Microsoft has recently brought attention to a highly-sophisticated and targeted phishing campaign conducted by a notorious threat actor group known as Storm-0324. This group has proven to be relentless in its pursuit of infiltrating corporate networks and has now set its sights on exploiting vulnerabilities within Microsoft Teams.
Microsoft's alert on Storm-0324
Microsoft's Threat Intelligence team has been closely monitoring Storm-0324, also known as TA543 and Sagrid, a financially motivated threat group with a history of deploying ransomware such as Sage and GandCrab.
What is particularly alarming is Storm-0324's collaboration with the notorious FIN7 cybercrime gang, which is involved in deploying Clop ransomware and has been linked to previous ransomware operations such as Maze and REvil.
However, Microsoft detected a shift in Storm-0324's tactics earlier this year. Microsoft's Threat Intelligence team said:
"In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher. TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. These Teams-based phishing lures by threat actors are identified by the Teams platform as 'EXTERNAL' users if external access is enabled in the organization."
Microsoft has taken the threat seriously and rolled out several enhancements to protect Teams users. These measures include improved recognition of external users, restrictions on domain creation, and notifications to tenant admins.
Mika Aalto, Co-Founder and CEO at Hoxhunt, discussed the adaptability of cybercriminals and the need for dynamic security behavior training with SecureWorld News:
"Cybercriminals are changing their tactics and exploiting the popularity and trust of communication platforms like Teams and Slack to deliver ransomware and other malware. This particular phishing tool, TeamsPhisher, is publicly available on GitHub, and the cheaper and more available a phishing kit is, the more popular it will be with threat actors.
The rising threat of comms platform attacks highlights the importance of a dynamic security behavior change training program that stresses fast detection and response. New, sophisticated threats will always slip past filters, so it's up to the human layer to spot and eliminate these threats.
Make sure to equip your people with the skills and tools to recognize and easily report something phishy. And reward the savvy threat detectives for keeping everyone else safe. The static, old-school Security Awareness Training (SAT) model of passive e-learning is made for yesterday's attacks, but black hat tactics and technologies are constantly evolving, so users must be prepared for what's new."
Cybercriminals are displaying an unprecedented level of adaptability, making it imperative for organizations to stay ahead of the curve in defending their networks and sensitive data.
As Aalto aptly puts it, the dynamic nature of cyber threats demands a paradigm shift in security behavior training. Fast detection and response, coupled with a strong emphasis on recognizing and reporting suspicious activity, are crucial aspects of modern cybersecurity training.
Microsoft's response to the threat, including the recognition of "EXTERNAL" users and enhanced security measures, demonstrates the company's commitment to protecting its users. However, it also underscores the shared responsibility between technology providers and organizations to defend against evolving threats collaboratively.
Follow SecureWorld News for more stories related to cybersecurity.