Cybercriminals are targeting Microsoft Teams users with βvishingβ attacks.
As Trend Micro initially reported, bad actors are using social engineering techniques through Teams calls to impersonate user clients and gain remote access to their systems.
Vishing, short for βvoice phishing,β is similar to phishing in that it involves attempting to trick someone into providing sensitive information or granting access to a system. However, unlike traditional phishing, vishing is conducted over the phone or through a calling app.
As Trend Micro outlines, the attack began with a flood of phishing emails overwhelming a victimβs account. The cybercriminal then followed up with a phone call, posing as a tech support assistant and offering to βresolveβ the problem they had triggered. This tactic exploits the victimβs frustration and urgency to fix the problem, tricking them into granting access or sharing sensitive information.
Although the attacker, in this instance, failed to install a Microsoft Remote Support app, they successfully convinced the victim to download AnyDesk, a remote access tool.
Trend Microβs team wrote:
Using Vision One, we observed a recent security incident in which a user was targeted by an attacker posing as an employee of a known client on a Microsoft Teams call. This led to the user being instructed to download the remote desktop application AnyDesk, which then facilitated the deployment ofΒ DarkGate malware.β
To deploy the DarkGate malware, which cybercriminals commonly use to steal data and gain control over a victimβs computer, the bad actor used the remote access app to install a PowerShell-based malware dropper on the victimβs system. This malware dropper then fetched the DarkGate malware.
DarkGate operates as a Remote Access Trojan (RAT), allowing the attacker to control the infected system remotely, steal sensitive information, and further compromise it.
The attack was stopped before anything was stolen, but the case illustrates the increasing (and alarming) sophistication of myriad cyberattack strategies and technologies.
A Challenging Cybersecurity Year For Microsoft
Microsoft has mobilised the equivalent of 34,000 full-time engineers for its Secure Future Initiative (SFI), a sweeping effort to enhance its security infrastructure following high-profile breaches.
The first SFI launched in November 2023 after a series of cybersecurity incidents, including the Storm-0558 attack in July 2023. This breach, attributed to Chinese hackers, compromised US government emails through vulnerabilities in Microsoft Exchange Online. In April 2024, the US Cyber Safety Review Board (CSRB) criticised Microsoft for inadequate preventative measures.
In response, Microsoft has fortified its SFI, pledging to adopt the CSRBβs recommendations. The company has also unveiled robust security principles and objectives, underscoring its commitment to strengthening cybersecurity across its platforms.
Moreover, in May, Microsoft announced it wasΒ linking the fulfilment of security goals with executive compensationΒ in an expansion of SFI. That was further expanded upon in August when a leaked Microsoft memo outlined that not producing substantial work focused on security couldΒ negatively impact every workerβs salary increases, promotions, and bonuses. This further extension of that policy to every employee seemingly intends to underscore its commitment to βmaking security (its) top priority, above all elseβ.
Since the news of the large number of full-time SFI engineers broke, however, there have still been notable incidents, of which this vishing story is just one.
For instance, in October, it emerged that the ransomware group Black Basta has adopted a deceptive new tactic: impersonating Microsoft Teams IT support to breach enterprise systems and steal sensitive data. Their approach involves bombarding targeted employees with spam emails and then masquerading as the Microsoft helpdesk to offer assistance in resolving the issue.
