While it is a known fact that phishing, BEC, and collaboration-tool based attacks are becoming more and more prevalent, it is even more interesting to see all three trends within one attack.

In the attack described below, we see how the attacker combines common impersonation techniques with the fact that collaboration tools are being adopted across all enterprises.

Perception Point intercepted a Microsoft phishing attempt which was also concealed by spoofing, which is a BEC-oriented attack. The spoofed address and the cover email were related to Microsoft Teams, a workstream collaboration app from Microsoft.

The email was first sent from a fake customer address. The attacker changed the display name, hoping the victim will not identify the email as phishing.

When the end user clicks the “Reply in Teams” link, it connect him to a Microsoft phishing site.

Although the trigger is an MS Teams URL since Teams is part of the complete Office 365 suite a regular Microsoft phishing site is enough to mislead the user.

Perception Point detected this attack with two different engines. First, our BEC engines identified the attempt to spoof the domain name. Second, our image recognition engine detected the attempt to steal the credentials of the end-user.

Recommendations
(1) Remember that collaboration tools can be also leveraged against your organization. Educate users to remain just as vigilant when communicating within collaboration channels as they are with email.
(2) Make sure passwords are regularly changed.
(3) Implement prevention solutions to ensure the attack is stopped before it even gets in front of your employees.