Ransomware groups are using a new tactic to gain access to corporate networks: phishing Microsoft Teams users. A security researcher has discovered a phishing campaign that targets Microsoft Teams accounts and steals them for sale on the dark web.

The phishing campaign was spotted by Truesec researcher Cedric Pernet, who shared his findings with BleepingComputer. According to Pernet, the campaign uses compromised Microsoft 365 accounts to send messages to other Teams users, pretending to be from the human resources department. The messages contain a ZIP file attachment with a name like “changes to the vacation schedule.zip”, which supposedly contains important information for the recipients.

However, the ZIP file is actually a malicious executable that, when opened, installs a backdoor on the victim’s computer. The backdoor then connects to a command and control server and sends information about the victim’s system, such as the username, domain name, IP address, and Microsoft Teams credentials. The attacker can then use the stolen credentials to access the victim’s Teams account and send more phishing messages to other users.
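As a defensive illustration of the lure described above (an added example, not code from Pernet or BleepingComputer), the following triage check flags a chat attachment that is named `.zip` but is really a Windows executable, or an archive that carries one. The function names, finding labels and extension list are assumptions, and the sample inputs are constructed.

```python
import io
import os
import zipfile

# Assumed list of extensions Windows will run directly; tune for your environment.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
             ".js", ".vbs", ".lnk", ".msi", ".hta"}


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing was flagged."""
    claims_zip = name.lower().endswith(".zip")
    # Case 1: named .zip but begins with the DOS/PE "MZ" magic (also catches self-extractors).
    if claims_zip and data[:2] == b"MZ":
        return ["zip-extension-but-pe-header"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["zip-extension-but-not-an-archive"] if claims_zip else []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in EXEC_EXTS:
                # Case 2: a real archive carrying a directly runnable file.
                findings.append(f"executable-member:{info.filename}")
            elif info.flag_bits & 0x1:
                # Case 3: password-protected member, contents cannot be inspected here.
                findings.append(f"encrypted-member:{info.filename}")
            else:
                # Case 4: harmless-looking extension, but the content is a PE image.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append(f"pe-content-under-other-extension:{info.filename}")
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory ZIP for demonstration (no real malware involved)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    lure = "changes to the vacation schedule.zip"  # file name quoted in the article
    print(triage_attachment(lure, b"MZ" + b"\x00" * 64))
    print(triage_attachment(lure, build_sample_zip({"schedule.pdf.exe": b"MZ" + b"\x00" * 64})))
```

A check like this belongs in a mail or chat gateway or an endpoint triage script; it looks only at names and leading bytes, so it complements endpoint protection rather than replacing it.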

Pernet told BleepingComputer that he found several Microsoft Teams accounts for sale on a dark web forum, ranging from $100 to $1,500, depending on the size and revenue of the company. The seller claimed to have access to over 50,000 Teams accounts from various industries, such as healthcare, education, finance, and manufacturing. The seller also offered to provide screenshots of the Teams chats as proof of access.

The stolen Teams accounts are likely to be purchased by ransomware groups, who use them as an initial entry point to launch their attacks. Ransomware groups often rely on initial access brokers (IABs), who specialize in breaching corporate networks and selling the access to other cybercriminals. IABs use various methods to gain access, such as exploiting vulnerabilities, brute-forcing passwords, or phishing employees. By buying access from IABs, ransomware groups can save time and resources and focus on encrypting the data and extorting the victims.

Microsoft Teams is a popular collaboration platform that is used by millions of users worldwide, especially during the COVID-19 pandemic. As such, it is also an attractive target for cybercriminals who want to exploit its large user base and the trust that users have in the platform. Microsoft Teams users should be wary of any unsolicited messages or attachments that they receive, and verify the sender’s identity and the content’s legitimacy before opening them. They should also use strong and unique passwords for their Teams accounts, and enable multi-factor authentication (MFA) to prevent unauthorized access.

This phishing campaign is a serious threat that could lead to devastating ransomware attacks. Ransomware groups are constantly looking for new ways to infiltrate corporate networks and cause maximum damage. Phishing Microsoft Teams users is a clever and effective way to do so, as it exploits the human factor and the trust that users have in the platform. Companies should educate their employees about the risks of phishing and how to spot and report suspicious messages. They should also implement security measures such as MFA, endpoint protection, network segmentation, and backup solutions to protect their data and systems from ransomware attacks.