New Microsoft Teams phishing attacks launched by ransomware-linked IAB

Initial access broker Storm-0324, who was previously associated with GandCrab and Sage ransomware distribution as well as the FIN7 hacking group, has been deploying Microsoft Teams phishing attacks since July, BleepingComputer reports. Such attacks, which involve the delivery of phishing lures with links redirecting to a malicious file on SharePoint through Microsoft Teams, were likely facilitated by the open source TeamsPhisher tool, which enables the evasion of incoming file restrictions, a Microsoft report revealed. Exploitation of Microsoft Teams in phishing campaigns has prompted Microsoft to flag threat actors leveraging the technique as "EXTERNAL" users in an effort to prevent compromise. "We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. We rolled out new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant," said Microsoft.