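The redirect concealment described above can be partly undone before a user ever clicks. The following is an added example, not code from the cited researchers or from CISA: it statically peels redirect targets embedded in query parameters and checks where the chain finally lands. The trusted-host list, the sample URLs and the `.example` hosts are constructed assumptions, and redirects issued server-side (HTTP 3xx) are not visible to this check.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts where a genuine Teams notification link should end up.
# Replace with the sign-in endpoints your tenant actually uses.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "teams.microsoft.com"}
MAX_HOPS = 10  # bound the walk so looping or absurdly deep nesting stops


def unwrap_redirects(url):
    """Return the chain of URLs found by peeling URL-valued query parameters."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        query = urlsplit(chain[-1]).query
        # parse_qsl percent-decodes once, exposing an encoded redirect target
        nested = [value for _, value in parse_qsl(query)
                  if value.lower().startswith(("http://", "https://"))]
        if not nested or nested[0] in chain:
            break
        chain.append(nested[0])
    return chain


def assess_link(url):
    """Assess a link taken from an email that claims to be a Teams notification."""
    chain = unwrap_redirects(url)
    hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
    return {
        "chain_hosts": hosts,
        "final_host": hosts[-1],
        "redirect_hops": len(chain) - 1,
        # The first hop may look harmless; only the final landing host counts.
        "suspicious": hosts[-1] not in TRUSTED_LOGIN_HOSTS,
    }


# Constructed samples. "video-site.example" stands in for a well-known site
# used as the first hop; the inner target is percent-encoded twice.
SAMPLE_PHISH = ("https://video-site.example/redirect?q="
                "https%3A%2F%2Fhop.example%2Fr%3Furl%3D"
                "https%253A%252F%252Fteams-login.example%252Fsignin")
SAMPLE_LEGIT = "https://teams.microsoft.com/l/message/constructed-id"

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(assess_link(sample))
```

A mail filter that scores only the first host in the chain would pass the constructed phishing sample, which is why the final landing host is the value compared against the trusted list.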
- Enable multi-factor authentication
Multi-factor authentication can help prevent threat actors from gaining access to sensitive information.
- Assign Administrator roles using Role-based Access Control (RBAC)
Always assign administrators the minimum permissions they require to conduct their tasks.
- Enable a Unified Audit Log (UAL)
Enabling the UAL allows administrators to investigate and search for actions within O365 that could be malicious or outside of organizational policy.
- Enable alerts for suspicious activity
CISA recommends enabling alerts for logins from suspicious locations and accounts exceeding sent email thresholds.
- Incorporate Microsoft Secure Score
Using Microsoft Secure Score will help provide organizations with a centralized dashboard for tracking and prioritizing security and compliance within O365.
Recommended Link: https://www.us-cert.gov/ncas/alerts/aa20-120a
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) “Abnormal Attack Stories: Microsoft Teams Impersonation.” Abnormal Security, May 5, 2020. https://abnormalsecurity.com/blog/abnormal-attack-stories-microsoft-teams-impersonation/.
(2) “Alert (AA20-120A).” Cybersecurity and Infrastructure Security Agency (CISA), April 29, 2020. https://www.us-cert.gov/ncas/alerts/aa20-120a.
(3) Cahill, Joel. “First Zoom, Now Microsoft Teams.” INFIMA Security Blog, May 7, 2020. https://infimasec.com/blog/first-zoom-now-microsoft-teams/?fbclid=IwAR1X4LqXeBE6k6ua9JjIw9JPly3NTKQH59XaEqacpDyiKjlKeI6ljVOPoPg.
(4) Seals, Tara. “Microsoft Teams Impersonation Attacks Flood Inboxes.” Threatpost, May 1, 2020. https://threatpost.com/microsoft-teams-impersonation-attacks/155404/.
(5) Vijayan, Jai. “Fake Microsoft Teams Emails Phish for Credentials.” Dark Reading, May 1, 2020. https://www.darkreading.com/cloud/fake-microsoft-teams-emails-phish-for-credentials/d/d-id/1337717.