Latest Microsoft Teams Phishing Scam and Emotet Trojan Campaigns

Researchers at Abnormal Security detected a new Office 365 phishing campaign that spoofs Microsoft Teams to trick users into visiting a malicious website whose phishing form harvests Office 365 login credentials.

Many organizations have adopted Microsoft Teams to keep remote employees in contact with the office. In healthcare, the platform is being used to deliver telehealth services, reducing the number of patients visiting medical care facilities and helping to limit the spread of COVID-19.

Microsoft noted for the quarter ending June 30, 2020 that more than 150 million students and teachers are now using Microsoft Teams. Over 1,800 companies each have more than 10,000 Teams users, and 69 companies have more than 100,000 Teams users. The healthcare industry also has a growing Microsoft Teams user base, with 46 million Teams meetings now held for telehealth purposes. This expanding usage is due to the pandemic, and it gives attackers an opportunity.

Based on figures from Abnormal Security, the fake Microsoft Teams emails in this latest campaign have been delivered to around 50,000 Office 365 users to date. The messages appear to come from a sender with the display name “There’s new activity in Teams,” so they look like automated notifications from Teams.

The messages tell users to sign in to Teams because the community is trying to contact them. The emails contain a sign-in button labeled “Reply in Teams.” The notices include a genuine-looking footer with Microsoft branding and options to install Microsoft Teams on Android and iOS.

The URL in the message takes the user to a login page that is a clone of the official Microsoft sign-in prompt, apart from the domain on which the page is hosted. That domain begins with “microsftteams” to make it look genuine.

This campaign is one of many targeting Office 365 credentials. Many campaigns are also aimed at video conferencing platforms as their popularity increases during the pandemic.
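The two tells described above, a notification-style display name on a non-Microsoft sender and a link host that is a near-miss of “microsoftteams”, can be checked at mail triage. The following is an added example, not code from Abnormal Security or Microsoft; the trusted-domain list, the edit-distance threshold, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = ("microsoft.com", "office.com", "microsoftonline.com")  # assumed allow-list
BRAND = "microsoftteams"  # brand string the lookalike imitates

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def lookalike_hosts(text):
    # Untrusted hosts with a label token within 2 edits of the brand (0 = brand on a foreign domain)
    hits = []
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = (urlparse(url).hostname or "").lower()
        tokens = re.split(r"[.-]", host)
        near = any(edit_distance(t, BRAND) <= 2 for t in tokens)
        if host and not is_trusted(host) and near and host not in hits:
            hits.append(host)
    return hits

def triage(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    return {
        "display_name_spoof": "teams" in name.lower() and not is_trusted(sender_host),
        "lookalike_hosts": lookalike_hosts(msg.get_payload()),
    }

# Constructed sample message modelled on the lure described above; all hosts are placeholders
SAMPLE = """From: "There's new activity in Teams" <notify@mailer.example>
Subject: New activity

Your community is trying to reach you.
Reply in Teams: https://microsftteams.phish.example/login
Get the app: https://www.microsoft.com/microsoft-teams/download-app
"""
print(triage(SAMPLE))
```

The genuine microsoft.com link in the footer is not flagged, which mirrors how the real lure mixes legitimate branding with a single malicious link.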

Emotet Trojan Campaign Employs Phony Microsoft Word Upgrade Notices

The Emotet Trojan is being distributed in a new campaign that uses bogus Microsoft Word upgrade notices as a lure to get users to install the malware. Emotet is currently the most widely distributed malware in use. When a user’s device is infected, it is added to a botnet that is used to infect other devices. Emotet is also a malware downloader and is used to install information stealers such as TrickBot and QBot, which in turn are used to deliver ransomware variants such as ProLock, Ryuk, and Conti.

The messages look like Microsoft Office notifications telling the user that they must upgrade Microsoft Word to add new features. The messages include a Microsoft Word file, and the user is instructed to click Enable Editing and then Enable Content. Doing so runs a malicious macro that installs Emotet on the user’s device.

Users must be careful and avoid clicking URLs or opening document attachments in unsolicited messages. Emotet uses the infected user’s email account to send further phishing emails, including to people in the user’s contact list.