Executive summary
While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats can be a phishing vector. Most Teams activity is intra-organizational, but Microsoft enables External Access by default, which allows members of one organization to add users outside the organization to their Teams chats. Perhaps predictably, this feature has provided malicious actors a new avenue by which to exploit untrained or unaware users.
In a recent example, an AT&T Cybersecurity Managed Detection and Response (MDR) customer proactively reached out with concerns about a user who was external to their domain sending an unsolicited Teams chat to several internal members. The chat was suspected to be a phishing lure. The customer provided the username of the external user as well as the IDs of multiple users who were confirmed to have accepted the message.
With this information, the AT&T Cybersecurity MDR SOC team was able to identify the targeted users, as well as suspicious file downloads initiated by some of them. A review of the tactics and indicators of compromise (IOCs) used by the attacker showed them to be associated with DarkGate malware, and the MDR SOC team was able to head off the attack before any significant damage was done.
Investigation
Initial event review
Indicators of compromise
The customer provided the below screenshot (Image 1) of the message that was received by one of their users and which was suspected to be a phishing lure. An important detail to note here is the “.onmicrosoft.com” domain name. This domain, by all appearances, is authentic and most users would probably assume that it is legitimate. OSINT research on the domain also shows no reports of suspicious activity, leading the MDR SOC team to believe the username (and possibly the entire domain) was likely compromised by the attackers prior to being used to launch the phishing attack.
Image 1: Screenshot from customer of received message
Expanded investigation
Events search
Performing a search of the external username in the customer’s environment led the MDR team to over 1,000 “MessageSent” Teams events that were generated by the user. Although these events did not include the IDs of the recipients, they did include the external user’s tenant ID, as displayed in Image 2 below.
Image 2: Event log showing external user tenant ID
A Microsoft 365 tenant ID is a globally unique identifier assigned to an organization. It is what allows members of different companies to communicate with one another via Teams. As long as both members of a chat have valid tenant IDs, and External Access is enabled, they can exchange messages. With this in mind, the MDR SOC team was able to query events that contained the external user’s tenant ID and found several “MemberAdded” events, which are generated when a user joins a chat in Teams.
Image 3: “MemberAdded” event
These events include the victim’s user ID, but not the external user ID. In addition to the external tenant ID, the MDR SOC team was able to positively link these “MemberAdded” events back to the attacker via the “ChatThreadId” field, which was also present in the original “MessageSent” events. The customer was provided with a list of users who accepted the external chat and was then able to begin identifying potentially compromised assets and accounts for remediation.
Event deep-dive
The MDR SOC team continued to drill down on the phished users to determine the precise nature of the attack. They subsequently discovered three users who had downloaded a suspicious double extension file. The file was titled “Navigating Future Changes October 2023.pdf.msi” (Image 4).
Image 4: Suspicious double extension file obtain
Double extension files are commonly used by attackers to trick users into downloading malicious executables, as the second extension, .msi in this case, is usually hidden by the filesystem. The user believes they are downloading a PDF for business use, but instead receives a malicious installer.
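A check for this pattern over download or file-creation events, as an added example that is not part of the original write-up: it flags names whose final extension is an installer or script type while the one before it is a document type. The two extension sets are assumptions chosen for illustration, and the sample paths other than the filename quoted above are constructed.

```python
import ntpath

# Illustrative sets, not an exhaustive policy: extensions a lure pretends to
# be, and extensions that actually execute when opened.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXEC_EXTS = {"msi", "exe", "scr", "com", "bat", "cmd", "js", "vbs", "lnk", "hta", "ps1"}


def double_extension(path):
    """Return (decoy_ext, real_ext) if the name ends in <document>.<executable>, else None."""
    # ntpath splits on both "\" and "/", so Windows paths parse on any platform.
    # Windows ignores trailing dots and spaces, so drop them before comparing.
    name = ntpath.basename(path).rstrip(" .").lower()
    parts = name.split(".")
    if len(parts) < 3:
        return None  # zero or one extension: nothing is being disguised
    # strip() catches padding inserted between the decoy and the real
    # extension, e.g. "invoice.pdf   .exe".
    decoy, real = parts[-2].strip(), parts[-1].strip()
    if decoy in DECOY_EXTS and real in EXEC_EXTS:
        return decoy, real
    return None


def flag_downloads(paths):
    """Return the subset of paths that carry a disguised executable extension."""
    return [p for p in paths if double_extension(p) is not None]


# Constructed sample, plus the filename reported in this investigation.
SAMPLE_DOWNLOADS = [
    "Navigating Future Changes October 2023.pdf.msi",
    r"C:\Users\user\Downloads\Invoice.PDF   .EXE ",
    "report.v2.pdf",
    "setup.msi",
    "backup.tar.gz",
]
```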
The MDR SOC team was able to provide the filename and associated hashes to the customer, who in turn passed that information on to their endpoint detection and response (EDR) provider so the file could be added to the blocklist. The information about the file downloads also enabled the customer to begin identifying affected assets for isolation and remediation.
Reviewing for additional indicators
The customer later provided the malicious file to the MDR SOC team for further analysis. Upon detonation in a sandbox, the file attempted to beacon out to the domain hgfdytrywq[.]com, which is a confirmed DarkGate command-and-control (C2) domain, according to Palo Alto Networks (https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-12-IOCs-for-DarkGate-from-Teams-chat.txt). The filename is also similar to the files listed by Palo Alto Networks and the double-extension file is a known DarkGate tactic.
Remediation
The MDR SOC provided the customer with a list of users who had received the message, users who were confirmed to have accepted the message, and users who were identified as having initiated a download of the malicious .msi file. The customer used this information to initiate password resets for the affected users and to determine which assets were infected so that they could be isolated and rolled back to a clean state. The DarkGate file hashes and paths were blocklisted by the customer’s EDR solution and the C2 domain was blocked. The customer was also advised to consider disabling Teams External Access unless it was necessary for business use.
Recommendations
Email phishing attacks have long been a threat to organizations, and they will continue to be, but phishing via Microsoft Teams is a relatively new phenomenon. This attack vector is a reminder of the need for constant vigilance and user training in the face of evolving threats.
Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel. As always, end users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms, beyond the typical email. Not everyone is on the same team!