Did you know that, by default in Microsoft 365, users outside your organization can initiate Teams chats with members of your team? Attackers are leveraging this to conduct sophisticated phishing attacks in Teams, impersonating a help desk to trick users into compromising their accounts or devices. In today's article, I am going to walk through this attack kill chain and provide a security runbook to help prevent it within your organization.

Attack Flow

Here is a basic example of an attack:

1. An attacker sets up a new M365 tenant to add legitimacy, posing as a trusted organization.

2. Knowing a user's email address, they sign them up to a bunch of newsletters, flooding their inbox with spam.

3. They reach out in a Teams chat impersonating a help desk member offering to fix the spam issue. With the default settings in M365, any external user can initiate a chat with a member of your org.

4. They get the user to accept a remote access session via Quick Assist (a natively installed remote access tool on Windows 😱), ScreenConnect, TeamViewer, etc.

5. They leverage that access to tamper with protections on the machine (such as disabling AV) and install malicious payloads, or walk the user through an AiTM workflow to compromise their account further.

Default Settings

With the default settings in Microsoft 365, any user can search for an external email address in Teams, and the result tells you whether that user exists or not.

Found and accessible to chat:

Not Found:

By default, users in your organization who receive messages from non-whitelisted participants get a warning asking them to consent before diving into the chat. Given our typical users' track record, I think they are still likely to blow past this screen.

Protection Runbook

It's important to call out that as of November 2024, Microsoft now shows users a warning message by default if Microsoft thinks a chat is phishing/impersonation:

In this example:

  1. The attacker has set their display name to "Microsoft Security Team"
  2. Their domain looks like Microsoft.com but is in fact Mircosoft..com

As you can see, a user could still click through this screen themselves, which is not ideal.

1. Lock down chat with External Users in Teams

2. Uninstall or Disable Quick Assist/RMM tools

Quick Assist is enabled by default on a Windows device and is used heavily in this attack, but any RMM/remote access tool can be leveraged (ScreenConnect, TeamViewer, etc.). Ensure that only your approved remote access tool is enabled on the device.

The following KQL Query can also be used in Defender to hunt/alert for this activity:

Hunt for Teams Activity followed by suspicious RMM:

let interestingUsers = DeviceProcessEvents
| where Timestamp > ago(1h)
| where isnotempty(InitiatingProcessAccountObjectId)
| where FileName has_any ("quickassist.exe", "anydesk.exe", "teamviewer_service.exe")    // Multiple RMM tools can be abused here; extend the list to match your environment
| project InitiatingProcessAccountUpn = tolower(InitiatingProcessAccountUpn);    // lower-cased so it matches TargetUPN below (the in operator is case-sensitive)
CloudAppEvents
| where Timestamp > ago(1d)
| where Application == "Microsoft Teams"
| where ActionType == "ChatCreated"
| where isempty(AccountObjectId)    // the initiating account has no object ID in this tenant
| where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
| where RawEventData.CommunicationType == "OneOnOne"
| where RawEventData.ParticipantInfo.HasGuestUsers == false
| where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
| where AccountId has "@"
| extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
| where TargetUPN in (interestingUsers)    // only users who then ran an RMM tool in the last hour
| extend VictimTenant = tostring(RawEventData.OrganizationId)
| extend AttackerTenant = tostring(RawEventData.Members[0].OrganizationId)
| extend AttackerUPN = tostring(RawEventData.Members[0].UPN)
| extend AttackerName = tostring(RawEventData.Members[0].DisplayName)
| project Timestamp, TargetUPN, AttackerUPN, AttackerName, AttackerTenant, VictimTenant

3. Ensure you have Tamper Protection on as part of your Windows security settings

Tamper protection is a capability in Microsoft Defender for Endpoint/Defender for Business that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. This helps in the event that the attacker gains access to the user's device through a remote session and tries to turn off protections like AV in order to download malware/ransomware. It can be turned on in the Security Admin Center or Intune. It does require that your devices are enrolled in Defender for Business/Defender for Endpoint.
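Steps 1 through 3 of the runbook can be applied and verified from PowerShell. The script below is an added example written for this post, not Microsoft's own tooling; the function names are hypothetical, the cmdlets are the real ones from the MicrosoftTeams and Defender modules. It assumes the MicrosoftTeams module is installed for the tenant part, that the device part runs elevated on a Windows endpoint, and that the partner domains you pass in are ones you actually need to federate with.

```powershell
#Requires -RunAsAdministrator
# Added example for this post (not Microsoft's script). Function names are hypothetical.
# Tenant part: needs the MicrosoftTeams module and a Teams admin account.
# Device part: run elevated on the endpoint you are hardening.

function Restrict-ExternalTeamsChat {
    param(
        # Partner domains you still want to chat with; empty list = block all external chat.
        [string[]] $AllowedDomains = @()
    )
    Connect-MicrosoftTeams | Out-Null

    # Personal (consumer) Teams accounts are another route to your users; shut that off too.
    Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

    if ($AllowedDomains.Count -eq 0) {
        # No partners: turn federated (external) chat off entirely.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
    else {
        # Replace the open "allow all domains" default with an explicit allow list.
        $patterns  = $AllowedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList
    }

    # Echo the resulting configuration so the change can be reviewed.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowTeamsConsumerInbound, AllowedDomains
}

function Remove-QuickAssist {
    # Older Windows builds ship Quick Assist as a Windows capability...
    Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
        Where-Object State -eq 'Installed' |
        Remove-WindowsCapability -Online | Out-Null

    # ...newer builds ship it as a Store (Appx) package under this package name.
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
        Remove-AppxPackage -AllUsers
}

function Test-DeviceRunbook {
    param(
        # Process names of the remote access tool(s) you have approved (assumption: none by default).
        [string[]] $ApprovedRmm = @()
    )
    # Same tool list the hunting query in this post watches for, by process name.
    $rmmProcesses = 'quickassist', 'anydesk', 'teamviewer_service', 'screenconnect.clientservice'

    $status = Get-MpComputerStatus   # Defender status, including tamper protection state

    $quickAssistPresent =
        [bool](Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist') -or
        ((Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*').State -contains 'Installed')

    $unapproved = @(Get-Process -Name $rmmProcesses -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -notin $ApprovedRmm }).Name

    # One object per device; feed it into your inventory or compliance reporting.
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        TamperProtected      = $status.IsTamperProtected
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        QuickAssistPresent   = $quickAssistPresent
        UnapprovedRmmRunning = $unapproved
    }
}

# Usage (tenant): Restrict-ExternalTeamsChat -AllowedDomains 'partner.example'
# Usage (device): Test-DeviceRunbook; Remove-QuickAssist; Test-DeviceRunbook
```

Run Test-DeviceRunbook before and after Remove-QuickAssist: QuickAssistPresent should flip to False, and TamperProtected should already read True on a device that is enrolled in Defender for Endpoint/Business with tamper protection enforced. If it reads False, the fix is in the Security Admin Center or Intune as described above, since tamper protection cannot be switched on locally with Set-MpPreference.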

4. Educate your end-users about tech support scams

As part of your security awareness training, you should be educating your customers/end-users on tech support scams and what to look out for. The following article has some helpful tips: Protect yourself from tech support scams – Microsoft Support

Defense in Depth

I think the above runbook provides good protection, but it obviously does not cover everything you can do to protect against this type of attack. Evaluate your security stack to understand what additional layers you can add here. Examples:

  • Ensuring users aren't local admins on their devices
  • Using link and attachment protections in Defender for Office 365
  • Using application whitelisting and elevation control on devices
  • Using phishing-resistant MFA
