New Storm-0324 Tactics: Microsoft Teams Used for Network Hacking

Microsoft has issued a warning about a new phishing campaign that utilizes Microsoft Teams as a platform for penetrating corporate networks. The campaign is associated with a threat cluster known as Storm-0324, also identified as TA543 and SAGRID.

Security researchers have observed that Storm-0324 changed its attack methods in July 2023. Where email was previously the primary infection vector, the attackers now actively use Microsoft Teams chats, leveraging an open-source tool to send phishing messages directly through the platform.

Storm-0324 offers services for distributing malicious programs, including banking trojans and reconnaissance programs. In previous attacks, cybercriminals used phishing emails with attachments disguised as invoices and other financial documents. The new attack method utilizing Microsoft Teams poses an elevated threat to corporate networks as many companies rely on this platform for internal and external communication.

According to Microsoft, Storm-0324 is an initial access broker (IAB) that sells access to compromised networks. The access gained in this campaign allows other cybercriminal groups to carry out post-exploitation activity and deploy further malware, including ransomware.

In July 2023 the attack method changed: phishing lures were sent via Teams chat as links leading to a malicious ZIP file hosted on SharePoint. This was done with an open-source tool called TeamsPhisher, which lets a Teams user attach files to messages sent to users in other organizations. The tool exploits a security flaw in the service to bypass the restrictions Teams places on communication with external users outside the target organization.
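The delivery pattern described above (a sender from another tenant, a chat link to an archive file on a Microsoft-hosted file service, financial lure wording) can be triaged from Teams message telemetry. The script below is an added example written for this page, not code from Microsoft or from the TeamsPhisher project; the event records and their field names are constructed and simplified, so map them onto whatever your audit-log export actually provides.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, unquote

# SharePoint is the hosting service named in the reported campaign; the other
# suffixes are assumptions covering similar Microsoft-hosted sharing links.
HOSTED_FILE_SUFFIXES = ("sharepoint.com", "1drv.ms", "onedrive.live.com")
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar", ".iso", ".img")
LURE_WORDS = ("invoice", "payment", "remittance", "statement", "receipt")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class TeamsMessageEvent:
    """Constructed, simplified view of one Teams chat message event (field names assumed)."""
    sender: str          # sender's user principal name
    sender_tenant: str   # DNS name of the tenant the sender signed in to
    recipient: str
    text: str


@dataclass
class Finding:
    sender: str
    score: int
    reasons: list
    urls: list


def extract_urls(text):
    """Return every http(s) URL in a message body, trailing punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def is_hosted_archive_link(url):
    """True when the URL points at an archive file on a Microsoft-hosted file service.

    Anonymous sharing links (/:u:/g/...) hide the file name; for those, enrich the
    event with the file metadata before calling this check.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = unquote(parsed.path).lower()
    hosted = any(host == s or host.endswith("." + s) for s in HOSTED_FILE_SUFFIXES)
    return hosted and path.endswith(ARCHIVE_EXTENSIONS)


def triage(event, home_tenant, trusted_tenants=frozenset(), threshold=3):
    """Score one message; return a Finding when the score reaches the threshold."""
    reasons, score = [], 0
    sender_tenant = event.sender_tenant.lower()
    if sender_tenant != home_tenant.lower():
        score += 1
        reasons.append("sender is external to the tenant")
        if sender_tenant not in {t.lower() for t in trusted_tenants}:
            score += 1
            reasons.append("sender tenant is not an approved partner")
    urls = extract_urls(event.text)
    archive_urls = [u for u in urls if is_hosted_archive_link(u)]
    if archive_urls:
        score += 2
        reasons.append("link to hosted archive file")
    if any(w in event.text.lower() for w in LURE_WORDS):
        score += 1
        reasons.append("financial lure wording")
    if score >= threshold:
        return Finding(event.sender, score, reasons, archive_urls or urls)
    return None


def triage_batch(events, home_tenant, trusted_tenants=frozenset()):
    """Run triage over a list of events and keep only the findings."""
    findings = []
    for event in events:
        finding = triage(event, home_tenant, trusted_tenants)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events: one lure from an unknown tenant, one internal
# colleague, one approved partner sharing a PDF.
SAMPLE_EVENTS = [
    TeamsMessageEvent(
        "accounts@unknown-tenant.example", "unknown-tenant.example", "alice@contoso.example",
        "Hi, please review the attached invoice: "
        "https://unknown-tenant.sharepoint.com/sites/docs/Shared%20Documents/Invoice_2023.zip",
    ),
    TeamsMessageEvent(
        "bob@contoso.example", "contoso.example", "alice@contoso.example",
        "Draft deck here: https://contoso.sharepoint.com/sites/team/Shared%20Documents/roadmap.pptx",
    ),
    TeamsMessageEvent(
        "carol@partner.example", "partner.example", "alice@contoso.example",
        "Monthly statement attached as PDF: https://partner.sharepoint.com/sites/fin/Statement.pdf.",
    ),
]

if __name__ == "__main__":
    for f in triage_batch(SAMPLE_EVENTS, "contoso.example", {"partner.example"}):
        print(f.sender, f.score, f.reasons, f.urls)
```

The scoring is deliberately additive so that an external sender alone, or a colleague sharing a ZIP alone, does not page anyone; the combination the campaign relies on does. Tune the trusted-tenant list from your Teams external-access allowlist so the two controls agree.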

Microsoft has rolled out several security enhancements to mitigate this threat and has blocked accounts and tenants associated with suspicious or fraudulent activity. Microsoft emphasizes that identifying and removing Storm-0324 activity early can prevent the more dangerous follow-on attacks, such as data extortion, that its access is sold for.
