CISA AA20-120A :: Microsoft Teams Phishing Attack

Microsoft Teams

Microsoft Teams provides collaboration services including chat, video conferencing, and file sharing. The goal of this attack is to phish for Microsoft Office 365 credentials.

Work-from-Home Workforce

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued Alert AA20-120A. The agency cites the rapid shift to a work-from-home workforce and the rush to adopt remote collaboration tools. Cyber Defense Contractors states, “It is the immediate need to bring these services online which has users and their organizations implementing tools without sound Cybersecurity practices and safeguards.”


Threatpost is reporting that as many as 50,000 accounts have been targeted.

Phishing & Message Hijacking

OODALOOP cites the attacker’s ability to hijack the messaging system in Microsoft Teams. The attack impersonates Teams notifications that encourage the victim to enter their credentials. Those credentials are then harvested through the fake notifications.

Mitigation

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) goes on to offer mitigation recommendations which include the following:

  1. Enable multi-factor authentication for administrator accounts.
  2. Assign Administrator roles using Role-based Access Control (RBAC).
  3. Enable Unified Audit Log (UAL).
  4. Enable multi-factor authentication for all users.
  5. Disable legacy protocol authentication when appropriate.
  6. Enable alerts for suspicious activity.
  7. Incorporate Microsoft Secure Score.
  8. Integrate Logs with your Existing SIEM tool.
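
Once sign-in logs reach a SIEM (items 3 and 8), the MFA and legacy-protocol recommendations (items 1, 4 and 5) can be checked against them and turned into alerts (item 6). The following Python is an added example, not code from CISA or from this page; the field names are modelled on Azure AD sign-in log fields, and the legacy-client set, the administrator roster and the sample records are assumptions constructed for illustration.

```python
# Added example (not from CISA or the page). Field names are modelled on
# Azure AD sign-in log fields and are assumptions; map them to your SIEM schema.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}  # assumed legacy set
RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample records, not real log data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "success": True},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "success": True},
    {"userPrincipalName": "Admin@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "success": True},
    {"userPrincipalName": "bob@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication", "success": True},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "POP3",
     "authenticationRequirement": "singleFactorAuthentication", "success": False},
]
ADMINS = {"admin@example.com"}  # hypothetical administrator roster


def triage(signins, admins):
    """Return (severity, user, issue) findings, most severe first."""
    admins = {a.lower() for a in admins}
    findings = set()  # a set collapses repeated sign-ins into one finding
    for rec in signins:
        if not rec["success"]:
            continue  # failed attempts belong to a separate brute-force alert
        user = rec["userPrincipalName"].lower()
        if rec["clientAppUsed"] in LEGACY_CLIENTS:
            issue, severity = "legacy-protocol sign-in", "high"
        elif rec["authenticationRequirement"] != "multiFactorAuthentication":
            issue, severity = "sign-in without MFA", "medium"
        else:
            continue
        if user in admins:
            severity = "critical"  # administrator accounts come first in the list
        findings.add((severity, user, issue))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for severity, user, issue in triage(SAMPLE_SIGNINS, ADMINS):
        print(f"{severity:8} {user:20} {issue}")
```
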

“The Agency stresses that one should enable multi-factor authentication for administrator accounts as the best technique to mitigate against this threat.”

Zoom

This report comes on the heels of the exploit of the Zoom collaboration tool.  Cyber Defense Contractors states, “It appears that adversaries are targeting essential collaboration tools during a time when the need and demand is very high.  The Pandemic has pushed our work-force to new, and isolated environments where the need for collaboration tools is ever more present.”

