In the following incident, it is very interesting to see how significantly the attackers have improved their messaging and framework to try to trick end users. In the design alone, there are several aspects worth pointing out that are used to lure the end user down the path set by the attacker:

  1. Display name spoofing: The attacker has made the Display Name appear to come from the employee's local Microsoft Teams.
  2. Embedded design: The attacker has embedded an image very similar to the official Microsoft Teams invitation page.
  3. Personalization: The attacker has included the end user's email address in the invitation itself.
  4. The text/content: Made to look as if the “Admin” of the organization is sending the invite.

As can be seen in the screenshot below, the link that is embedded within the “Accept Collaboration” button leads to a malicious site.

Screenshot of original email

How Perception Point Prevented the Attack.

Perception Point intercepted this attempt using two different engines, both of which are part of our anti-phishing engine stack:

  • Image Recognition: Advanced algorithms scanned the email and URL to detect the use of the MS Teams assets for malicious purposes.
  • Display-name spoofing: An engine that checks the metadata of the email to detect if the domain displayed is legitimate or not.

Screenshot of how the email was handled by our system
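
A display-name check of the kind described above, as an added example that is not Perception Point's engine or code from the original post: it compares the brand claimed in the From display name with the domain that actually sent the message. The brand-to-domain allowlist and the LEGIT and LOOKALIKE messages are constructed assumptions; the SPOOFED sender is the one listed in this post's IOCs.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: protected brand names and the domains allowed to send as them.
# A real deployment would load this from the organisation's own mail policy.
PROTECTED_BRANDS = {"microsoft teams": {"microsoft.com"}}

def domain_matches(domain, allowed):
    """True if domain is an allowed domain or a true subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def check_display_name(raw_message):
    """Return (verdict, detail) for the From header of an RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return "malformed", "no usable address in From header"
    # Only the part after the last '@' is the sending domain; brand-like
    # tokens in the local part carry no authority.
    domain = addr.rsplit("@", 1)[1]
    name = " ".join(display.lower().split())  # normalise case and whitespace
    for brand, allowed in PROTECTED_BRANDS.items():
        if brand in name and not domain_matches(domain, allowed):
            return "spoofed", f"display name claims '{brand}' but domain is {domain}"
    return "ok", domain

# Sender taken from the IOCs in this post; subject and body are constructed.
SPOOFED = (
    'From: "Microsoft Teams" <no-reply-exchangelab-apcprd01.documentation'
    '.protection.ocbc@uniguegroup.com>\n'
    "Subject: constructed sample\n\nbody\n"
)
# Constructed: a sender under the assumed legitimate domain.
LEGIT = ("From: Microsoft Teams <noreply@email.teams.microsoft.com>\n"
         "Subject: constructed sample\n\nbody\n")
# Constructed: the brand domain used as a prefix of an unrelated domain.
LOOKALIKE = ('From: "Microsoft  Teams" <noreply@microsoft.com.example.net>\n'
             "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT),
                       ("lookalike", LOOKALIKE)):
        print(label, check_display_name(raw))
```

The suffix comparison requires a leading dot, so a domain that merely begins with the brand's domain is still flagged.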

IOCs.

  • Sender: “Microsoft Teams” <no-reply-exchangelab-apcprd01.documentation.protection.ocbc@uniguegroup.com>
  • IP: 192.236.161.148
  • Malicious URL: https[:]//sites[.]google[.]com/view/ueeueecs/home