The Redmond software maker is warning users of its Microsoft Teams chat application of a threat actor providing initial malicious access on behalf of third-party ransomware operators.
The hacker – which Microsoft is calling Storm-0324 but is also known as TA543 and Sagrid by other researchers – normally uses email as its initial infection vector, sending phishing messages purporting to contain important invoice and payment details.
However, since July 2023, Microsoft’s researchers have observed the actor using an open-source tool to spread its lures over Teams.
In both cases, though, once the threat actor has gained initial access, it hands this access off to a known ransomware-as-a-service operator, Sangria Tempest – also known as ELBRUS, Carbon Spider, or FIN7, depending on which researcher you’re talking to.
Historically, Storm-0324 has been observed using complex email chains that rely on established traffic distribution systems, which let it detect malware sandboxes and evade detection. The actor’s lures are often financial in nature, such as QuickBooks and DocuSign files, but they are, in fact, infection vectors for a wide range of malware, including infostealers, banking Trojans, and ransomware.
Regardless of the payload, Storm-0324 hosts its files on a SharePoint site.
To make the initial lures seem more secure than they really are, the threat actor often provides a password to access the malicious documents, a clever social engineering trick that provides the victim with a false sense of security.
The recent Teams activity uses the same SharePoint functionality to spread its lures but uses a tool called TeamsPhisher to attach files to messages.
“These Teams-based phishing lures by threat actors are identified by the Teams platform as ‘EXTERNAL’ users if external access is enabled in the organisation,” Microsoft warned users in a blog post.
To combat the threat activity, Microsoft has rolled out a number of improvements for Teams.
“In accordance with Microsoft policies, we have suspended identified accounts and tenants associated with inauthentic or fraudulent behaviour,” Microsoft said.
“We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams to emphasise the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders.”
Microsoft continues to monitor the threat actor and its operations.
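The ‘EXTERNAL’ condition Microsoft describes depends on the tenant’s external access (federation) settings. As an added example that is not part of the article or of Microsoft’s guidance, the following Teams PowerShell session checks whether any external tenant can currently message users and, if so, restricts external access to an explicit allow-list of partner tenants; the partner domains are placeholders.

```powershell
# Added example, not from the article: audit and tighten Teams external access
# so that one-on-one chats from unknown tenants are not delivered at all.
# Requires the MicrosoftTeams module and a Teams administrator account.
Connect-MicrosoftTeams

# 1. Inspect the current federation settings. The exposure the article describes
#    exists when AllowFederatedUsers is $true and AllowedDomains is open, which
#    the cmdlet displays as "AllowAllKnownDomains".
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                     AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

$openToAllTenants = $cfg.AllowFederatedUsers -and
                    ("$($cfg.AllowedDomains)" -eq 'AllowAllKnownDomains')

if ($openToAllTenants) {
    Write-Warning 'External access is open to every Teams tenant; any external sender can start a chat.'

    # 2. Replace the open configuration with an explicit allow-list of partner
    #    tenants (placeholder domains) and stop Teams personal (consumer)
    #    accounts from initiating chats with users in this tenant.
    $partners  = @('partner-one.example', 'partner-two.example') |
                 ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $partners

    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                        -AllowedDomains $allowList `
                                        -AllowTeamsConsumer $false `
                                        -AllowTeamsConsumerInbound $false

    # 3. Re-read the configuration so the change is confirmed from the service,
    #    not assumed from the cmdlet returning without error.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumerInbound
}
```

Tenants that need open federation for business reasons should instead rely on the Accept/Block prompt the article mentions and on user awareness that the ‘EXTERNAL’ tag marks a sender outside the organisation.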
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.