Microsoft Warns of New Phishing Campaign Leveraging Microsoft Teams

In a recent alert, Microsoft raised a red flag about a fresh phishing campaign orchestrated by an initial access broker, codenamed Storm-0324 (also known as TA543 and Sagrid). This campaign has adopted a novel approach, employing Microsoft Teams messages as bait to infiltrate corporate networks.

History of Storm-0324

The cybercriminal behind Storm-0324 has a history of deploying sophisticated attack sequences, often using invoice- and payment-themed decoy emails to trick users into downloading malicious files. To evade detection, the actor leverages traffic distribution systems like BlackTDS and Keitaro, allowing them to bypass security solutions and redirect victims to malicious download sites.

A Shift in Tactics and Using Microsoft Teams

Microsoft’s Threat Intelligence team has been closely monitoring Storm-0324’s activities. What sets this campaign apart is its departure from traditional email-based initial infection methods. Instead, since July 2023, the phishing lures in this campaign have received a makeover.

They are now sent via Microsoft Teams, with malicious links leading to a malevolent ZIP file hosted on SharePoint. To achieve this, the attacker utilizes an open-source tool named TeamsPhisher, exploiting a vulnerability first highlighted by JUMPSEC in June 2023.


Storm-0324 operates as a payload distributor, offering services that facilitate the propagation of various malicious payloads through evasive infection chains. This includes downloaders, banking trojans, ransomware, and modular toolkits like Nymaim, Gozi, TrickBot, and more.

Security Enhancements and Microsoft’s Remediation

This disclosure comes amidst a surge in ransomware attacks in 2023. Kaspersky recently detailed the tactics of the ransomware group known as Cuba, which employs a double extortion model to target global companies. The group exploits various vulnerabilities, including ProxyLogon, ProxyShell, ZeroLogon, and security flaws in Veeam Backup & Replication software.

Microsoft has taken steps to enhance security and mitigate the threat. The company has suspended accounts and tenants linked to suspicious behavior. Recognizing the handoff of access to other threat actors by Storm-0324, Microsoft emphasizes the importance of identifying and remediating its activity to prevent more devastating follow-on attacks, such as ransomware.

Cautionary Steps following Microsoft Teams attack

The increase in ransomware attacks underscores the need for robust cybersecurity practices. The U.K. National Cyber Security Centre (NCSC) and National Crime Agency (NCA) emphasized that most ransomware incidents result from opportunistic initial access and poor cyber hygiene, rather than sophisticated attack techniques.

In conclusion, the use of Microsoft Teams as a phishing lure in the Storm-0324 campaign highlights the evolving tactics of cybercriminals. Vigilance, security enhancements, and proactive measures are crucial to thwart such threats in an era of escalating cyberattacks.

For more news and updates on Cybersecurity, visit The Cybersecurity Club.

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *

Spyware Attack on Mobile Devices of Members of Civil Society

New Report Exposes Shocking Data Breach Cover-Ups in Companies

Using biometrics to fight back against rising synthetic identity fraud

New Evidence Unveils More Chinese Spy Balloons in the Sky