Microsoft Teams Social Engineering: A Ransomware Attack Vector
The Recon SOC is seeing an uptick in ransomware groups successfully gaining initial access to environments by impersonating IT support staff and calling users directly over Microsoft Teams. This social engineering attack leverages the trust users place in familiar communication platforms to bypass traditional security controls.
The attack methodology is deceptively simple yet highly effective: attackers impersonate IT support staff and contact employees through unsolicited Microsoft Teams calls. Using generic display names like "IT Support", these cybercriminals create a sense of legitimacy while maintaining anonymity.
How the Attack Works
Once the attacker establishes contact, they send unsuspecting users a link to a fraudulent support website designed to harvest their credentials. They will also trick the victim into approving a multi-factor authentication prompt. The victim is typically told there is an urgent IT issue requiring their attention. The attacker may even have the user share their screen for "troubleshooting" so they can walk them through the process.
What users don't realize is that the attacker is simultaneously authenticating over the organization's VPN using the harvested credentials and MFA request. By the time the user completes the "support" process, the attacker has already gained authenticated access to the corporate network.
Prevention Strategies
User Training and Awareness
The most critical defense against these attacks is comprehensive user education. Organizations should implement regular security awareness training that specifically addresses:
- Recognition of social engineering tactics - Train users to be suspicious of unsolicited IT support calls, especially calls that include urgent requests for credentials or remote access. Users should understand that display names in Microsoft Teams can be spoofed, just as sender names can be in email.
- Verification procedures - Establish clear protocols for employees to verify legitimate IT support requests.
- Reporting mechanisms - Ensure users know how to quickly report suspicious contacts to the security team.
Microsoft Teams Administrative Controls
Microsoft provides built-in controls to help organizations prevent these attacks at the platform level. Administrators can configure Teams to block inbound calls from external, untrusted organizations across the entire tenant.
To configure external access controls in Microsoft Teams:
- Navigate to the Microsoft Teams Admin Center
- Go to Users > External access
- Configure "People in my organization can communicate with Teams users from:"
- Select "Only specific external domains" instead of "All external domains"
- Add only trusted partner domains to the allowed list
- Under "Teams and Skype for Business users in external organizations", ensure appropriate restrictions are enabled
- Consider disabling "Allow users in my organization to receive video calls from Skype users" if not needed
Additional Microsoft recommendations:
- Enable Safe Links and Safe Attachments in Microsoft Defender for Office 365
- Configure Conditional Access policies to require additional verification for external communications
- Implement App protection policies to prevent data sharing during screen sharing sessions
- Review and restrict Guest access settings appropriately
Detection and Threat Hunting
Leveraging Microsoft 365 Audit Logs
The good news for security teams is that detection is absolutely possible. Microsoft 365 audit logs provide comprehensive visibility into cross-organizational Teams communications, including:
- Attacker's domain information - Logs capture the external organization details
- Spoofed display names - The fake identity used by attackers is recorded
- Screen sharing activities - Logs show if users shared their screens with external parties
- Call duration and participants - Detailed communication metadata for investigation
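As an added example (not part of the original post or any Microsoft tooling), the following Python sketch applies the detection idea above to constructed audit-log records: flag calls from untrusted external tenants whose caller uses a generic IT-style display name, and raise severity when a screen share follows. The field names (ExternalOrgDomain, CallerDisplayName, ScreenShared) are assumptions standing in for whatever your tenant's audit export actually emits, not the real Microsoft 365 schema.

```python
import re

# Assumed allow-list of partner tenants and our own domain (constructed values).
TRUSTED_EXTERNAL_DOMAINS = {"partner.example"}
INTERNAL_DOMAIN = "corp.example"

# Display names that mimic an internal help desk; extend from your own incidents.
GENERIC_IT_NAME = re.compile(
    r"\b(it support|it department|help ?desk|service ?desk|tech(nical)? support)\b", re.I)

# Constructed sample records; field names are assumptions, not the M365 schema.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T09:02:11", "Operation": "CallStarted",
     "UserId": "alice@corp.example", "ExternalOrgDomain": "randomtenant.onmicrosoft.com",
     "CallerDisplayName": "IT Support", "ScreenShared": False},
    {"CreationTime": "2024-05-01T09:04:40", "Operation": "ScreenSharingStarted",
     "UserId": "alice@corp.example", "ExternalOrgDomain": "randomtenant.onmicrosoft.com",
     "CallerDisplayName": "IT Support", "ScreenShared": True},
    {"CreationTime": "2024-05-01T10:15:00", "Operation": "CallStarted",
     "UserId": "bob@corp.example", "ExternalOrgDomain": "partner.example",
     "CallerDisplayName": "Jane Doe", "ScreenShared": False},
    {"CreationTime": "2024-05-01T11:00:00", "Operation": "CallStarted",
     "UserId": "carol@corp.example", "ExternalOrgDomain": "corp.example",
     "CallerDisplayName": "Help Desk", "ScreenShared": False},
]


def flag_suspicious_teams_calls(records, trusted=TRUSTED_EXTERNAL_DOMAINS,
                                internal_domain=INTERNAL_DOMAIN):
    """Return one finding per (user, external domain) where an untrusted external
    caller used a generic IT-style display name. Severity is 'high' if any record
    for that pair shows the user sharing their screen."""
    findings = {}
    for r in records:
        domain = r["ExternalOrgDomain"].lower()
        if domain == internal_domain or domain in trusted:
            continue  # internal caller or allow-listed partner tenant
        if not GENERIC_IT_NAME.search(r["CallerDisplayName"]):
            continue  # external, but not posing as IT support
        key = (r["UserId"], domain)
        finding = findings.setdefault(key, {
            "user": r["UserId"], "external_domain": domain,
            "display_name": r["CallerDisplayName"],
            "first_seen": r["CreationTime"], "severity": "medium"})
        if r["ScreenShared"]:
            finding["severity"] = "high"  # screen share with an untrusted "IT Support"
    return list(findings.values())


if __name__ == "__main__":
    for f in flag_suspicious_teams_calls(SAMPLE_RECORDS):
        print(f)
```

Feed the function the Teams call and screen-sharing records exported from your audit log search (after mapping the field names), and review every finding against the user's own account of the call.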
CISA Resources for Implementation
The Cybersecurity and Infrastructure Security Agency (CISA) has published an excellent resource specifically addressing Microsoft 365 logging and threat hunting capabilities. Their implementation playbook provides detailed guidance on:
- Configuring expanded cloud logging
- Setting up effective log retention policies
- Building threat hunting queries for Teams-related attacks
- Integrating M365 logs with SIEM platforms
Essential Resource: Microsoft Expanded Cloud Logs Implementation Playbook