Emerging Threat Review: Storm-0324 & Sangria Tempest 


The newest set of tactics, techniques, and procedures (TTPs) from Storm-0324, also tracked as DEV-0324, shows the group using Microsoft Teams to deliver malware through phishing messages and attachments. Because Teams messages land directly inside corporate networks, this evolution raises concerns for companies that rely on Microsoft Teams for day-to-day communication.

Analysis: 
The ransomware threat actor most likely uses TeamsPhisher, a publicly available Python-based tool, to conduct these attacks. With the tool, Storm-0324 can send files and links to users in external Teams tenants, bypassing the controls that would normally stop internal users from receiving messages from external sources.

[Figures: sender’s view and attached file, GitHub 2024]

The actor typically starts the infection chain with emails containing carefully crafted invoices or other payment-themed attachments designed to catch the victim’s eye. When the user clicks the attachment, they are taken to a SharePoint-hosted archive file that contains embedded JavaScript code set to execute when the archive is opened. Common Vulnerabilities and Exposures (CVEs) such as CVE-2023-21715 are also used, allowing Storm-0324 to bypass further security controls.

Once the JavaScript code executes, a JSSLoader variant DLL is dropped on the victim’s system, at which point Storm-0324 hands the rest of the infection chain to another threat actor, Sangria Tempest, who delivers follow-on malware such as ransomware. It is important to note that in some cases the threat actors use passwords and fake security features to make the lure look legitimate and convince victims that the content is genuine.

TeamsPhisher was created by a U.S. Navy red team member last year to raise awareness of this weakness so that it would be resolved. Microsoft acknowledged the issue but determined it did not meet the criteria for immediate fixing. However, Microsoft has since implemented several mitigations to reduce the risk, such as enhancing the “Accept/Block” feature, suspending fraudulent accounts, and improving notifications when new domains are created within tenants.

Mitigation Techniques:  
It is crucial to know how to defend against phishing attacks, whether you use Microsoft Teams or another platform, because this type of cyberattack is becoming more common over time. For this particular attack, carried out by both threat actors mentioned above, follow the recommendations below to protect your systems:

  • Educate employees on what phishing attacks are and how to avoid becoming a victim.
  • Enable phishing-resistant authentication by applying conditional-access policies to mission-critical systems.
  • Never click a link or open an attachment in a Microsoft Teams message from an unfamiliar sender that Teams labels as an ‘external source’.

Microsoft also provides several tools to help protect against phishing attacks, such as Microsoft Defender for Office 365, which checks the validity of sender addresses and links. Make use of these tools to keep your networks safe.
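Because TeamsPhisher relies on external tenants being able to message your users, the tenant-level external access settings are the control a Teams administrator can tighten directly. The following is an added example, not part of the original post or of any Microsoft guidance quoted here; it assumes the MicrosoftTeams PowerShell module, Teams administrator rights, and that the partner domain names are placeholders you replace with tenants you actually trust.

```powershell
# Added example: compare the weak (open) federation posture with a
# hardened one that only allows named partner tenants and blocks
# personal (consumer) Teams accounts. Assumes the MicrosoftTeams module.
Connect-MicrosoftTeams

# Weak posture: federation open to every Microsoft 365 tenant and to
# consumer accounts, so any external sender can reach your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains

# Hardened posture: federate only with an explicit allow list.
# Placeholder domains; replace with the partner tenants you trust.
$partners = New-Object 'System.Collections.Generic.List[String]'
$partners.Add('partner-a.example')
$partners.Add('partner-b.example')

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $partners `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# Verify: the allow list should now contain only the partner domains,
# and consumer access should report False.
(Get-CsTenantFederationConfiguration).AllowedDomains
(Get-CsTenantFederationConfiguration).AllowTeamsConsumer
```

Review the resulting allow list periodically, since a partner domain that is later compromised becomes a trusted path into your tenant.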