Spear phishing
Today's newsletter is a recap of common or emerging trends observed in the phishing attack landscape for the year 2023. Let's start by addressing the elephant in the room: once again, the use of deceptive links to impersonate a legitimate company and steal users' information was the number one technique in phishing attacks, according to Cloudflare (Introducing Cloudflare's 2023 phishing threats report). This method was used in more than 35% of phishing emails. And it still works.
But what were the new methods used by attackers to convince users into clicking on those links?
QR code
QR codes are ubiquitous nowadays. We can find them everywhere, from the tables of our favorite restaurants, popularized during the pandemic as a reduced contact way to share the menu, to the walls of the cities we live in. In addition, an increasing number of legitimate companies use them too for various reasons.
Technically, these small barcode variants send a smartphone user to a remote resource in the blink of an eye. No need to launch your web browser and type the URL into the tiny address bar with frozen, numb fingers on an error-prone virtual keyboard in the cold winter wind: just scan the code with your camera and open the link.
But this easy-to-use method is also used by attackers to trick users. It even has its own name: Quishing. Speaking on behalf of the CSIRT team, we have recently seen an increase in phishing email reports containing a QR code.
This technique is particularly effective at hiding the malicious target link, which would otherwise be flagged as malicious and blocked by your email security gateway. In addition, because the link is opened on the user's smartphone instead of their workstation, it bypasses the company's internet access protection and stays undetected.
It is therefore important for users to apply the usual best practices for every email containing a QR code: if the email is coming from an untrusted source, never scan the QR code - you would never click on a URL link in an unsolicited email, right? Report the email to the dedicated team in your company if you have any doubt regarding the email’s legitimacy.
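The gateway evasion described above only works because the URL inside the QR image never goes through the checks that an ordinary hyperlink would. The following added example (not code from the newsletter) shows the kind of scrutiny a mail filter can apply once the QR payload has been decoded; it assumes a decoder such as pyzbar has already produced the payload string, and the shortener and brand lists are constructed, illustrative values rather than a real feed.

```python
"""Apply hyperlink-style scrutiny to a URL decoded from a QR code.

Added example, not code from the newsletter. It assumes that a QR decoder
(e.g. pyzbar, not used here) has already turned the image into the payload
string; the checks below mirror those an email gateway applies to ordinary
links, so a URL hidden in an image receives the same treatment.
"""
import ipaddress
import re
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Constructed, illustrative lists; a real deployment would use threat feeds.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}


def host_is_ip(host):
    """True when the host part is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude registrable-domain guess (last two labels).

    Good enough for the sample data; production code should use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_qr_payload(payload, sender_domain):
    """Return a list of findings for a decoded QR payload.

    An empty list means nothing suspicious was found; each finding is a
    short, human-readable reason the gateway would normally report for a
    hyperlink with the same properties.
    """
    findings = []
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", payload):
        # Wi-Fi configs, vCards, plain text: not a link at all.
        return ["payload is not a URL"]
    url = urlparse(payload)
    scheme = url.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return [f"unexpected scheme {scheme!r}"]
    host = url.hostname or ""
    if "@" in url.netloc:
        findings.append("userinfo before '@' can disguise the real host")
    if host_is_ip(host):
        findings.append("host is an IP literal")
        return findings  # the domain checks below do not apply
    domain = registrable(host)
    if domain in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    if domain != registrable(sender_domain):
        findings.append(f"link domain {domain} differs from sender domain "
                        f"{registrable(sender_domain)}")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and domain not in legit:
            findings.append(f"{brand!r} appears in the hostname but the "
                            f"domain is not one of {sorted(legit)}")
    return findings


if __name__ == "__main__":
    # Constructed sample: an email claiming to come from contoso.com
    for p in ("https://portal.contoso.com/docs",
              "https://microsoft.com-verify.example.net/login",
              "http://203.0.113.5/auth"):
        print(p, "->", assess_qr_payload(p, "contoso.com") or "no findings")
```

The important design point is that the decoded payload is fed into the same decision path as a normal link, so the only thing the QR image buys the attacker is a decoding step, not an exemption. Non-URL payloads (Wi-Fi profiles, vCards) are reported rather than silently allowed, because a filter that ignores what it cannot parse is exactly what quishing relies on.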
Teams messages
Teams is now hugely widespread in companies and is the go-to conferencing application, with more than 300 million monthly users in 2023 (Microsoft 2023 Annual Report). As such, it is an ideal entry point for attackers, and at the center of the Midnight Blizzard fairy tale:
Once upon a time, a villain dubbed Midnight Blizzard (How Microsoft names threat actors) decided to target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe. To do so, the villain had first compromised Microsoft 365 tenants of small companies and renamed the domains to stay undetected. These renamed domains were then used to obtain valid credentials. But some companies used MFA (Multi-Factor Authentication) to protect their users, specifically a form of MFA that requests the user to enter a code in their authenticator application whenever they want to log in.
So the villain had to think of a method to obtain the precious MFA code and came up with this idea: first, send a Teams message masquerading as a technical support or security team member to the well-protected user, asking them to accept a chat request. Because yes, it is possible nowadays to contact people from other organizations with Teams. Then, once the targeted user has accepted the request, the villain attempts to log in to the victim's account again and, upon being asked for the code, simply asks the victim via Teams to enter it themselves in the Microsoft Authenticator app on their phone. The villain now has access to the compromised user account even though it is protected by MFA.
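The sequence in this story leaves a trace a defender can correlate: an external Teams chat is accepted, and minutes later an MFA-satisfied sign-in arrives from a source the user has never used. The following added example (not code from the newsletter or from Microsoft) runs that correlation over a handful of constructed events; the field names are a simplified, hypothetical schema, so map them from your actual sign-in and Teams audit logs before reusing the logic.

```python
"""Correlate an external Teams chat acceptance with an MFA-satisfied sign-in.

Added example, not code from the newsletter or from Microsoft. The event
records are constructed and use a simplified, hypothetical field schema;
map them from your real sign-in and Teams audit logs before use.
"""
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamps, UTC assumed).
EVENTS = [
    {"ts": "2023-11-02T09:00:00", "user": "alice", "kind": "signin",
     "ip": "198.51.100.10", "mfa": "success"},
    {"ts": "2023-11-03T09:05:00", "user": "alice", "kind": "signin",
     "ip": "198.51.100.10", "mfa": "success"},
    # a "support" contact from another tenant is accepted...
    {"ts": "2023-11-04T14:10:00", "user": "alice",
     "kind": "teams_external_chat_accepted",
     "peer": "helpdesk@attacker-tenant.example"},
    # ...and four minutes later MFA is satisfied from an IP alice never used
    {"ts": "2023-11-04T14:14:00", "user": "alice", "kind": "signin",
     "ip": "203.0.113.77", "mfa": "success"},
    # new IP but no preceding external chat: not this pattern
    {"ts": "2023-11-04T16:00:00", "user": "bob", "kind": "signin",
     "ip": "203.0.113.80", "mfa": "success"},
]


def _t(event):
    """Parse the event timestamp."""
    return datetime.fromisoformat(event["ts"])


def detect_teams_assisted_mfa(events, window_minutes=30):
    """Return alerts for MFA-satisfied sign-ins from an IP the user has never
    used before, occurring within `window_minutes` after the same user
    accepted an external Teams chat."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=_t)
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "signin" or ev.get("mfa") != "success":
            continue
        now = _t(ev)
        earlier = [x for x in events[:i] if x["user"] == ev["user"]]
        # Baseline: IPs seen before the window opened, so the attacker's own
        # attempts inside the window cannot "teach" the baseline.
        known_ips = {x["ip"] for x in earlier
                     if x["kind"] == "signin" and _t(x) < now - window}
        if ev["ip"] in known_ips:
            continue
        chats = [x for x in earlier
                 if x["kind"] == "teams_external_chat_accepted"
                 and now - _t(x) <= window]
        if chats:
            alerts.append({"user": ev["user"], "ts": ev["ts"], "ip": ev["ip"],
                           "peer": chats[-1]["peer"]})
    return alerts


if __name__ == "__main__":
    for a in detect_teams_assisted_mfa(EVENTS):
        print(f"[ALERT] {a['user']}: MFA sign-in from new IP {a['ip']} at "
              f"{a['ts']}, {a['peer']} accepted as external Teams contact "
              f"shortly before")
```

The baseline deliberately excludes sign-ins inside the correlation window, otherwise the attacker's first failed or pending attempt would make their IP "known" by the time the victim types in the code. A new IP on its own (bob) is ordinary travel or a new network; it is the combination with the freshly accepted external contact that makes the event worth an analyst's time.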
Another technique, this time used by Storm-0324 (Malware distributor Storm-0324 facilitates ransomware access | Microsoft Security Blog), consists of sending a Teams message to the victim using TeamsPhisher, a tool that permits attaching a document to messages sent to external tenants. This was used to send a malicious SharePoint-hosted file with the goal of stealing the victim's credentials.
Undoubtedly, attackers will find new ways to leverage Teams for malicious purposes in the near future.
Conclusion
As always, you should be extra cautious with links coming from an unknown or untrusted source; this remains true for QR codes and Teams chat invitations.
But remember, if you need help on an incident, scan the following QR code to reach us and our Computer Security Incident Response Team (it's safe, pinky promise!).
