Hackers Impersonate IT Help Desk on Microsoft Teams to Gain Access, Steal Data

News Room

Microsoft says hackers are ditching malware for social engineering on Teams by simply asking employees for access — and getting it.

A recent surge in impersonation scams has seen hackers posing as IT help desk staff to bypass security defenses. The attacks rely on real-time social engineering, with threat actors opening Teams chats that mimic legitimate IT support requests. Victims are urged either to approve access or to launch a remote management session, turning an ordinary, trusted conversation into a full network compromise.

Because these attacks use trusted tools, user-approved actions, and narrowly targeted data, they are significantly harder to detect than traditional malware-driven campaigns.

Why Microsoft Teams?

Email has long been the primary channel for launching cyberattacks, which has led to a mature set of protections around it. Over time, employees have also been trained to spot phishing emails.

Microsoft Teams, on the other hand, is often used for internal communications, increasing its overall trust among employees.

Those email security controls do not apply when a threat actor chooses Teams, and the conversation happens in real time. All the attacker needs to do is play the psychology game, which has always been effective in cyberattacks.

The nine steps to a full-blown breach

Microsoft observed that successful breaches carried out using this technique pass through nine stages.

Like every social engineering attack, it typically begins with a polite request aimed at lowering the victim’s suspicion. Microsoft cited "Microsoft Security Update", "Account Verification", and "Spam Filter Update" as the pretexts it observed, but the lures are not limited to those. Attackers may also use voice phishing, or vishing, to make the social engineering attempt more convincing.

The goal of the first stage is to gain access to the victim’s corporate network and devices, often by asking them to launch a remote support session via Quick Assist. Quick Assist is an app that lets someone view your screen or, if you allow them, have full remote control of your computer.

Upon getting access, the threat actor surveys the victim’s computer, checking privilege levels, network connectivity, potential for lateral movement, and system information. All of this is used to decide whether the victim is a worthwhile target.

If the victim is a fit, the attacker immediately drops small malicious payloads in trusted locations. Instead of executing these payloads directly, they have legitimate applications load them via DLL sideloading. That lets them evade behavior-based flagging while preparing for persistent access and eventual Command and Control (C2) communications.

With their malicious payloads running in plain sight, they modify the Windows registry so the payloads start again after a restart.

Once persistence has been established, the attacker initiates external communications with its C2 infrastructure over port 443 (HTTPS). Blending in with HTTPS traffic makes the communication look like normal web traffic, reducing the chance of detection.

Using the knowledge gained during reconnaissance, the attacker pivots laterally, targeting high-value assets within the victim’s domain. Observed attack chains also show attackers adding redundant persistence mechanisms so that their foothold survives if an earlier method is disrupted.

The final stage is data exfiltration from both local and laterally accessed sources. Since this is the stage where alarms are most likely to go off, attackers preserve stealth by targeting specific data types, keeping the volume of exfiltrated data small.
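No single stage above is conclusive on its own, but several of them landing on one host within a short window is a strong signal. The following is an added example, not Microsoft's or any product's detection logic: it correlates constructed endpoint log lines (the event names, log format and sample values are all assumptions) and flags hosts that pass through at least three stages of the chain within a few hours.

```python
# Correlate stages of the Teams/Quick Assist chain across constructed log lines.
# Event names and the one-line log format are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Log event type -> attack stage it evidences (assumed telemetry names).
STAGE_OF = {
    "quickassist_session": "remote_access",       # helpdesk lure accepted
    "dll_sideload": "payload",                    # trusted binary loads untrusted DLL
    "registry_run_key": "persistence",            # Run key modified
    "outbound_443_new_domain": "c2",              # HTTPS to a newly seen domain
    "winrm_session": "lateral_movement",          # pivot via WinRM
}

def parse(line):
    """'2024-05-01T10:00:00 host01 quickassist_session user=alice' -> fields."""
    ts, host, event, *rest = line.split()
    return datetime.fromisoformat(ts), host, event, " ".join(rest)

def correlate(lines, window_hours=4, min_stages=3):
    """Return {host: [stages]} for hosts reaching >= min_stages distinct
    stages within window_hours of some starting event."""
    per_host = defaultdict(list)
    for ts, host, event, _ in (parse(l) for l in lines if l.strip()):
        if event in STAGE_OF:                     # unrelated events are ignored
            per_host[host].append((ts, STAGE_OF[event]))
    hits = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over each start
            stages = []
            for ts, stage in events[i:]:
                if ts - start > timedelta(hours=window_hours):
                    break
                if stage not in stages:
                    stages.append(stage)
            if len(stages) >= min_stages:
                hits[host] = stages
                break
    return hits

# Constructed sample telemetry (not real logs). host02 has two stages a day
# apart, which should not be flagged.
SAMPLE = """
2024-05-01T09:58:00 host01 teams_external_chat from=helpdesk@example.invalid
2024-05-01T10:00:00 host01 quickassist_session user=alice
2024-05-01T10:07:00 host01 dll_sideload parent=trusted.exe dll=C:\\Users\\alice\\x.dll
2024-05-01T10:09:00 host01 registry_run_key value=Updater
2024-05-01T10:15:00 host01 outbound_443_new_domain dst=cdn-update.example.invalid
2024-05-01T10:30:00 host02 registry_run_key value=OneDrive
2024-05-02T11:00:00 host02 outbound_443_new_domain dst=news.example.invalid
""".strip().splitlines()

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Tune `window_hours` and `min_stages` to the environment; the point is that the Quick Assist session, sideload, Run key and new-domain HTTPS beacon are each benign-looking alone but rarely co-occur on one host by accident.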

Ways organizations using Microsoft Teams can stay safe

Despite its sophistication, this attack can be prevented or blocked with a handful of mitigations.

User awareness is an effective mitigation for these attacks because it stops the chain at stage one. According to Microsoft, users should know the approved channels through which IT support will contact them and the identifiers support staff must present. It also recommends that organizations establish a unique voice code known only to confirmed IT help desk personnel, which employees can request as confirmation during calls.

Technical measures include restricting high-risk settings such as WinRM (used for lateral movement) to accounts that need them, enabling Safe Links warnings, and restricting outbound traffic to low-reputation or newly registered domains. External communications should also be treated as insecure and untrusted by default.
