
🎯Hackers are pretending to be helpdesk workers on Microsoft Teams to trick employees into giving them access to their computers. This lets them steal sensitive information without being noticed.
What Happened
Threat actors are increasingly exploiting Microsoft Teams' external collaboration features to impersonate IT helpdesk personnel. By initiating conversations through cross-tenant chats, they socially engineer employees into granting remote access, often using tools like Quick Assist. This technique allows attackers to blend into normal operations, making their activities harder to detect.
Multi-Stage Attack
Microsoft has identified a nine-stage attack chain that begins with the impersonation of IT staff. Attackers typically claim they need to address an account issue or perform a security update, convincing targets to start a remote support session. Once access is granted, attackers perform reconnaissance using Command Prompt and PowerShell to assess privileges and network reachability. Notably, within 30 to 120 seconds of gaining access, they execute rapid reconnaissance commands to check user privileges and gather host details, facilitating lateral movement across the network.
Advanced Techniques
The attackers employ sophisticated methods such as DLL side-loading, where they exploit the way Windows loads application support libraries. By placing malicious DLLs in the same paths as legitimate applications, they can execute their code without raising alarms. This behavior allows them to blend their malicious activities into routine IT operations, making detection significantly more challenging. Moreover, they utilize tools like Rclone to transfer sensitive data to external cloud storage, focusing on valuable information while minimizing transfer volume to evade detection. Microsoft notes that the HTTPS-based communication to the command-and-control (C2) established through these methods blends into normal outbound traffic, further complicating detection efforts.
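The side-loading pattern described above leaves a recognisable trace in module-load telemetry: a DLL resolved from a directory a standard user can write to, a DLL carrying the name of a Windows system library but living outside the system directories, or an unsigned DLL sitting next to its host executable in such a location. The following is an added example (not Microsoft's detection logic and not from the original article) that scores constructed module-load records against those three conditions; the record fields, the user-writable path markers and the short system-DLL name list are illustrative assumptions.

```python
"""Flag DLL loads that match the side-loading pattern: a library loaded from a
user-writable directory, or a library that carries the name of a Windows system
DLL but lives outside the system directories.

Added example over constructed module-load records; the record fields, the
directory markers and the DLL name list are illustrative assumptions, not a
Microsoft detection or a complete catalogue.
"""
import ntpath
from dataclasses import dataclass

# Path fragments indicating a location a standard user can write to (constructed list).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Well-known Windows DLL names that should only resolve to the system directories
# (deliberately short; a real allowlist would be generated from a clean build).
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}


@dataclass
class ModuleLoad:
    process_image: str   # full path of the executable that loaded the module
    module_path: str     # full path of the loaded DLL
    module_signed: bool  # whether the DLL carries a valid Authenticode signature


def _norm_dir(path: str) -> str:
    """Lower-case, backslash-normalised directory of a path, with trailing separator."""
    return ntpath.dirname(path.lower().replace("/", "\\")) + "\\"


def assess_module_load(ev: ModuleLoad) -> list[str]:
    """Return the reasons this load looks like side-loading (empty list if clean)."""
    mod_dir = _norm_dir(ev.module_path)
    img_dir = _norm_dir(ev.process_image)
    name = ntpath.basename(ev.module_path.lower())
    reasons = []

    in_user_writable = any(marker in mod_dir for marker in USER_WRITABLE_MARKERS)
    if in_user_writable:
        reasons.append("DLL loaded from a user-writable directory")

    if name in KNOWN_SYSTEM_DLLS and not mod_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"system DLL name {name} resolved outside the Windows system directories")

    # The classic pattern: the application and the DLL sit together in a directory
    # the user controls, and the DLL is not signed.
    if in_user_writable and mod_dir == img_dir and not ev.module_signed:
        reasons.append("unsigned DLL adjacent to its host executable in a user-writable directory")

    return reasons


def triage(loads: list[ModuleLoad]) -> dict[str, list[str]]:
    """Map each suspicious module path to its reasons; clean loads are omitted."""
    return {ev.module_path: hits for ev in loads if (hits := assess_module_load(ev))}


# Constructed sample telemetry: two clean loads and one side-loading pattern.
SAMPLE_LOADS = [
    ModuleLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\version.dll", True),
    ModuleLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\plugin.dll", True),
    ModuleLoad(r"C:\Users\alice\AppData\Local\Temp\Updater\app.exe",
               r"C:\Users\alice\AppData\Local\Temp\Updater\version.dll", False),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOADS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

In production the same three checks map directly onto the mitigations the article lists: a WDAC policy or ASR rule that blocks DLLs from user-writable locations prevents the first and third conditions from ever succeeding, and the second condition is what an image-load event feed (for example from an EDR) lets you alert on when a block is not yet in place.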
Who's Affected
Organizations utilizing Microsoft Teams for collaboration are at risk, particularly those that have not implemented stringent security measures for external communications. Employees who interact with external contacts without proper verification are the most vulnerable.
What Data Was Exposed
The attackers can exfiltrate sensitive business data, including credentials and proprietary information, using tools like Rclone to transfer files to external cloud storage. Because the transfer is selective and small in volume, it rarely stands out in bandwidth or DLP telemetry.
What You Should Do
To mitigate these risks, organizations should:
Do Now
1. Treat external Teams contacts as untrusted by default.
2. Restrict or closely monitor the use of remote assistance tools.
3. Limit Windows Remote Management (WinRM) usage to controlled systems.
4. Educate employees about the importance of scrutinizing external communications, especially those requesting remote access.
Do Next
5. Implement stronger governance over collaboration environments, ensuring that security measures are in place to monitor and control external interactions.
6. Enable Attack Surface Reduction (ASR) rules and Windows Defender Application Control (WDAC) to prevent DLL sideloading from user-writable locations.
7. Train employees to identify external tenant indicators in Teams and set up a verbal authentication phrase between helpdesk staff and end users.
Detection Challenges
Due to the reliance on legitimate tools and user-approved actions, detecting these attacks requires a focus on behavioral patterns rather than traditional malware indicators. Security teams should prioritize identifying sequences of activity that include unsolicited external Teams interactions followed by remote support activity and lateral movement.
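The sequence the article describes (an unsolicited cross-tenant Teams chat, a remote-assistance session for the same user shortly afterwards, and reconnaissance commands within the first couple of minutes of that session, matching the 30 to 120 second window noted in the Multi-Stage Attack section) is exactly the kind of behavioural chain that none of its individual steps would trigger on. The following is an added example (not the article's or Microsoft's detection content) that correlates constructed Teams and process events into that chain; the event schema, field names, command markers and time windows are assumptions chosen for illustration.

```python
"""Correlate collaboration and endpoint telemetry into the helpdesk-impersonation
chain: external Teams chat -> remote-assistance session -> rapid reconnaissance.

Added example; the event schema, field names, command markers and windows are
constructed for illustration and are not a vendor log format or rule.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Command fragments typical of immediate post-access reconnaissance (constructed list).
RECON_MARKERS = ("whoami", "net user", "net group", "net localgroup", "ipconfig",
                 "nltest", "systeminfo", "quser", "get-aduser", "get-netipaddress")
# Remote-assistance executables to treat as the "session start" signal.
REMOTE_ASSIST_TOOLS = ("quickassist.exe", "msra.exe")


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str              # "teams_chat" or "process"
    detail: str            # sender identity for teams_chat, command line for process
    external: bool = False # teams_chat only: sender belongs to another tenant


def is_remote_assist(cmdline: str) -> bool:
    return any(tool in cmdline.lower() for tool in REMOTE_ASSIST_TOOLS)


def is_recon(cmdline: str) -> bool:
    low = cmdline.lower()
    return any(marker in low for marker in RECON_MARKERS)


def find_helpdesk_impersonation(events, chat_to_session=timedelta(minutes=30),
                                recon_window=timedelta(seconds=120), min_recon=2):
    """Return one alert dict per external chat that is followed, for the same user,
    by a remote-assistance launch and at least `min_recon` reconnaissance commands
    inside `recon_window` of that launch."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, chat in enumerate(events):
        if chat.kind != "teams_chat" or not chat.external:
            continue
        for j in range(i + 1, len(events)):
            sess = events[j]
            if sess.ts - chat.ts > chat_to_session:
                break  # too late to be tied to this chat
            if sess.user != chat.user or sess.kind != "process" or not is_remote_assist(sess.detail):
                continue
            recon = [e for e in events[j + 1:]
                     if e.user == chat.user and e.kind == "process"
                     and e.ts - sess.ts <= recon_window and is_recon(e.detail)]
            if len(recon) >= min_recon:
                alerts.append({
                    "user": chat.user,
                    "external_sender": chat.detail,
                    "session_tool": sess.detail,
                    "recon_count": len(recon),
                    "seconds_to_first_recon": int((recon[0].ts - sess.ts).total_seconds()),
                })
            break  # evaluate only the first session after the chat
    return alerts


T0 = datetime(2024, 6, 3, 9, 0, 0)  # constructed timestamps

# Constructed sample telemetry: a benign internal support session and a suspicious chain.
SAMPLE_EVENTS = [
    # Benign: internal helpdesk contact, remote session, ordinary activity afterwards.
    Event(T0, "bob", "teams_chat", "helpdesk@corp.example", external=False),
    Event(T0 + timedelta(minutes=5), "bob", "process", "QuickAssist.exe"),
    Event(T0 + timedelta(minutes=6), "bob", "process", "notepad.exe"),
    # Suspicious: cross-tenant "IT support" chat, remote session, recon within 120 s.
    Event(T0 + timedelta(minutes=20), "alice", "teams_chat",
          "it-support@lookalike-tenant.example", external=True),
    Event(T0 + timedelta(minutes=23), "alice", "process", "QuickAssist.exe"),
    Event(T0 + timedelta(minutes=23, seconds=35), "alice", "process", "cmd.exe /c whoami /all"),
    Event(T0 + timedelta(minutes=23, seconds=50), "alice", "process", "cmd.exe /c net user"),
    Event(T0 + timedelta(minutes=24, seconds=40), "alice", "process",
          "powershell.exe -c Get-NetIPAddress"),
]

if __name__ == "__main__":
    for alert in find_helpdesk_impersonation(SAMPLE_EVENTS):
        print(alert)
```

The point of keying every stage on the same user rather than on the host is that the chat arrives on the user's Teams client while the session and commands show up in endpoint telemetry; joining on user identity is what lets the collaboration signal and the endpoint signal form a single detection. The time windows should be tuned to the environment, but the 120 second reconnaissance window is the one the article's own observation suggests.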
Recommendations
Microsoft emphasizes the need for integrated visibility across collaboration, identity, and endpoint security. Organizations should enforce conditional access and multi-factor authentication, and improve user awareness regarding legitimate IT support interactions. The use of Teams security warnings should also be highlighted to help users identify potential phishing attempts. Additionally, organizations should restrict Quick Assist and remote management tools to authorized IT roles only, and monitor for Rclone or similar data-sync tools in the environment.
As cyber threats evolve, organizations must enhance their security protocols around collaboration tools like Microsoft Teams to prevent exploitation through social engineering and legitimate applications.