Microsoft Teams is a popular communication channel for many organizations. 

Despite that, we’ve only recently started to see attacks on the platform. 

In recent months, we’ve covered how the Storm-0324 threat group has begun using Teams to deliver its phishing and malware campaigns, alongside other malware attacks. 

Teams has not yet taken off as a primary attack vector. But it is gaining traction, and we expect that to continue. What we’re starting to see is hackers using traditional Business Email Compromise (BEC) tactics, such as account compromise and spoofed names, over Teams.  

We're calling it Business Communication Compromise. 

This is the fourth evolution of BEC. 

We have written about this in depth before. 

It started as simple user impersonation, where the CEO was spoofed utilizing a Gmail address. We call that BEC 1.0, and it primarily centered around an urgent request, often in the form of purchasing gift cards. 

Then we saw BEC 2.0, which was about compromising partners, and then sending emails on their behalf, often in the form of changing a bank account. 

Next was BEC 3.0, which is the usage of legitimate services to send phishing messages. We’ve seen scores of these, including from popular sites like PayPal and QuickBooks. 

This is what the evolution looks like:

And now, we have BEC 4.0, or BCC: Business Communication Compromise. 

In this attack brief, Harmony Email researchers will discuss how hackers are using Teams to send phishing messages.  


Email Example  

This email starts as a message from Teams. 


It is typical Teams behavior to receive an email notifying the user of a message. The subject typically reads “[Insert name] sent you a message.” 

In this attack, it says “Teams” sent you a message. It says that the end-user has been named the winner of a new iPhone.  

The message comes from Teams Survey, which is a legitimate Teams tool. The sending address, noreply@email.teams.microsoft.com, is legitimate too.  

To pull this off, then, the attacker needs a compromised user account. 
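Because the notification in this attack arrives from the genuine Teams sender, a filter that only checks the sending domain lets it through. The triage heuristic below is an added example written for this post, not code from Check Point or from the post itself. It scores a Teams notification email on the signals the post describes: a generic display name such as “Teams” in the “… sent you a message” subject instead of a person, prize or urgency lure wording in the body, links that leave Microsoft domains, and a From address that is not the legitimate noreply@email.teams.microsoft.com (a spoof of the notification rather than a compromised tenant). The three sample emails, the `.invalid` domains, the lure-word list and the score thresholds are all constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Legitimate Teams notification sender named in the post.
TEAMS_NOTIFICATION_SENDER = "noreply@email.teams.microsoft.com"
# Subject pattern described in the post: "<name> sent you a message".
SUBJECT_RE = re.compile(r"^(?P<name>.+?) sent you a message\b", re.IGNORECASE)
# Assumed: display names that are a product rather than a colleague.
GENERIC_NAMES = {"teams", "microsoft teams", "teams survey", "survey"}
# Assumed: lure vocabulary; the iPhone-prize lure comes from the post.
LURE_WORDS = ("winner", "won", "prize", "iphone", "gift card", "urgent", "claim")
# Assumed: link domains we treat as first-party for a Teams notification.
TRUSTED_LINK_DOMAINS = ("teams.microsoft.com", "microsoft.com", "forms.office.com")


def _body_text(msg):
    """Return the plain-text body of a parsed email message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return msg.get_payload()


def _is_trusted_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def triage(raw_email):
    """Score a Teams-style notification email and return the reasons."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = _body_text(msg)
    score, reasons = 0, []

    # Signal 1: the From address is not the real Teams notifier (spoof).
    if sender.lower() != TEAMS_NOTIFICATION_SENDER:
        score += 2
        reasons.append(f"sender {sender!r} is not the Teams notification address")

    # Signal 2: subject names a product ("Teams") rather than a person.
    match = SUBJECT_RE.match(subject)
    name = match.group("name").strip().strip('"') if match else None
    if name is None:
        score += 1
        reasons.append("subject does not follow the notification pattern")
    elif name.lower() in GENERIC_NAMES:
        score += 2
        reasons.append(f"generic display name {name!r} instead of a person")

    # Signal 3: prize / urgency wording in the message body.
    lower = body.lower()
    lures = [w for w in LURE_WORDS if re.search(rf"\b{re.escape(w)}\b", lower)]
    if lures:
        score += 1
        reasons.append("lure wording: " + ", ".join(lures))

    # Signal 4: links pointing outside Microsoft-owned domains.
    links = re.findall(r"https?://[^\s\"'<>]+", body)
    external = [u for u in links if not _is_trusted_host(urlparse(u).hostname)]
    if external:
        score += 1
        reasons.append("external links: " + ", ".join(external))

    verdict = "suspicious" if score >= 2 else "review" if score == 1 else "ok"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed samples (not real messages). The first mirrors the post:
# genuine sender, "Teams" as the display name, iPhone-winner lure.
SAMPLE_LURE = (
    "From: Teams <noreply@email.teams.microsoft.com>\n"
    "To: user@example.com\n"
    "Subject: Teams sent you a message\n"
    "\n"
    "Congratulations! You have been named the winner of a new iPhone.\n"
    "Claim your prize here: https://survey-example.invalid/claim\n"
)
SAMPLE_BENIGN = (
    "From: Teams <noreply@email.teams.microsoft.com>\n"
    "To: user@example.com\n"
    "Subject: Jane Doe sent you a message\n"
    "\n"
    "Can you review the Q3 deck before the 3pm meeting?\n"
    "https://teams.microsoft.com/l/message/19:abc\n"
)
SAMPLE_SPOOFED = (
    "From: Microsoft Teams <notifications@teams-alerts.invalid>\n"
    "To: user@example.com\n"
    "Subject: Teams sent you a message\n"
    "\n"
    "Urgent: your account will be locked. https://teams-alerts.invalid/login\n"
)

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN),
                       ("spoofed", SAMPLE_SPOOFED)):
        print(label, triage(raw))
```

The sender check deliberately carries no weight on its own for the post’s scenario: the lure sample passes it, and is caught only by the combination of a product name where a colleague’s name belongs, prize wording and a link off Microsoft domains. A single signal lands in “review” rather than “suspicious”, so a colleague who genuinely writes “urgent” is not auto-quarantined.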


Techniques 

We’ve covered Teams attacks launched from compromised users since 2020, when a compromised Microsoft Teams account in a partner organization fooled users into sharing insider information. When a Microsoft 365 account is compromised, one of the first things hackers check is whether the person has a Teams account. Hackers consider this a high-value account, given the free flow of information and data. Attackers are already very adept at compromising Microsoft 365 accounts using traditional email phishing methods, and the same credentials work for Teams. 

Attacks that use Teams or Slack as a vector are silent and stealthy, designed to avoid detection. Because of the inherent trust that users grant to Teams or Slack messages, attackers are very careful about potential discovery. Slack and Teams are the preferred internal East-West vector for attackers to spread inside the organization. 

Malware or phishing URLs are specifically targeted to bypass built-in protections. Once inside an organization, an attacker (normally) knows what technology is being used to protect it. An attack that uses Teams as a vector will have already been tested against Microsoft filters. 

This makes these types of attacks fairly straightforward to carry out and potentially very damaging.  


Best Practices: Guidance and Recommendations 

To guard against these attacks, security professionals can do the following: 

  • Implement protection that downloads all files in a sandbox and inspects them for malicious content 
  • Deploy robust, full-suite security that secures all lines of business communication, including Teams 
  • Encourage end-users to reach out to IT when seeing an unfamiliar file