Kevin Mitnick — founder of Mitnick Security and KnowBe4’s Chief Hacking Officer — helps organizations find and remediate vulnerabilities through penetration testing to avoid cybersecurity incidents. However, that isn’t the whole story.
Kevin is also a social engineering expert who uses his knowledge and experience to teach businesses how to defend themselves when threat actors target employees as easy access points.
Microsoft Teams is one of the most used cloud-based collaboration tools, and has gained popularity in the workplace. It is far more than a messaging app; inside Teams, you can collaborate and communicate in real time as well as share files and apps. Recently, a new trend has emerged in which threat actors see Teams as a perfect vulnerability into your organization through the use of social engineering.
Although social engineering can take many forms, today, we’ll focus on how Microsoft Teams can be used by a threat actor to steal employee information and credentials, as well as how KnowBe4's Kevin Mitnick security awareness training can help your organization be prepared no matter what.
What Is a Phishing Attack?
Social engineering is when a threat actor tricks an individual into performing an action or providing information that the threat actor wants. In many cases, social engineering attacks take the form of phishing.
A phishing attack, often automated through the use of bots, is traditionally defined as when a threat actor sends an email that seems to be from a reputable and trusted source. In these phishing emails, the threat actor claims that the receiver of the email must perform an action, such as verifying an account, resetting a password, or more.
Often, the threat actor will use scare tactics — such as saying the victim’s social account will be removed if not “updated” — in order to get the information needed from their target. A threat actor can then use stolen information to compromise accounts and gain unauthorized access to their victim’s organization.
Microsoft Teams Attack: An Interesting Approach
This unique phishing technique doesn’t target victims through email at all. Instead, a threat actor creates a Microsoft Teams account using an email and User ID similar to what the victim might expect. Without a User Admin changing the settings, users with outside domain names can send messages to employees who have a different domain.
For example, a Lenovo employee named Mark Smith may be at a domain that uses Lenovo, such as Mark@lenovonews.com. The threat actor could use Lenovo Help Desk as their Microsoft Teams name, and helpdesk@lenovo.us.org as their domain. Even though it’s a completely different domain, it doesn’t matter. The threat actor can still launch the attack. Using a token hacking tool, the threat actor would enter the target’s domain and get a token code that the victim will think is a registration key.
Lack of User Awareness Training Is a Vulnerability
When the threat actor sends a message to Mark pretending to be a Lenovo Helpdesk automated message, it is unlikely that Mark will recognize the signs of a social engineering attack — similar to what actually happened to Uber. This is partly due to the fact that Mark, like most employees, has probably had no user awareness training. He may not even know that social engineering is a real threat.
Additionally, the threat actor would likely use a pretexting template to send Mark a very believable message prompting him to use the fake registration key. An untrained eye like Mark’s wouldn’t notice that this message is coming from an external source, even though it would say so directly in the Microsoft Teams platform.
The Pretexting Template To Fool the Target
The message Mark would receive is created using a template that says something like:
Dear Mark,
Lenovo has identified a critical issue with Microsoft Office that may result in your data loss. As a result, the Help Desk has configured a new registration key that needs to be configured for your device.
Please click https://microsoft.com/devicelogin, enter your new registration key, #### and click OK. Next, click on your name in the “Pick an Account” dialogue box. Next, click on Continue when prompted to sign in.
If you have questions or issues, please call the Help Desk at ###-###-####.
Thank you,
Lenovo Help Desk Support
This is a powerfully influential tactic because, as Kevin likes to say, “People will do more to avoid a loss than to realize a gain.”
The message offers a solution to rescue Mark, giving him a new “registration key” that needs to be configured for his device. The link in the message for Mark to click is a URL from Microsoft.com, which looks completely legitimate.
Kevin Mitnick Security Awareness Training helps employees to look for red flags — such as the “external” source message and the suspiciously different “lenovo.us.org” domain name in this example — so that your organization is less likely to fall prey to malicious attacks. If Mark were trained, he would not click the link, and he’d report the suspicious activity to his supervisor. Unfortunately in this scenario, Mark clicks the link.
Access Granted: The Environment Is Compromised
Once Mark clicks the link, he’ll follow the prompts and enter the code that Mark thinks is the registration key. Once this key is entered, it’s game over. The victim authorized the code. That means the threat actor could execute Microsoft APIs and infiltrate all the users in the environment.
Taking the Attack a Step Further
With access to Mark’s Microsoft 365 account, the threat actor has access to all Microsoft components, including Mark’s emails. The threat actor may be able to find private data, information to use in later attacks on Lenovo, and more. Additionally, other tools could be used to export all data from Mark’s account. This data would then be imported into another tool such as Bloodhound to run specific queries like an analysis of all the domain administrators. Ultimately, the threat actor would be able to identify something more important than typical user data — the global administrators in this environment.
These global administrators can then be targeted through Microsoft Teams or a more traditional phishing email in order to potentially gain access to the organization’s internal systems and data, without using brute-force hacking techniques at all.
Why Is Security Awareness Training Important?
The typical mitigation strategies simply don't work for an attack through Microsoft Teams. Proofpoint and Mimecast, although typically used as mitigation tools for phishing attacks, are designed to be used for email-based phishing scams — not for other platforms.
Since there is no way to physically safeguard against many types of social engineering tactics, it’s crucial to utilize user awareness training to help prevent phishing attacks that could compromise your entire organization.
Learn how to avoid future attacks with KnowBe4's Kevin Mitnick Security Awareness Training.
