You know that moment when you receive a random Teams call and think, “Oh no, did I miss an IT update email?” Well, Russian cybercriminals are counting on it. Sophos has uncovered a scam that turns Microsoft Teams into a tool for delivering ransomware—and it’s so smooth, you might not see it coming.
Russian hackers are posing as IT support on Microsoft Teams to socially engineer employees into allowing remote access. Once in, they deploy ransomware or steal sensitive data. The scam exploits default settings in Microsoft Office 365, allowing external domains to initiate Teams chats or calls.
How It Works:
- Step 1: The scam begins with a flood of emails to the victim, creating chaos.
- Step 2: A follow-up Teams call or chat appears, with hackers posing as IT support.
- Step 3: Victims are tricked into granting remote access through tools like Microsoft’s QuickAssist or Teams’ screen share function.
- Step 4: Hackers gain control, execute malware, and install ransomware, holding sensitive data hostage.
Who’s Targeted:
The scam targets businesses of all sizes, especially those using Office 365. Employees in organizations with outsourced IT support are particularly vulnerable, as they’re used to engaging with unfamiliar support staff.
Real-Life Example:
On U.S. Election Day, an employee working remotely received 3,000 emails within minutes. Amid the chaos, they got a Teams call from someone claiming to be their IT manager. Convinced, they allowed a remote session, enabling the hackers to install malware. While Sophos managed to intercept the ransomware, the breach caused significant disruption.
Why You Should Care:
This scam goes beyond phishing links and malware attachments, relying instead on human psychology and social engineering. The financial and reputational damage of ransomware can cripple organizations, not to mention the potential exposure of sensitive company data.
How to Protect Yourself:
- Restrict External Communication: Configure Office 365 to block Teams calls and chats from external domains, unless explicitly allowed for trusted business partners.
- Train Employees: Educate staff on identifying scams, verifying IT requests, and being skeptical of unsolicited communications.
- Limit Remote Access: Use policies to restrict remote control tools like QuickAssist. Consider alternatives with enhanced security controls.
- Implement Multi-Factor Authentication (MFA): Ensure MFA is enabled for all accounts to add an extra layer of security.
- Monitor Traffic: Regularly check for unusual email or network activity that could indicate a scam is in progress.
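One way to turn the "Monitor Traffic" advice into a detection rule is to correlate the two stages described under "How It Works": an email flood to one user, followed by a Teams chat or call from an external domain. This is an added example, not code from Sophos or the source article. The event field names, domains, thresholds, and sample events are all constructed assumptions to adapt to your own mail and Teams audit logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: tune to your tenant. Domains below are placeholders.
INTERNAL_DOMAIN = "corp.example"
ALLOWED_EXTERNAL = {"partner.example"}      # trusted business partners
BURST_COUNT = 50                            # inbound mails that count as a flood
BURST_WINDOW = timedelta(minutes=5)
FOLLOWUP_WINDOW = timedelta(minutes=60)     # how long after a flood a contact is suspicious

def detect(events):
    """Return (user, sender, time) for external Teams contacts that follow an email flood."""
    recent = defaultdict(deque)   # user -> timestamps of inbound mail inside BURST_WINDOW
    flooded_at = {}               # user -> last time the flood threshold was met
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["type"] == "email_in":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > BURST_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= BURST_COUNT:
                flooded_at[user] = ts
        elif ev["type"] in ("teams_chat", "teams_call"):
            domain = ev["from"].rsplit("@", 1)[-1].lower()
            if domain == INTERNAL_DOMAIN or domain in ALLOWED_EXTERNAL:
                continue                      # internal or explicitly trusted sender
            start = flooded_at.get(user)
            if start is not None and ts - start <= FOLLOWUP_WINDOW:
                alerts.append((user, ev["from"], ts))
    return alerts

def sample_events():
    """Constructed events: one flood plus fake-helpdesk call, and two benign contacts."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    alice, bob = "alice@corp.example", "bob@corp.example"
    evs = [{"type": "email_in", "user": alice, "ts": t0 + timedelta(seconds=i)}
           for i in range(200)]
    evs.append({"type": "teams_call", "user": alice,
                "from": "helpdesk@it-support.example", "ts": t0 + timedelta(minutes=10)})
    evs.append({"type": "teams_chat", "user": alice,     # allowlisted partner
                "from": "pm@partner.example", "ts": t0 + timedelta(minutes=12)})
    evs.append({"type": "teams_chat", "user": bob,       # external, but no flood
                "from": "sales@vendor.example", "ts": t0 + timedelta(minutes=15)})
    return evs

if __name__ == "__main__":
    for user, sender, ts in detect(sample_events()):
        print(f"ALERT {ts.isoformat()} {user}: external Teams contact from {sender} after email flood")
```

Only the call from the unlisted external domain to the flooded user is flagged; the allowlisted partner chat and the external chat to a user with no flood are not.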
Quick Tips & Updates:
- Quick Tip #1: “Did you know? Microsoft Teams’ default settings allow external users to contact your team. Adjusting these settings can significantly reduce exposure.”
- Quick Tip #2: “Pro Tip: Always verify the identity of IT support personnel through official channels before granting remote access.”
Hackers thrive on confusion and urgency, but with the right precautions, we can beat them at their own game. Review your organization’s security settings and spread the word—together, we can stay one step ahead of cybercriminals.
Key Terms Explained:
- Social Engineering: A tactic that manipulates individuals into divulging confidential information or performing actions that compromise security.
- Ransomware: Malicious software that locks or encrypts data, demanding payment for its release.
- Microsoft Teams External Domain: A feature that allows users from outside an organization to initiate communication via Teams.