Microsoft says an preliminary entry dealer recognized for working with ransomware teams has not too long ago switched to Microsoft Groups phishing assaults to breach company networks.
The financially motivated risk group behind this marketing campaign is tracked as Storm-0324, a malicious actor recognized to have deployed Sage and GandCrab ransomware up to now.
Storm-0324 has additionally offered the infamous FIN7 cybercrime gang entry to company networks after compromising them utilizing JSSLoader, Gozi, and Nymaim.
FIN7 (aka Sangria Tempest and ELBRUS) was seen deploying Clop ransomware on victims’ networks. It was additionally beforehand linked to Maze and REvil ransomware earlier than the now-defunct BlackMatter and DarkSide ransomware-as-a-service (Raas) operations.
“In July 2023, Storm-0324 started utilizing phishing lures despatched over Groups with malicious hyperlinks resulting in a malicious SharePoint-hosted file,” Microsoft mentioned on Tuesday.
“For this exercise, Storm-0324 most definitely depends on a publicly out there software referred to as TeamsPhisher.”
This open-source software permits attackers to bypass restrictions for incoming recordsdata from exterior tenants and ship phishing attachments to Groups customers.
It does this by exploiting a safety concern in Microsoft Groups found by Jumpsec safety researchers that Microsoft refused to handle in July after saying that the flaw did “not meet the bar for instant servicing.”
However, the difficulty was additionally exploited by APT29, the Russian International Intelligence Service (SVR) hacking division, in assaults in opposition to dozens of organizations, together with authorities companies worldwide.
Whereas Microsoft didn’t present particulars on the tip objective of Storm-0324’s assaults this time round, APT29’s assaults aimed to steal the targets’ credentials after tricking them into approving multifactor authentication (MFA) prompts.
Immediately, the corporate mentioned that it has since been working to place a cease to those assaults and defend Groups clients.
“Microsoft takes these phishing campaigns very critically and has rolled out a number of enhancements to raised defend in opposition to these threats,” Microsoft mentioned.
In keeping with Redmond, risk actors utilizing these Groups phishing techniques at the moment are acknowledged as “EXTERNAL” customers when exterior entry is enabled inside a corporation’s settings.
“We now have additionally rolled out enhancements to the Settle for/Block expertise in one-on-one chats inside Groups, to emphasise the externality of a person and their e mail tackle so Groups customers can higher train warning by not interacting with unknown or malicious senders,” Microsoft mentioned.
“We rolled out new restrictions on the creation of domains inside tenants and improved notifications to tenant admins when new domains are created inside their tenant.”
After detecting Storm-0324’s Groups phishing assaults, Microsoft suspended all tenants and accounts they used within the marketing campaign.