Fraud Management & Cybercrime , ID Fraud , Social Engineering

Phishing Campaign Mimics Microsoft Teams Alerts

Researchers: Fraudsters Target Office 365 Users to Harvest Credentials
Phishing Campaign Mimics Microsoft Teams Alerts
Fake Microsoft Office 365 landing page that is part of ongoing phishing campaign (Source: Abnormal Security)

Researchers at Abnormal Security have uncovered a phishing campaign that mimics the automated messages of the popular business communication platform Microsoft Teams in an attempt to harvest user’s Office 365 login credentials.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The use of Microsoft Teams has grown rapidly during the COVID-19 pandemic and shift to remote work, making it an attractive target for fraudsters.

"Teams users generated more than 5 billion meeting minutes in a single day … 69 organizations now have more than 100,000 users of Teams, and over 1,800 organizations have more than 10,000 users of Teams," Microsoft CEO Satya Nadella, said during the company's fourth-quarter financial earnings call in June.

The ongoing phishing campaign is believed to have targeted 15,000 to 50,000 Office 365 users so far, according to the Abnormal Security report.

"Because Microsoft Teams is an instant messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification," the Abnormal Security researchers note.


The phishing emails are sent using the display name: "There’s new activity in Teams" to make it look like an automated notification from the messaging platform. The fake message is designed to convince the potential victim that a member of their Team's community is trying to get in contact with them.

The reply option called "Reply In Teams" leads the victim to a fake Microsoft login page where user credentials are harvested, allowing the fraudsters to access to the account and gather more information, according to report.

"The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing 'Microsftteams,' lending further credence," the Abnormal Security researchers note.

Other Attacks

A similar phishing campaign discovered in May spoofed notification from Microsoft Teams to harvest credentials (see: Latest Phishing Campaign Spoofs Microsoft Teams Messages).

Other security analysts have noticed similar campaigns targeting at-home workers who are increasingly reliant on cloud-based services such as Zoom, Teams and Office 365.

In April, the U.S. Cybersecurity and Infrastructure Security Agency published an alert urging organizations to secure cloud-based collaboration services.

Other researchers have found vulnerabilities in Teams itself. Microsoft pushed out a patch in April for a bug that could allow an attacker to take over an organization's accounts through the use of a weaponized GIF image (see:Microsoft Patches Teams Vulnerability).

About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.