- Attackers use compromised GMX Mail accounts to send fake Microsoft Teams invites with OAuth traps
- Victims who authorize the malicious Azure Web App grant access to email, files, and persistent account control
- Abnormal AI urges vigilance: verify senders, inspect links, and beware urgent meeting requests
Fraudsters are sending victims fake Microsoft Teams meeting invitations in a bid to steal login credentials and achieve persistent access across the Microsoft 365 ecosystem, experts have warned.
Cybersecurity experts from Abnormal AI said they recently observed the campaign in the wild. It starts with a compromised GMX Mail account. This is a free consumer email service from Germany which allows users to create up to ten sender addresses from a single account.
The compromised accounts are used to send fraudulent emails that pretend to come from a company's HR department and are designed to look like automated notification emails carrying Teams branding.
Phishing for access
The usual themes are:
- A large “Join the meeting now” call-to-action link
- A Meeting ID and Passcode section
- A fake “Organizer” section styled to mirror authentic Teams invites
If the victim takes the bait and clicks on the provided link, they will be redirected to a compromised Azure Web App that asks the visitor to complete an OAuth authorization and grant permissions to their Microsoft account. The crooks tried to mask the fact that this is a web app by titling it “Please confirm attendance - meeting request”.
Granting this malicious web app access gives it permissions to sign in, read the profile, maintain access even after the password is changed, access emails and email data, send emails, steal files, and more.
The researchers believe GMX was chosen because its support for multiple sender addresses on a single account allows the attackers to easily rotate identities without setting up new infrastructure, cutting down on the time needed to prepare the attack.
Another reason why GMX might have been chosen is the fact that the messages successfully pass SPF, DKIM, and DMARC validation, and end up in people’s inboxes. For Abnormal, this is an “unusual level” of technical legitimacy.
The best way to defend against phishing is to simply think before you click - check the sender’s email address, hover over links to spot fishy redirects, and be wary of emails with a high sense of urgency.
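For administrators, the consent described above leaves a record that can be audited. The following is an added example, not code from the article or from Abnormal AI: it scores records shaped like Microsoft Graph `oauth2PermissionGrant` objects for the combination of persistent, mailbox and file access the article lists. The mapping from the article's permission list to these scope names is an assumption, and all sample records and ids are constructed.

```python
# Added example (not from the article): flag OAuth delegated-permission grants
# that match the access this campaign asks victims to approve.
# Assumption: the article's permission list maps to these Microsoft Graph scopes.
PERSIST = {"offline_access"}  # refresh tokens keep working after a password change
MAIL = {"mail.read", "mail.readwrite", "mail.send"}
FILES = {"files.read", "files.read.all", "files.readwrite", "files.readwrite.all"}
RANK = {"high": 0, "medium": 1}

def assess_grant(grant, approved_clients=frozenset()):
    """Score one record shaped like a Graph oauth2PermissionGrant."""
    if grant.get("clientId") in approved_clients:
        return "ok", []
    scopes = {s.lower() for s in (grant.get("scope") or "").split()}
    reasons = []
    if scopes & MAIL:
        reasons.append("mailbox: " + ", ".join(sorted(scopes & MAIL)))
    if scopes & FILES:
        reasons.append("files: " + ", ".join(sorted(scopes & FILES)))
    if not reasons:
        return "low", []  # sign-in/profile only, no data access
    if scopes & PERSIST:
        reasons.append("offline_access: survives password change")
        severity = "high"
    else:
        severity = "medium"
    if grant.get("consentType") == "Principal":
        reasons.append("consent recorded for a single user")
    return severity, reasons

def triage(grants, approved_clients=frozenset()):
    """Return flagged grants, most severe first."""
    flagged = []
    for g in grants:
        severity, reasons = assess_grant(g, approved_clients)
        if severity in RANK:
            flagged.append((severity, g.get("clientId"), g.get("principalId"), reasons))
    return sorted(flagged, key=lambda f: RANK[f[0]])

# Constructed sample records; every id below is a placeholder.
SAMPLE_GRANTS = [
    {"clientId": "sp-approved-0001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "offline_access Mail.Read"},
    {"clientId": "sp-unknown-0002", "consentType": "Principal", "principalId": "user-0007",
     "scope": "openid profile User.Read offline_access Mail.Read Mail.Send Files.Read.All"},
    {"clientId": "sp-unknown-0003", "consentType": "Principal", "principalId": "user-0009",
     "scope": "openid profile User.Read"},
    {"clientId": "sp-unknown-0004", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.Read"},
]
```

A grant flagged as high has to be revoked on the tenant side, since a password reset alone does not end the app's access.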
