Safeguarding Microsoft Teams: Emerging Threats and Defence Strategies


Unmasking the Latest Attack Vectors and Fortifying Your Organisation’s Defences

Author: Destiny Young (He), Tech Infrastructure, IT Operations & Cybersecurity Engineer | Privacy Compliance and Governance – NIST, ISO 27001, SP 800-53 | Risk Management | Threat Intelligence | Incidence Response | Network & Cloud Security | IAM

As Microsoft Teams has become an integral part of workplace communication, cybercriminals have increasingly targeted the platform to exploit vulnerabilities and gain unauthorised access to sensitive information. This article explores recent attacks on Microsoft Teams users and outlines effective strategies to bolster your organisation’s defences.

The Growing Menace of Teams-Based Attacks

With over 280 million monthly active users, Microsoft Teams presents an attractive target for malicious actors. Several high-profile attacks have emerged in recent months, showcasing the evolving tactics employed by cybercriminals:

Midnight Blizzard Campaign

In late 2023, a Russian state-sponsored group known as Midnight Blizzard orchestrated a sophisticated phishing campaign targeting Teams users. The attackers:

  1. Compromised existing Microsoft 365 tenants
  2. Created new domains mimicking legitimate IT support organisations
  3. Used social engineering tactics via Teams messages to steal user credentials

Storm-0324 Threat Actor

Another notable threat group, Storm-0324, has been observed:

  1. Sending phishing lures through Teams chats
  2. Including links to malicious files hosted on SharePoint
  3. Targeting organisations with external access enabled in Teams

DarkGate Malware Distribution

A recent campaign saw threat actors abusing Teams to distribute the DarkGate malware:

  1. Compromised Teams accounts sent over 1,000 malicious group chat invites
  2. Victims were tricked into downloading files with double extensions (e.g., .pdf.msi)
  3. The malware established connections to command-and-control servers
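
The double-extension pattern in step 2 can be checked mechanically. The following is an added example, not code from the original article: it flags attachment names whose final extension runs or installs code while the preceding one looks like a document. The extension sets, the `sender` and `file` field names and the sample events are constructed assumptions.

```python
# Added example: detect decoy-document + runnable double extensions (".pdf.msi").

# Assumption: illustrative extension sets, not exhaustive.
RUNNABLE = {"msi", "exe", "scr", "js", "vbs", "lnk", "bat", "cmd", "hta", "ps1"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

# Constructed sample events; "sender" and "file" are hypothetical field names.
SAMPLE_EVENTS = [
    {"sender": "helpdesk@external.example", "file": "Holiday_Schedule.PDF.MSI"},
    {"sender": "colleague@corp.example", "file": "budget.xlsx"},
    {"sender": "vendor@partner.example", "file": "release-1.2.tar.gz"},
    {"sender": "unknown@external.example", "file": "C:\\Temp\\invoice.docx.js"},
]


def double_extension(filename):
    """Return (decoy_ext, real_ext) for names like 'x.pdf.msi', else None."""
    # Keep only the final path component and compare case-insensitively.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    parts = base.split(".")
    if len(parts) < 3:
        return None  # zero or one extension: nothing is being disguised
    decoy, real = parts[-2], parts[-1]
    # Only the last extension decides how Windows opens the file.
    if real in RUNNABLE and decoy in DECOY:
        return decoy, real
    return None


def flag_attachments(events):
    """Return (sender, file, real_ext) for every event with a disguised name."""
    flagged = []
    for event in events:
        hit = double_extension(event["file"])
        if hit:
            flagged.append((event["sender"], event["file"], hit[1]))
    return flagged


if __name__ == "__main__":
    for sender, name, ext in flag_attachments(SAMPLE_EVENTS):
        print(f"review: {sender} sent {name!r} (opens as .{ext})")
```
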

Common Attack Vectors

Cybercriminals are employing various techniques to exploit Microsoft Teams:

  1. Impersonation: Creating accounts that mimic legitimate users or IT support staff
  2. External Access Abuse: Leveraging organisations’ external communication settings
  3. Malicious File Sharing: Distributing infected files through Teams chats
  4. URL Manipulation: Replacing benign links with malicious ones in existing messages
  5. Meeting Invite Weaponisation: Altering default URLs in meeting invitations

Fortifying Your Teams Defences

To protect your organisation against these evolving threats, consider implementing the following measures:

1. Enhance User Awareness

  • Conduct regular security training focused on Teams-specific threats
  • Educate staff on identifying suspicious external messages and file attachments
  • Encourage reporting of potential phishing attempts

2. Implement Robust Access Controls

  • Enable multi-factor authentication for all Teams users
  • Restrict resource access to known business devices
  • Regularly audit and limit administrator-level service accounts

3. Leverage Microsoft Security Features

  • Enable Microsoft 365 auditing for improved visibility
  • Implement Safe Links in Microsoft Defender for Office 365
  • Utilise conditional access policies in Microsoft Defender for Cloud Apps

4. Manage External Access

  • Review and restrict external access settings in Teams
  • Consider implementing an allowlist for trusted external domains
  • Use eDiscovery to monitor and manage external communications
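
Before moving to an allowlist, it helps to know which external domains already message your users. The following is an added example, not code from the original article: it summarises external sender domains from exported chat records and lists those absent from the allowlist. The tenant domain, the allowlist, the `sender` and `recipient` field names and the sample records are all constructed assumptions.

```python
# Added example: inventory external sender domains against a proposed allowlist.
from collections import defaultdict

# Constructed inputs; "sender" and "recipient" are hypothetical export fields.
TENANT_DOMAINS = {"corp.example"}
ALLOWLIST = {"partner.example", "supplier.example"}
SAMPLE_MESSAGES = [
    {"sender": "ana@partner.example", "recipient": "lee@corp.example"},
    {"sender": "it-support@partner-example.example", "recipient": "lee@corp.example"},
    {"sender": "it-support@partner-example.example", "recipient": "kim@corp.example"},
    {"sender": "Bo@Supplier.Example", "recipient": "kim@corp.example"},
    {"sender": "sam@corp.example", "recipient": "lee@corp.example"},
    {"sender": "sales@unknown.example", "recipient": "kim@corp.example"},
]


def domain_of(address):
    """Lower-cased domain part of an address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def external_domain_report(messages, tenant=TENANT_DOMAINS, allowlist=ALLOWLIST):
    """Map each external sender domain to message count, users reached, allowlist status."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": set()})
    for msg in messages:
        domain = domain_of(msg["sender"])
        if domain in tenant:
            continue  # internal traffic is out of scope
        stats[domain]["messages"] += 1
        stats[domain]["recipients"].add(msg["recipient"].lower())
    return {
        d: {"messages": s["messages"], "recipients": len(s["recipients"]),
            # Exact match only: a similar-looking name is not the allowlisted domain.
            "allowed": d in allowlist}
        for d, s in stats.items()
    }


def unlisted_domains(report):
    """External domains seen in traffic but absent from the allowlist, busiest first."""
    hits = [(d, r["messages"]) for d, r in report.items() if not r["allowed"]]
    return [d for d, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    print(unlisted_domains(external_domain_report(SAMPLE_MESSAGES)))
```
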

5. Deploy Advanced Security Solutions

  • Invest in AI-powered security tools that analyse message content and context
  • Implement solutions that can detect social engineering attempts and payloadless attacks
  • Ensure comprehensive monitoring of Teams activities alongside other communication channels

6. Establish Clear Governance Policies

  • Develop and enforce a Microsoft Teams governance framework
  • Define policies for channel creation, guest access, and file sharing
  • Regularly review and update security settings across your Microsoft 365 environment

Conclusion

As Microsoft Teams continues to play a crucial role in modern workplace communication, organisations must remain vigilant against evolving cyber threats. By implementing a multi-layered security approach that combines user education, robust access controls, and advanced threat detection capabilities, businesses can significantly reduce their risk exposure and safeguard sensitive information from malicious actors targeting the Teams platform.

Remember, securing Microsoft Teams is an ongoing process that requires continuous adaptation to emerging threats and regular review of security measures. By staying informed and proactive, organisations can harness the collaborative power of Teams whilst maintaining a strong security posture.
