Microsoft says an preliminary entry dealer identified for working with ransomware teams has lately switched to Microsoft Groups phishing assaults to breach company networks.
The financially motivated risk group behind this marketing campaign is tracked as Storm-0324, a malicious actor identified to have deployed Sage and GandCrab ransomware up to now.
Storm-0324 has additionally offered the infamous FIN7 cybercrime gang entry to company networks after compromising them utilizing JSSLoader, Gozi, and Nymaim.
FIN7 (aka Sangria Tempest and ELBRUS) was seen deploying Clop ransomware on victims’ networks. It was additionally beforehand linked to Maze and REvil ransomware earlier than the now-defunct BlackMatter and DarkSide ransomware-as-a-service (Raas) operations.
“In July 2023, Storm-0324 started utilizing phishing lures despatched over Groups with malicious hyperlinks resulting in a malicious SharePoint-hosted file,” Microsoft stated on Tuesday.
“For this exercise, Storm-0324 most certainly depends on a publicly accessible software referred to as TeamsPhisher.”
This open-source software permits attackers to bypass restrictions for incoming recordsdata from exterior tenants and ship phishing attachments to Groups customers.
It does this by exploiting a safety subject in Microsoft Groups found by Jumpsec safety researchers that Microsoft refused to deal with in July after saying that the flaw did “not meet the bar for rapid servicing.”
However, the difficulty was additionally exploited by APT29, the Russian International Intelligence Service (SVR) hacking division, in assaults towards dozens of organizations, together with authorities businesses worldwide.
Whereas Microsoft didn’t present particulars on the tip aim of Storm-0324’s assaults this time round, APT29’s assaults aimed to steal the targets’ credentials after tricking them into approving multifactor authentication (MFA) prompts.
In the present day, the corporate stated that it has since been working to place a cease to those assaults and shield Groups clients.
“Microsoft takes these phishing campaigns very critically and has rolled out a number of enhancements to higher defend towards these threats,” Microsoft stated.
In keeping with Redmond, risk actors utilizing these Groups phishing techniques at the moment are acknowledged as “EXTERNAL” customers when exterior entry is enabled inside a company’s settings.
“We’ve got additionally rolled out enhancements to the Settle for/Block expertise in one-on-one chats inside Groups, to emphasise the externality of a person and their e-mail tackle so Groups customers can higher train warning by not interacting with unknown or malicious senders,” Microsoft stated.
“We rolled out new restrictions on the creation of domains inside tenants and improved notifications to tenant admins when new domains are created inside their tenant.”
After detecting Storm-0324’s Groups phishing assaults, Microsoft suspended all tenants and accounts they used within the marketing campaign.