- Attackers use compromised GMX Mail accounts to send fake Microsoft Teams invites with OAuth traps
- Victims who authorize the malicious Azure Web App grant access to email, files, and persistent account control
- Abnormal AI urges vigilance: verify senders, inspect links, and beware urgent meeting requests
Fraudsters are sending victims fake Microsoft Teams meeting invitations in a bid to steal ogin credentials and achieve persistent access across the Microsoft 365 ecosystem, experts have warned.
Cybersecurity experts from Abnormal AI said they recently observed the campaign in the wild. It starts with a compromised GMX Mail account. This is a free consumer email service from Germany which allows users to create up to ten sender addresses from a single account.
The compromised accounts are used to send fraudulent emails, pretending to come from an HR department of a company, which are designed to look like automated, notification emails, carrying the Teams branding.
Phishing for access
The usual themes are:
A large “Join the meeting now” call-to-action link
A Meeting ID and Passcode section
A fake “Organizer” section styled to mirror authentic Teams invites
If the victim takes the bait and clicks on the provided link, they will be redirected to a compromised Azure Web App that asks the visitor to make an OAuth authorization and grant permissions to the Microsoft account. The crooks tried to mask the fact that this is a web app by titling it “Please confirm attendance – meeting request”.
Granting this malicious web app access gives it permissions to sign in, read the profile, maintain access even after the password is changed, access emails and email data, send emails, steal files, and more.
The researchers believe GMX was chosen for this particular feature, since it allows the attackers to easily rotate identities without setting up new infrastructure, cutting down on time needed to prepare the attack.
Another reason why GMX might have been chosen is the fact that the messages successfully pass SPF, DKIM, and DMARC validation, and end up in people’s inboxes. For Abnormal, this is an “unusual level” of technical legitimacy.
The best way to defend against phishing is to simply think before you click – check the sender’s email address, hover over links to spot fishy redirects, and be wary of emails with a high sense of urgency.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/krBVBETP6cmxBcihGXQFy8-970-80.jpg
Source link
