Many online chat and video chat services are seeing increased use around the world during the coronavirus pandemic. One of those is Microsoft Teams, and with the significantly increased use of Teams come cybercriminals looking to take advantage of those using the service. A security research firm called Abnormal Security has announced that cybercriminals are running new phishing campaigns targeted at Teams users in an attempt to steal Microsoft account credentials.
Abnormal Security says that it has discovered a series of convincing emails that are designed to spoof notification messages from Microsoft Teams. One of the campaigns the security researchers describe uses a phishing email that includes a link to a document on a domain used by a legitimate email marketing company for hosting content for marketing campaigns. The linked document is an image that prompts users to sign in to their Microsoft Teams account.
Anyone clicking on the image is taken to a malicious page impersonating the Microsoft Office logon page with the intent of capturing the user's credentials. Another campaign the security researchers found redirects the user to a page hosted on YouTube. From there the user is redirected two more times before reaching a fake Microsoft page that attempts to steal login credentials.
Abnormal Security says that the attackers are using multiple URL redirects to conceal the actual URL and to evade the malicious link filtering used by email security products. The researchers say that the first campaign started on April 14 and lasted two days, but hasn't been seen since. The second campaign began on April 29 and lasted a few hours before disappearing. The phishing campaigns were sent to customers in the energy, retail, and hospitality industries but weren't targeted at any specific company or industry. Microsoft recently patched a flaw that could allow for Teams account takeover.
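The redirect evasion described above is the reason a link check should judge the final landing host of a followed redirect chain rather than the first URL in the email. The Python below is an added example, not code from Abnormal Security or the original article; the allowlist of sign-in hosts, the redirect threshold, and every sample URL are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts this organisation expects a Teams sign-in to land on.
EXPECTED_SIGNIN_HOSTS = {"login.microsoftonline.com", "teams.microsoft.com"}

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def assess_chain(hops, max_host_changes=1):
    """Assess a recorded redirect chain; hops[0] is the link in the email.

    The verdict uses the landing host, because the first hop is the only
    part of the chain the sender chose to show to the link filter.
    """
    if not hops:
        raise ValueError("redirect chain is empty")
    hosts = [host(u) for u in hops]
    # Count hops that move to a different host (same-host redirects are ignored).
    changes = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    flags = []
    if hosts[-1] not in EXPECTED_SIGNIN_HOSTS:
        flags.append("landing-host-not-expected")
    if changes > max_host_changes:  # threshold is an assumption
        flags.append("excessive-cross-host-redirects")
    return {"first": hosts[0], "landing": hosts[-1],
            "host_changes": changes, "flags": flags}

# Constructed sample chains, as a sandbox or URL-detonation log might record them.
CHAIN_MARKETING = [  # reputable content host first, credential page last
    "https://content.mailer.example/doc/teams-notice",
    "https://signin-portal.example/office/login",
]
CHAIN_VIDEO = [      # well-known video host first, then further redirects
    "https://www.youtube.com/placeholder",
    "https://hop.example/r",
    "https://office-login.example/signin",
]
CHAIN_LEGIT = [      # a chain that ends on an expected sign-in host
    "https://teams.microsoft.com/placeholder",
    "https://login.microsoftonline.com/placeholder",
]

if __name__ == "__main__":
    for name, chain in [("marketing", CHAIN_MARKETING),
                        ("video", CHAIN_VIDEO), ("legit", CHAIN_LEGIT)]:
        print(name, assess_chain(chain))
```

A filter that scored only `first` would pass the first two chains, since both start on a host with a good reputation.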