A threat actor known as Storm-0324, DEV-0324, Sagrid, or TA543 has been observed abusing the Microsoft Teams messaging app to conduct phishing operations.
According to Microsoft, Storm-0324 is a financially motivated threat actor that operates as an initial access broker, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors.
Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures. The threat actor was previously seen distributing the JSSLoader malware, which facilitates access for Sangria Tempest (Clop, Elbrus, Carbon Spider, FIN7), a ransomware-as-a-service (RaaS) operation. Storm-0324 was also linked in the past to the distribution of the Gozi infostealer and the Nymaim downloader and locker.
The group’s most recent campaign, which has been ongoing since July this year, uses an open-source tool called TeamsPhisher to send messages with malicious attachments to organizations that allow Teams external communications.
“In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file,” Microsoft said in a report. “For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher.”
TeamsPhisher is a Python-based tool that fully automates the attack and allows an attacker to bypass Microsoft Teams’ file-sending restrictions in order to deliver malware from an external account.
A similar tactic was previously observed in attacks by APT29 (Midnight Blizzard), a threat actor linked to Russia’s Foreign Intelligence Service (SVR). However, Microsoft notes that Storm-0324’s activity is not related to the Midnight Blizzard social engineering campaigns over Teams.
The tech giant said it made a number of security improvements to thwart the threat and that it suspended identified accounts and tenants associated with inauthentic or fraudulent behavior.