13 September 2023

Storm-0324 caught abusing Microsoft Teams for phishing


A threat actor known as Storm-0324, DEV-0324, Sagrid, or TA543 has been observed abusing the Microsoft Teams messaging app to conduct phishing operations.

According to Microsoft, Storm-0324 is a financially motivated threat actor that operates as an initial access broker, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors.

Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures. The threat actor was previously seen distributing the JSSLoader malware, which facilitates access for Sangria Tempest (Clop, Elbrus, Carbon Spider, FIN7), a ransomware-as-a-service (RaaS) operation. Storm-0324 was also linked in the past to the distribution of the Gozi infostealer and the Nymaim downloader and locker.

The group’s most recent campaign, which has been ongoing since July this year, uses an open-source tool called TeamsPhisher to send messages with malicious attachments to organizations that allow Teams external communications.

“In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file,” Microsoft said in a report. “For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher.”

TeamsPhisher is a Python-based tool that automates the whole attack chain and allows an external account to bypass Microsoft Teams' restrictions on sending files to users in other tenants, so that malware can be delivered from outside the victim organization.

A similar tactic was previously observed in attacks by APT29 (Midnight Blizzard), a threat actor linked to Russia's Foreign Intelligence Service (SVR). However, Microsoft notes that Storm-0324’s activity is not related to the Midnight Blizzard social engineering campaigns conducted over Teams.

The tech giant said it made a number of security improvements to thwart the threat and that it suspended identified accounts and tenants associated with inauthentic or fraudulent behavior.
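Because the campaign only reaches organizations whose Teams tenant accepts messages from external tenants, the first thing a defender will want to check is the tenant's external-access (federation) configuration. The following PowerShell script is an added example written for this page; it is not code from the article, from Microsoft, or from the TeamsPhisher project. It assumes the MicrosoftTeams PowerShell module is installed and that the caller holds a Teams administrator role; the cmdlets and property names are those of `Get-CsTenantFederationConfiguration`, while the exact nesting of the `AllowedDomains` list is an assumption noted in the comments.

```powershell
# Added example, not part of the original article.
# Audits whether outside Teams tenants can open chats with (and send files to)
# users in this tenant, which is the precondition for the campaign described above.
# Assumes: MicrosoftTeams module installed, caller has a Teams admin role.

Import-Module MicrosoftTeams

function Get-TeamsExternalAccessFindings {
    [CmdletBinding()]
    param()

    $fed = Get-CsTenantFederationConfiguration
    $findings = @()

    if ($fed.AllowFederatedUsers) {
        # When external access is open to every domain, AllowedDomains renders as
        # "AllowAllKnownDomains"; otherwise it carries an explicit allow list.
        # (The -match on the rendered string is a simple, assumed way to detect that.)
        $openToAll = ($fed.AllowedDomains | Out-String) -match 'AllowAllKnownDomains'

        if ($openToAll) {
            $findings += [pscustomobject]@{
                Severity = 'High'
                Setting  = 'AllowedDomains'
                Finding  = 'External access is open to all external domains; any outside tenant can start a Teams chat with your users.'
                Fix      = 'Restrict AllowedDomains to known partner domains (see remediation comment below).'
            }
        } else {
            # Assumed structure of the allow list: AllowedDomains.AllowedDomain[].Domain
            $domains = @($fed.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain })
            $findings += [pscustomobject]@{
                Severity = 'Info'
                Setting  = 'AllowedDomains'
                Finding  = "External access is limited to an allow list: $($domains -join ', ')"
                Fix      = 'Review the list periodically and remove domains that are no longer needed.'
            }
        }

        if ($fed.BlockedDomains -and @($fed.BlockedDomains).Count -gt 0) {
            $findings += [pscustomobject]@{
                Severity = 'Info'
                Setting  = 'BlockedDomains'
                Finding  = "Explicit block list present ($(@($fed.BlockedDomains).Count) entries). A block list alone does not stop unknown attacker tenants."
                Fix      = 'Prefer an allow list over a block list for external access.'
            }
        }
    } else {
        $findings += [pscustomobject]@{
            Severity = 'Info'
            Setting  = 'AllowFederatedUsers'
            Finding  = 'External access (federation) is disabled; outside tenants cannot message your users.'
            Fix      = 'No change needed.'
        }
    }

    if ($fed.AllowPublicUsers) {
        $findings += [pscustomobject]@{
            Severity = 'Medium'
            Setting  = 'AllowPublicUsers'
            Finding  = 'Chats from consumer Skype accounts are allowed.'
            Fix      = 'Disable unless there is a documented business need: Set-CsTenantFederationConfiguration -AllowPublicUsers $false'
        }
    }

    return $findings
}

# Usage (requires an interactive sign-in):
#   Connect-MicrosoftTeams
#   Get-TeamsExternalAccessFindings | Format-Table -AutoSize
#
# Remediation sketch for the "open to all domains" finding, replacing the example
# partner domain with your own (example values, not from the article):
#   $allow = New-CsEdgeAllowList -AllowedDomain (New-CsEdgeDomainPattern -Domain 'partner.example')
#   Set-CsTenantFederationConfiguration -AllowedDomains $allow
```

The script reports findings rather than changing anything, so it can be run read-only during an assessment; the remediation lines are left as comments because switching a tenant from open federation to an allow list will break legitimate partner chats that have not been added to the list first.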
