"Microsoft Teams Phishing: Enterprises Targeted by Ransomware Access Broker"
A threat actor known for providing ransomware groups with initial access to enterprise systems has used Microsoft Teams to phish employees. According to Microsoft threat researchers, Storm-0324 likely relies on the publicly available TeamsPhisher tool for this activity. Storm-0324 is a temporary name designated by Microsoft to this threat actor, suggesting that the company is still not highly confident about the origin or identity of the actor behind the operation. So far, it is known that Storm-0324 has been around for more than eight years and has previously used exploit kits and email-based vectors to deliver various malware payloads, including banking trojans, information-stealing malware, ransomware, and more. Microsoft reports that Storm-0324 began using phishing lures sent over Teams with malicious links, leading to a malicious SharePoint-hosted file in July 2023. However, they do not specify what malicious payload the file contained. They also noted that this particular phishing campaign is unrelated to a similar one conducted by a Russian Advanced Persistent Threat (APT) group. This article continues to discuss the threat actor phishing employees via Microsoft Teams.