Security BUZZ - How Hackers are Using Microsoft Services to Trick You

    Posted 12 days ago

    Cyberattacks will continue to evolve over time. Techniques that become publicly known are often modified, leading hackers to adopt slightly different approaches. Microsoft Teams, SharePoint, and OneDrive are increasingly popular tools for attackers, primarily because more than half of the world's population utilizes them. In the past two months, security companies have detected a series of attacks displaying patterns consistent with well-known Eastern European ransomware operators.

    In the earlier attack, victims received a flood of Teams messages that appeared to come from their company's IT department or a trusted colleague. The messages asked them to connect using Quick Assist, which is a legitimate Microsoft tool for remote support. However, the messages were actually sent by a hacker who had compromised a legitimate Teams account. If the victim grants access through Quick Assist, the hacker gains complete control of the computer. Subsequently, a cleverly disguised package of malware was delivered via a SharePoint link.

    A month later, another attack employed a different but equally effective strategy. First, the attackers flooded victims' inboxes with spam emails. Next, someone posing as technical support contacted the victims via a compromised Teams account, claiming they could help resolve the spam issue the users were experiencing. To gain the users' trust, the attacker might even refer to specific details about the spam emails received. Finally, they requested that the users utilize Quick Assist so they could "fix" the problem remotely.

    In both instances, hackers specifically targeted critical infrastructure organizations as well as businesses in the finance and insurance sectors. They utilized legitimate OneDrive to communicate with the victims' computers and to host malware. The use of approved services and Java-based malware makes it challenging for modern security technologies to detect these attacks.

    Key takeaways:

    • Always be suspicious of unsolicited messages, especially those requesting access to your computer or asking you to download files
    • Verify the sender's identity through a separate channel before taking any action. For example, if someone claiming to be from IT contacts you through Teams, call the IT helpdesk directly to confirm
    • Don't click on links from unknown senders or those that seem out of place. Hover over the link to see the full URL before clicking. If anything looks suspicious, don't click it
    • Familiarize yourself with the tools IT uses for support. If someone contacts you out of the blue, report it to your security team immediately
    • Use MFA for all Microsoft 365 applications. That makes it harder for hackers with stolen user names and passwords to get into your company's Teams
    • Unless imperative to your business, restrict guest access to your Microsoft Teams tenant

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
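
The two sequences described in the post above (a message flood, a Teams contact, then a Quick Assist session) can be expressed as a correlation rule for a security team. The sketch below is an added example, not part of the original post; the `time|user|kind|detail` log format, the thresholds and every sample event are constructed assumptions, not the schema of any Microsoft 365 or endpoint log.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # assumed correlation window
FLOOD = 20                   # assumed: inbound messages within WINDOW that count as a flood

def parse(line):
    """Split a constructed 'time|user|kind|detail' line (hypothetical format)."""
    ts, user, kind, detail = line.strip().split("|")
    return datetime.fromisoformat(ts), user, kind, detail

def find_chains(lines):
    """Alert on Quick Assist launches preceded by a message flood and a Teams chat."""
    events = sorted(parse(line) for line in lines)
    alerts = []
    for ts, user, kind, detail in events:
        if kind != "process" or detail.lower() != "quickassist.exe":
            continue
        recent = [e for e in events if e[1] == user and ts - WINDOW <= e[0] < ts]
        mails = sum(1 for e in recent if e[2] == "mail")
        chats = [e for e in recent if e[2] == "teams"]
        if not chats:
            continue  # no Teams contact before the session: not this pattern
        if mails >= FLOOD:
            pattern = "email flood, then Teams contact"
        elif len(chats) >= FLOOD:
            pattern = "Teams message flood"
        else:
            continue  # a single chat and no flood looks like routine support
        alerts.append({"user": user, "time": ts.isoformat(), "pattern": pattern,
                       "teams_senders": sorted({e[3] for e in chats})})
    return alerts

def sample_events():
    """Constructed events for three users; only alice and bob match the post's patterns."""
    base = datetime(2024, 1, 10, 9, 0)
    at = lambda m: (base + timedelta(minutes=m)).isoformat()
    lines = [f"{at(i)}|alice|mail|bulk{i}@example.net" for i in range(30)]
    lines += [f"{at(40)}|alice|teams|helpdesk@example.com",
              f"{at(55)}|alice|process|QuickAssist.exe"]
    lines += [f"{at(60 + i)}|bob|teams|it-support@example.com" for i in range(25)]
    lines += [f"{at(90)}|bob|process|QuickAssist.exe"]
    lines += [f"{at(10)}|carol|teams|helpdesk@example.com",
              f"{at(20)}|carol|process|QuickAssist.exe"]
    return lines

if __name__ == "__main__":
    for alert in find_chains(sample_events()):
        print(alert)
```

The rule keys on the sequence rather than on any single event, since each step uses an approved service; the window and flood threshold need tuning against an organization's normal helpdesk activity.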