
Microsoft Teams Phishing Attacks: What to Know and What to Do

Impersonation attacks

COMMENTARY: As more businesses began shifting to remote work during the COVID-19 pandemic in 2020, Microsoft Teams started gaining significant popularity.

More than ever before, employees were utilizing the collaboration app as a means to communicate with their colleagues through chatting, video conferencing, and sharing files. Today, companies and employees all over the world continue to leverage this platform.

Unfortunately, as is the case with many forms of popular technology that reach large amounts of people, Teams is now being utilized by attackers looking to harvest sensitive information and data. Specifically, they are abusing Teams by sending out phishing messages.

Let’s take a look at how this is occurring and what your business can do to stay safe.

Phishy Techniques

Microsoft acknowledges that since April 2024, it has seen “a significant increase in Teams phishing attacks, which have led to endpoint-related incidents, particularly through the abuse of Remote Monitoring and Management (RMM) tools such as Quick Assist.”

Initially, according to Microsoft, the attacks “began with a spam flood, followed by the attacker impersonating the Help Desk on Teams. The attacker would contact the user via Teams, send a malicious link to start the RMM session, and deliver the harmful payload during the session. This would lead to hands-on keyboard activity, data exfiltration, and ultimately result in ransomware attacks.”

Over time, the typical attack method evolved so that attackers now directly reach out to users on Teams, impersonating the service desk. Once the user accepts the Teams invite, Microsoft states, “the attacker provides a SharePoint link containing malicious payloads, which could lead to critical security breaches.”

Additionally, attackers are also “persuading users to install remote access software like AnyDesk and TeamViewer or convincing them to initiate connections via Microsoft’s Quick Assist, which is installed by default in the Windows Operating System.”

How to Not Take the Bait

Phishing attacks in Microsoft Teams can have serious consequences, including data breaches, financial loss, and reputational damage.

However, by implementing strong security measures and educating employees, organizations can significantly reduce the risk of falling victim to these types of attacks.

Here are several steps you can take to protect your organization:

1. User Awareness and Training

The first line of defense against phishing attacks is user awareness. Conduct regular training sessions to educate employees about how phishing works and the signs of suspicious activity.

2. Enable Multi-Factor Authentication (MFA)

Even if attackers manage to obtain a user’s login credentials through a phishing attack, they won’t be able to access the account without the second layer of authentication provided by MFA. Multi-factor authentication is one of the most effective ways to protect user accounts from unauthorized access.

3. Implement Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers anti-phishing features that can help detect and block phishing attempts within Teams, email, and other Microsoft 365 services. It helps protect against malware, unsafe attachments, and malicious links.

4. Limit External Access and File Sharing

Phishing attempts often originate from external sources, so limiting file sharing and external collaboration within Teams can help reduce the risk. Set up policies to restrict the ability of users to share files with external users, especially those that contain sensitive or confidential information.

5. Monitor Teams Activity and Use Conditional Access Policies

Regularly monitor activity within Microsoft Teams to detect unusual behavior that could indicate a phishing attack, such as unauthorized logins or new external contacts being added. You can also implement Conditional Access policies to restrict access based on certain conditions, like location or device health. Additionally, restrict external Teams messaging so that only specific approved organizations, or no external organizations at all, can message internal employees.
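To make steps 4 and 5 concrete, here is an added example (not code from the column or from Microsoft) that triages Teams chat-creation audit records against a federation allowlist and flags external senders using help-desk-style display names, the impersonation pattern described above. The records, field names, domains and name patterns are constructed assumptions for this example, not a real tenant export.

```python
import re

# Constructed sample records, loosely modelled on the Microsoft 365 unified audit
# log "ChatCreated" operation for Teams. Field names and values are assumptions
# made for this example, not copied from a real tenant export.
SAMPLE_AUDIT_RECORDS = [
    {"ChatThreadId": "19:chat-internal", "CommunicationType": "OneOnOne",
     "ParticipantInfo": {"HasForeignTenantUsers": False,
                         "ParticipatingDomains": ["corp.example"]},
     "Members": [{"DisplayName": "Dana Ruiz", "Domain": "corp.example"},
                 {"DisplayName": "Help Desk", "Domain": "corp.example"}]},
    {"ChatThreadId": "19:chat-partner", "CommunicationType": "OneOnOne",
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingDomains": ["corp.example", "partner.example"]},
     "Members": [{"DisplayName": "Dana Ruiz", "Domain": "corp.example"},
                 {"DisplayName": "Sam Lee", "Domain": "partner.example"}]},
    {"ChatThreadId": "19:chat-suspicious", "CommunicationType": "OneOnOne",
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingDomains": ["corp.example", "unknown-tenant.example"]},
     "Members": [{"DisplayName": "Dana Ruiz", "Domain": "corp.example"},
                 {"DisplayName": "IT Help Desk", "Domain": "unknown-tenant.example"}]},
]

TENANT_DOMAINS = {"corp.example"}               # assumed: this tenant's own domains
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}  # assumed: approved federation partners
SUPPORT_LOOKALIKE = re.compile(r"help\s*desk|service\s*desk|it\s*support", re.I)


def assess_chat(record, tenant_domains=TENANT_DOMAINS, allowed=ALLOWED_EXTERNAL_DOMAINS):
    """Return the reasons a ChatCreated record deserves review (empty list = clean)."""
    reasons = []
    info = record.get("ParticipantInfo", {})
    if not info.get("HasForeignTenantUsers"):
        return reasons  # purely internal chat: an internal "Help Desk" is expected
    external = [d for d in info.get("ParticipatingDomains", []) if d not in tenant_domains]
    unapproved = [d for d in external if d not in allowed]
    if unapproved:
        reasons.append("external domain not on federation allowlist: " + ", ".join(unapproved))
    for member in record.get("Members", []):
        name = member.get("DisplayName", "")
        if member.get("Domain") in external and SUPPORT_LOOKALIKE.search(name):
            reasons.append(f"external participant uses a support-style name: {name!r}")
    if reasons and record.get("CommunicationType") == "OneOnOne":
        reasons.append("one-on-one chat opened with an outside tenant")
    return reasons


def triage(records):
    """Map each suspicious chat thread id to its reasons, skipping clean chats."""
    return {r["ChatThreadId"]: assess_chat(r) for r in records if assess_chat(r)}
```

The partner chat passes because its domain is on the allowlist, while the chat from the unknown tenant is flagged for both the unapproved domain and the support-style display name.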

Stay Vigilant to Stay Afloat

Phishing attacks in Microsoft Teams represent a growing threat to organizations. However, there are steps you can take to ensure that your company will stay afloat. With the right combination of user training, security tools, and proactive monitoring, organizations can defend against these attacks and safeguard their sensitive information.

Also, by fostering a security-conscious culture, enforcing strong authentication methods, and leveraging Microsoft’s built-in security features, businesses can significantly reduce their vulnerability to phishing attacks in Teams. The more vigilant your organization is, the less likely it is to fall victim to these increasingly sophisticated threats.

MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to MSSPAlert.perspectives@cyberriskalliance.com.

Jon-Michael Lacek

Jon-Michael Lacek is the chief technology officer at Brite, a top 250 managed security service provider, as recognized by MSSP Alert. With a passion for cybersecurity, Jon-Michael has spent the majority of his 20-year IT career focused on building and maturing the cybersecurity culture in each of the roles he has held throughout that time.
