Protecting Against Microsoft Teams Phishing Attacks: Don’t Take the Bait

Darktrace detected and blocked phishing emails sent via Microsoft Teams that impersonated an international hotel chain. The case shows how anomaly detection and autonomous response can disrupt social-engineering attacks that piggyback on trusted services.

#Darktrace #MicrosoftTeams #InternationalHotelChain #cloud-sharcpoint #SharePoint #TypoSquatting

Key points

  • Threat actors used Microsoft Teams as a phishing vector to reach Darktrace customers in the EMEA region.
  • An external user account (with an email address tied to an international hotel chain) created chats and sent a high volume of messages in a short time to internal users.
  • The external actor connected from an unusual IP address in Poland (195.242.125[.]186), divergent from the user’s prior UK activity, signaling suspicious behavior.
  • 21 different external URLs were sent in Teams chats, all on the domain cloud-sharcpoint[.]com, likely a typosquat of a legitimate SharePoint URL.
  • A typo-squatted link led to a fake SharePoint page branded for the hotel chain, containing a document named “New Employee Loyalty Program” that redirected to a Microsoft login credential harvester.
  • Darktrace’s anomaly detection and autonomous response were able to contain the attack in real time; at the time, autonomous actions still required human confirmation before taking effect.
  • A second, similar campaign targeting the same hotel-chain impersonation emerged about a month later, with variations in the external domain but similar tactics.

MITRE Techniques

  • [T1566.003] Spearphishing via Service – The attackers used Microsoft Teams to launch a phishing attack by delivering messages through a trusted service. “The malicious use of the popular communications platform Microsoft Teams has become widely observed…”
  • [T1566.002] Spearphishing Link – 21 external URLs were sent in Teams chats, including the domain cloud-sharcpoint[.]com, likely aiming to impersonate cloud-sharepoint[.]com with typosquatted links. “Within the 21 Teams chats created by the threat actor, Darktrace identified 21 different external URLs…”
  • [T1566] Phishing – Initial Access – Phishing activity described as initial access technique; the appendix notes “Phishing – Initial Access (T1566)” as the tactic.

Indicators of Compromise

  • [Domain] Malicious phishing domains – cloud-sharcpoint[.]com/[a-zA-Z0-9]{15}, InternatlonalHotelChain[.]sharcpolnte-docs[.]com
  • [IP Address] External Source IP Address – 195.242.125[.]186
  • [File name] Document name on phishing page – New Employee Loyalty Program
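As an added, defensive illustration of the two behaviours described in the key points and the indicators above (an external sender opening many chats within minutes, and links whose hosts imitate SharePoint), the following Python is not Darktrace's code: it runs both checks over a constructed sample of Teams chat-message events. The internal tenant domain, sender addresses, timestamps and message texts are all assumed.

```python
import re
from datetime import datetime, timedelta
INTERNAL_DOMAINS = {"corp.example"}        # assumption: the defended tenant's own domains
HOMOGLYPHS = str.maketrans("l10", "iio")   # lookalike swaps seen in the IoCs: l->i, 1->i, 0->o

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sharepoint_lookalike(host, max_dist=2):
    """Return (label, distance) when a label of host imitates 'sharepoint'; real *.sharepoint.com hosts are never flagged."""
    host = host.lower().replace("[.]", ".")     # accept defanged IoCs as well as live URLs
    if host == "sharepoint.com" or host.endswith(".sharepoint.com"):
        return None
    hits = [(f, levenshtein(f.translate(HOMOGLYPHS), "sharepoint")) for f in re.split(r"[.-]", host)]
    hits = [h for h in hits if h[1] <= max_dist]   # distance 0 = brand name on a non-brand host
    return min(hits, key=lambda h: h[1]) if hits else None

def chat_burst(events, window=timedelta(minutes=10), min_chats=5):
    """Map each external sender to the most distinct chats it touched inside any one window."""
    per_sender = {}
    for sender, ts, chat, _ in events:
        if sender.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            per_sender.setdefault(sender, []).append((datetime.fromisoformat(ts), chat))
    flagged = {}
    for sender, items in per_sender.items():
        items.sort()
        peak = max(len({c for t, c in items[i:] if t - t0 <= window}) for i, (t0, _) in enumerate(items))
        if peak >= min_chats:
            flagged[sender] = peak
    return flagged

def lookalike_links(events):
    """(sender, host, label, distance) for every link whose host imitates SharePoint."""
    return [(s, h.lower(), *hit) for s, _, _, text in events
            for h in re.findall(r"https?://([^/\s]+)", text) if (hit := sharepoint_lookalike(h))]
SAMPLE_EVENTS = [  # (sender, ISO timestamp, chat id, message text): constructed, not real telemetry
    ("promo@intl-hotel-chain.example", "2024-05-01T09:00:05", "chat-1", "New Employee Loyalty Program: https://cloud-sharcpoint.com/aB3dE5fG7hI9jK1"),
    ("promo@intl-hotel-chain.example", "2024-05-01T09:00:41", "chat-2", "Please review https://cloud-sharcpoint.com/zX9yW8vU7tS6rQ5"),
    ("promo@intl-hotel-chain.example", "2024-05-01T09:01:12", "chat-3", "Loyalty doc https://cloud-sharcpoint.com/mN4bV3cX2zL1kJ0"),
    ("promo@intl-hotel-chain.example", "2024-05-01T09:01:55", "chat-4", "https://cloud-sharcpoint.com/pO9iU8yT7rE6wQ5"),
    ("promo@intl-hotel-chain.example", "2024-05-01T09:02:30", "chat-5", "https://InternatlonalHotelChain.sharcpolnte-docs.com/login"),
    ("alice@corp.example", "2024-05-01T09:03:00", "chat-9", "HR site: https://contoso.sharepoint.com/sites/hr"),
    ("vendor@partner.example", "2024-05-01T09:05:00", "chat-7", "Invoice attached, thanks."),
]
```

Running `chat_burst(SAMPLE_EVENTS)` flags only the external hotel-chain sender, and `lookalike_links(SAMPLE_EVENTS)` returns its five links while leaving the genuine `contoso.sharepoint.com` link alone.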

Read more: https://darktrace.com/blog/dont-take-the-bait-how-darktrace-keeps-microsoft-teams-phishing-attacks-at-bay