Phishing Attack Mimics Microsoft Teams Alert to Steal Sensitive Information
In this phishing attack, cybercriminals pose as an internal notification system and send targets a fake Microsoft Teams alert. After setting the display name to “TEAMS DIGEST”, the threat actor emails the targets claiming they have received an encrypted message on Microsoft Teams. The recipient is instructed to use the embedded link to access the message. However, should they click on the button labeled “Go On Teams”, they will be redirected to a malicious page designed to steal sensitive information, such as login credentials. By mimicking the format and tone of legitimate Microsoft Teams notifications, the attacker creates a false sense of urgency and trust, increasing the likelihood that the recipient will click the link without verifying its authenticity.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed address, uses legitimate-looking links in the message, and contains no attachments. Modern AI-powered email security solutions detect links to suspicious domains, flag that the message comes from an unknown sender, and recognize that the sending domain does not match the domain of any link in the message; taken together, these signals correctly identify the email as an attack.
To avoid falling victim to such scams, users should verify unusual notifications directly within Microsoft Teams or through official company channels rather than clicking on unsolicited email links. Organizations can further reduce risk by educating employees about phishing tactics and deploying advanced email security solutions capable of detecting these increasingly sophisticated attacks.
Phishing attack claiming to be notification of incoming message on Microsoft Teams
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks due to their legitimate structure.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal's platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
- Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
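The three indicators above (unknown sender, body links whose domain differs from the sending domain, and a brand name in the display name that the sender domain does not own) can be checked with a few lines of mail parsing. The example below is added here for illustration and is not Abnormal's code; the message, the sender history and the `.test` domains are constructed, and real deployments would use a public-suffix list rather than the last-two-labels shortcut used for the registered domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the attack described above (not a real capture).
SAMPLE_EMAIL = """\
From: "TEAMS DIGEST" <notify@example-notify.test>
To: user@corp.example
Subject: You have 1 encrypted message in Microsoft Teams
Content-Type: text/html

<html><body>
<p>You received an encrypted message on Microsoft Teams.</p>
<a href="https://docs.example-share.test/view?id=123">Go On Teams</a>
</body></html>
"""

# Constructed communication history: senders this mailbox has exchanged mail with before.
KNOWN_SENDERS = {"colleague@corp.example", "alerts@corp.example"}

def registered_domain(host):
    """Last two labels of a hostname; a real system would consult the public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def extract_link_domains(html):
    """Registered domains of every href in the HTML body."""
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.IGNORECASE)
    return {registered_domain(urlparse(h).hostname or "") for h in hrefs}

def score_message(raw, known_senders):
    """Evaluate the page's three indicators and flag when at least two fire."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg["From"])
    sender_domain = registered_domain(sender.split("@")[-1])
    body = msg.get_payload(decode=True).decode(errors="replace")
    link_domains = extract_link_domains(body)
    indicators = {
        # No prior interaction between this sender and the mailbox.
        "unknown_sender": sender.lower() not in known_senders,
        # Body links point at domains that do not match the sending domain.
        "link_domain_mismatch": bool(link_domains) and sender_domain not in link_domains,
        # Display name claims Teams/Microsoft but the sending domain is not Microsoft's.
        "brand_impersonation": bool(re.search(r"teams|microsoft", display_name, re.I))
        and not sender_domain.endswith("microsoft.com"),
    }
    return {"sender_domain": sender_domain, "link_domains": sorted(link_domains),
            "indicators": indicators, "flag": sum(indicators.values()) >= 2}

if __name__ == "__main__":
    print(score_message(SAMPLE_EMAIL, KNOWN_SENDERS))
```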
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.