Microsoft Teams Impersonation Attacks
NJCCIC Alert
Original Release Date: 5/8/2020
Summary
Since the increase in remote work, users have become familiar with notifications and invitations from collaboration software providers sent to their inbox. Threat actors are targeting users and impersonating these automated notification emails from Microsoft Teams. They use numerous URL redirects to obfuscate the real URL that hosts the attacks, in order to bypass detection by email protection services. In these attacks, the email contains a link or file that, if clicked, redirects the user to a spoofed Microsoft Office login page. The emails, landing pages, and links appear to be visually convincing and legitimate, potentially resulting in credential compromise and further attacks.
Recommendations
The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to avoid clicking links or opening attachments in emails from unknown senders, and exercise caution with emails from known senders. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. Users are advised to enable multi-factor authentication where available to prevent account compromise as a result of credential theft. More information about the attacks can be found in the Abnormal Security blog.
The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
View our Privacy Policy here.
View our Site Index here.