In this likely AI-generated phishing attack, cybercriminals impersonate Microsoft Teams and send the target a fraudulent notification. The email claims the recipient has an urgent message in Teams and prompts them to click the embedded link to view and reply. To increase the appearance of legitimacy, the email body features extensive impersonated Microsoft Teams branding. The threat actors also set the sender display name to “Internal Alerts” and incorporated the phrase “teams-secure” into the sender email address. However, should the recipient click the button labeled “REPLY in Teams”, they will be redirected to a phishing site designed to steal sensitive information.


Legacy email security tools struggle to accurately identify this email as an attack because it originates from an unknown sender, does not include attachments, and contains legitimate links. Modern, AI-powered email security solutions correctly identify the email as an attack because they recognize that the sender domain does not match any domains found in body links, detect links to suspicious domains, and flag that the sender domain was recently created.

To avoid falling victim to these scams, recipients should verify unexpected Microsoft Teams invitations by checking their Teams application directly, rather than clicking on email links. Organizations should also educate employees on phishing tactics and implement advanced security solutions to detect and block sophisticated email threats.

Phishing attack disguised as Microsoft Teams notification, with multiple buttons linked to malicious sites to increase opportunities to engage

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Unknown Sender: The email comes from a sender the recipient's email system has not interacted with before. Legacy security tools often struggle to assess the risk of new senders accurately.
  • Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
  • Legitimate Links Included: The email includes links associated with recognizable domains, which can pass basic link verification checks because of their legitimate structure.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
  • Newly Created Domain: The identification of the newly created domain triggers Abnormal’s systems to scrutinize and flag the email for potential malicious activities, as this tactic is commonly used in phishing attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
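The sketch below is an added example, not Abnormal's detection logic: it applies two of the indicators listed above (sender domain absent from body links, newly registered sender domain) plus the brand keyword in the sender address noted in the description. The message, domains, registration date and the `REGISTERED` lookup are constructed assumptions standing in for real mail and a WHOIS/RDAP feed.

```python
# Added illustration: heuristic checks for indicators described on this page.
# All addresses, domains and dates below are constructed sample data.
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: Internal Alerts <notify@teams-secure.example>
To: user@corp.example
Subject: You have an urgent message in Teams
Content-Type: text/html

<p>You have a new message.</p>
<a href="https://login.portal-verify.example/view">REPLY in Teams</a>
<a href="https://www.microsoft.com/microsoft-teams">Microsoft Teams</a>
"""

# Assumption: registration dates come from a WHOIS/RDAP feed; hard-coded here.
REGISTERED = {"teams-secure.example": date(2025, 2, 27)}

def base_domain(host):
    # Naive last-two-labels reduction; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def score_email(raw, today, max_age_days=30, brand="teams", brand_domain="microsoft.com"):
    msg = message_from_string(raw)
    _, addr = parseaddr(msg["From"])
    sender = base_domain(addr.rpartition("@")[2])
    hrefs = re.findall(r'href="([^"]+)"', msg.get_payload())
    link_domains = {base_domain(urlparse(h).hostname or "") for h in hrefs}
    findings = []
    # Indicator 1: the sender's domain appears in none of the body links.
    if sender not in link_domains:
        findings.append("sender_domain_not_in_links")
    # Indicator 2: the sender's domain was registered very recently.
    reg = REGISTERED.get(sender)
    if reg and (today - reg).days <= max_age_days:
        findings.append("sender_domain_newly_registered")
    # Indicator 3: brand keyword in an address that is not on the brand's domain.
    if brand in addr.lower() and sender != brand_domain:
        findings.append("brand_keyword_in_non_brand_sender")
    return {"sender": sender, "links": sorted(link_domains), "findings": findings}

if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL, today=date(2025, 3, 4)))
```

Each finding on its own is weak evidence; legitimate bulk senders routinely link to domains other than their own, so findings like these are better combined into a score than used as individual block rules.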

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Maliciously Registered Domain, Masked Phishing Link
  • Theme: Secure Message, Fake Invitation
  • Impersonated Party: Brand
  • Impersonated Brands: Microsoft Teams
  • AI Generated: Likely
