
How are attackers using Teams and Outlook to breach your security?

29th January 2025

Recently, IT security company Sophos published a report* revealing that two different groups of cyber criminals abused Microsoft 365 policy to infiltrate devices, aiming to steal data and deploy ransomware. How did this happen and what can you do to prevent it?

One malicious group used a method of email bombing, sending countless messages in a short space of time: up to 3000 emails were sent in a 45-minute period. With users panicking, no alarms went off when they were contacted via Microsoft Teams by someone outside of their organisation with the name ‘Help Desk Manager’ – if you’re using a managed service provider for your IT security this would seem routine.

However, this was one of the bad actors, who then instructed the user to allow remote screen control through Teams – a form of vishing. In doing this, the attacker could infect the user’s device with malware.

The other criminal group used the same tactic, spamming users with emails and then reaching out claiming to be legitimate IT support. However, rather than using remote screen control in Teams, this group instructed users to install Microsoft Quick Assist. From there, the attacker had complete control, allowing them to spread malware on the device.

These attacks are extremely dangerous: because they combine legitimate programs in Microsoft 365 with manipulative social engineering (causing users to panic, then posing as helpful IT support), no red flags are raised until it is too late.

What can you do to avoid this situation? Restrict access within Teams so you are unable to receive calls from untrusted sources. In the same way, you should regulate Quick Assist to prevent anyone downloading it – only your IT support should have access.

Additionally, if there is an issue with Teams or Outlook, like an overload of spam, do not trust anyone contacting you that you don’t know. Instead, call your IT team to confirm if it is them.

Finally, and most importantly, make your entire team aware of this attack so they know how to avoid similar occurrences in the future.
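For teams that collect mail and Teams logs, the pattern described above (a burst of inbound email followed by contact from outside the organisation or a Quick Assist session) can be checked for automatically. The sketch below is an added example, not taken from the Sophos report; the event names, fields, tenant names and thresholds are assumptions and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and event names; tune them to your own mail baseline and log schema.
BURST_COUNT = 500                      # inbound mails to one user ...
BURST_WINDOW = timedelta(minutes=45)   # ... inside this sliding window
FOLLOW_UP = timedelta(hours=2)         # how long after a burst contact is suspicious
TEAMS_EVENTS = {"teams_chat", "teams_call", "teams_screen_control"}

def find_bombing_followups(events, home_tenant):
    """Flag external Teams contact or a Quick Assist start shortly after a mail burst."""
    recent_mail = defaultdict(deque)   # user -> timestamps of recent inbound mail
    burst_at = {}                      # user -> last time the burst threshold was met
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts, kind = ev["user"], ev["ts"], ev["type"]
        if kind == "mail_in":
            window = recent_mail[user]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:   # drop mail older than the window
                window.popleft()
            if len(window) >= BURST_COUNT:
                burst_at[user] = ts
            continue
        external_teams = kind in TEAMS_EVENTS and ev.get("tenant") != home_tenant
        if not (external_teams or kind == "quick_assist_start"):
            continue
        since = ts - burst_at[user] if user in burst_at else None
        if since is not None and since <= FOLLOW_UP:
            alerts.append({"user": user, "type": kind,
                           "minutes_after_burst": int(since.total_seconds() // 60)})
    return alerts

def sample_events():
    """Constructed data: 600 mails to alice in 40 minutes, then contact from outside."""
    t0 = datetime(2025, 1, 21, 9, 0)
    evs = [{"ts": t0 + timedelta(seconds=4 * i), "user": "alice", "type": "mail_in"}
           for i in range(600)]
    later = t0 + timedelta(minutes=50)
    evs.append({"ts": later, "user": "alice", "type": "teams_chat", "tenant": "other-tenant"})
    # Control case: bob gets the same external chat but no mail burst, so no alert.
    evs.append({"ts": later, "user": "bob", "type": "teams_chat", "tenant": "other-tenant"})
    return evs

if __name__ == "__main__":
    for alert in find_bombing_followups(sample_events(), home_tenant="home-tenant"):
        print(alert)
```

An alert here is a prompt for IT to phone the user on a known number, not proof of compromise.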

If you have any further questions please contact us HERE

*https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/
