Even with email-based phishing attacks proving to be more successful than ever, cyberattackers are ramping up their efforts to target employees on additional platforms, such as Microsoft Teams and Slack.
One advantage is that in those applications, most employees still assume that they’re actually talking to their boss or coworker when they receive a message.
“The scary part is that we trust these programs implicitly — unlike our email inboxes, where we’ve learned to be suspicious of messages where we don’t recognize the sender’s address,” said Armen Najarian, chief identity officer at anti-fraud technology firm Outseer.
Notably, traditional phishing has seen no slowdown: Proofpoint reported that 83% of organizations experienced a successful email-based phishing attack in 2021 — a massive jump from 57% in 2020. And outside of email, SMS attacks (smishing) and voice-based attacks (vishing) both grew in 2021, as well, according to the email security vendor.
However, it appears that attackers now view widely used collaboration platforms, such as Microsoft Teams and Slack, as another growing opportunity for targeting workers, security researchers and executives say. For some threat actors, it’s also a chance to leverage the additional capabilities of collaboration apps as part of the trickery.
Sophisticated Teams attacks
Patrick Harr, CEO of phishing protection vendor SlashNext, told VentureBeat that a highly sophisticated phishing attack recently struck a customer on Microsoft Teams.
It happened, Harr said, while the CEO of the customer company was traveling to China. Posing as the CEO, an attacker sent a WhatsApp message to several of the company’s employees, asking them to join a Teams meeting.
Once in the meeting, the employees saw a video feed of the CEO, which they didn’t realize had been scraped from a past TV interview. As part of the trick, the attackers had added a fake background to the video to make it appear the CEO was in China, Harr said.
But since there was no audio, the “CEO” said that there “must be a bad connection” — and then dropped a SharePoint link into the chat.
Posing as the CEO, the attacker told the employees that “‘since I can’t can’t make this work, send me the information on this SharePoint link,’” Harr said.
An employee did end up clicking on the malicious SharePoint link — but they were blocked from accessing the page.
Ultimately, the incident demonstrates that “these bad actors are nesting themselves in legitimate services,” Harr said. “They’re getting very creative. They’re staying ahead of the curve.”
A big target
Microsoft Teams is massively widespread in the enterprise, with 270 million monthly active users, and that’s led attackers to take notice.
Threat actors have spotted a few of other things about Teams, too: If you can acquire an account’s Microsoft Office 365 password, that can potentially get you into Teams as well. And while more workers may be savvy about email phishing techniques at this point, they’re less likely to be suspicious about a Teams message, according to researchers.
Attackers are seizing the opportunity: In January, email security platform Avanan saw thousands of attacks involving malware dropped into Teams conversations, researchers at the Check Point-owned organization reported.
By attaching a malicious executable file in a Microsoft Teams conversation, “hackers have found a new way to easily target millions of users,” the Avanan researchers wrote in a blog post. When clicked, the .exe file installs a Trojan on a user’s Windows PC, and the Trojan then installs malware.
The attacks are having success because with Microsoft Teams, unlike with email, “end-users have an inherent trust of the platform,” the researchers wrote.
Ultimately, the incidents reported by Avanan show that “hackers are beginning to understand and better utilize Teams as a potential attack vector,” the researchers said.
In other words, as they are known to do, cyberattackers are evolving once again.
‘The new BEC’
Referring to the Microsoft Teams attacks cited by Avanan, “this is the new business email compromise / legitimate service abuse,” said Sean Gallagher, a senior threat researcher at Sophos Labs, in a tweet. “It follows the trend we’ve seen with Slack and Discord.”
Business email compromise (BEC) describes a type of phishing attack in which an attacker targets a certain individual in a company, and attempts to persuade the individual to perform a wire transfer of funds to their account.
BEC attacks “are not losing their effectiveness,” Gallagher said in an email to VentureBeat. Indeed, 77% of organizations faced business email compromise attacks last year, up from 65% in 2020, according to Proofpoint data.
But with the arrival of BEC-like attacks on collaboration platforms such as Microsoft Teams, “malicious actors are expanding their attack surface and finding new ways to get a foothold into organizations,” Gallagher said.
“As more businesses move toward the cloud and software-as-a-service [SaaS] models, legitimate hosted services – like Microsoft Teams and Slack – will be an attractive avenue for attackers,” Gallagher said.
Najarian agreed that BEC attacks “are still very effective for criminal hacker groups.”
“But expanding their tactics into Microsoft Teams, Slack, Discord and other chat apps presents another revenue driver for them,” Najarian said in an email.
Notably, the types of Microsoft Teams attacks reported by SlashNext and Avanan involve a combination of social engineering and credential harvesting.
“If malicious actors secure credentials and can access a Microsoft 365 environment in the cloud, they can act as a trusted team member,” Gallagher said. “As such, victims assume the files and links shared in the legitimate service are trusted, since they do not display the tell-tale signs of a malicious URL once uploaded or shared in the trusted environment.”
Adversaries can “get into all sorts of places in the enterprise that they otherwise wouldn’t be able to access without compromising the network,” he said.
All in all, legitimate service abuse is an emerging vector for malicious actors to target the enterprise, he said — and it will only continue to grow “as the enterprise becomes more detached from traditional infrastructure.”