Threat Intel · HIGH

Microsoft Teams Phishing Campaigns - Rapid7 Guidance Alert


Basically, hackers are pretending to be IT support on Teams to trick users into giving them access to their computers.

Quick Summary

Rapid7 has identified a rise in phishing campaigns using Microsoft Teams. Threat actors impersonate IT departments to trick users into granting remote access. This poses a serious risk to organizational security.

What Happened

The Rapid7 Managed Detection and Response (MDR) team has identified a concerning trend in phishing campaigns. These campaigns involve threat actors impersonating internal IT departments through Microsoft Teams. Their goal is to convince users to launch Quick Assist, which grants them remote access to deploy malware and exfiltrate data. This tactic highlights a critical vulnerability in how organizations manage external access to collaboration tools.

In these campaigns, the threat actors send spoofed chat requests that appear to be from legitimate internal aliases like "IT Support" or "System Admin." Once users accept the chat request, they are engaged under the guise of offering technical support or performing security updates. This method of social engineering takes advantage of the inherent trust users place in collaboration platforms, making it easier for attackers to exploit them.

Who's Being Targeted

These phishing attempts are indiscriminate, targeting multiple users within an organization simultaneously. The impersonation of IT support is particularly effective because it plays on the users' trust and urgency. Many employees may not question the legitimacy of a message from someone they believe to be their IT department, especially if it appears to address an urgent issue.

This tactic is especially dangerous as it can lead to widespread access across an organization’s network. Once a threat actor gains access to a single machine, they can deploy malware, exfiltrate sensitive information, or move laterally to other systems within the network.

Signs of Infection

Organizations must be vigilant for specific signs of these phishing attempts. Users should be trained to recognize the following hallmarks of Teams spoofing:

  • External tag: Legitimate internal IT support will never have an "external" tag next to their name.
  • Sense of urgency: Attackers often create a false sense of urgency, claiming there is a security breach or an expired password.
  • Out-of-band verification: Establish policies that require IT to never initiate support sessions without a pre-existing ticket number.

Recognizing these signs can help prevent successful phishing attempts and protect sensitive data from being compromised.

How to Protect Yourself

To mitigate the risks associated with these phishing campaigns, Rapid7 recommends several technical controls:

  • Harden Microsoft Teams settings: Limit external communications to only approved domains. Disable the ability for users to communicate with external Teams users unless necessary.
  • Implement automatic blocking of spoofed messages: Enable Spoof Intelligence within Microsoft 365 security settings to detect and block malicious senders.
  • Disable or harden Quick Assist: If not needed, consider removing or disabling Quick Assist to prevent unauthorized remote access.
  • Train staff: Regularly remind users to look for the external tag and to verify any unsolicited requests for support.
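The Teams hardening and Quick Assist controls listed above, written out as PowerShell; this is an added example, not code from the Rapid7 post. It assumes the MicrosoftTeams and ExchangeOnlineManagement modules with tenant admin rights, and the partner domain names are placeholders.

```powershell
# Added example (not from the Rapid7 post). Restricts Teams external chat to an
# allow-list of partner domains, blocks unmanaged/consumer accounts, keeps spoof
# intelligence on, and removes Quick Assist from endpoints that do not need it.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Placeholder partner domains; replace with the organisation's approved list.
$approvedDomains = @('partner-a.example', 'partner-b.example')

# Build an allow list: any domain not on it can no longer federate with the tenant.
$allowList = New-CsEdgeAllowList -AllowedDomain @(
    $approvedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
)
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# Block personal (unmanaged) Teams accounts and Skype consumer users, the usual
# source of spoofed "IT Support" / "System Admin" chat requests.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# Verify the resulting federation settings before closing the session.
Get-CsTenantFederationConfiguration |
    Select-Object AllowedDomains, AllowTeamsConsumer, AllowPublicUsers

# Spoof intelligence lives in the Defender for Office 365 anti-phish policy
# (Exchange Online PowerShell); make sure it is enabled on the default policy.
Connect-ExchangeOnline
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' -EnableSpoofIntelligence $true

# On each Windows endpoint where Quick Assist is not required (run elevated):
# remove the Store-delivered app for all users so the lure has nothing to launch.
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxPackage -AllUsers
```

Run the tenant-side commands once from an admin workstation and the endpoint-side removal through your existing device management tooling.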

By taking these proactive measures, organizations can significantly reduce their vulnerability to these types of phishing attacks and protect their networks from unauthorized access.

🔒 Pro insight: The use of collaboration tools for phishing reflects a shift in attacker tactics, necessitating enhanced user training and stricter access controls.

Original article from Rapid7 Blog · Brett Deroche
