Microsoft Teams Abused in 9 Sneaky Helpdesk Impersonation Tactics

The rise of remote work has brought a new wave of collaboration tools, and Microsoft Teams is one of the most widely used. With that reliance, threat actors have found new ways to exploit these tools; Microsoft has warned of threat actors abusing external Microsoft Teams collaboration, that is, contact that reaches employees from outside their own organization. One of the most insidious tactics is impersonation, where attackers pose as IT staff to gain access to sensitive systems and data.


The Nine Sneaky Helpdesk Impersonation Tactics

Microsoft has identified nine different tactics used by threat actors to impersonate IT staff and gain access to sensitive information. These tactics include:

1. Posing as IT Staff

Threat actors often pose as IT staff to gain access to sensitive information. They may claim that they need to perform a security update or address an account issue, and ask the user to grant them remote access. This tactic is particularly effective because it exploits the trust that employees have in their IT department.

Example:

Imagine an employee receives a message from someone claiming to be a member of the IT department. The message reads: “Hi, I’m John from the IT department. I need to perform a security update on your machine. Can you please grant me remote access?” The employee, trusting the message, grants the hacker remote access, allowing them to gain access to sensitive information.

2. Using Legitimate Tools for Access and Lateral Movement

Threat actors often use legitimate tools to gain access to sensitive information. They may use commercial remote management software, such as Quick Assist, or the Rclone utility to transfer files to an external cloud storage service. This tactic is particularly effective because it exploits the trust that employees have in legitimate tools.

Example:

Imagine an employee receives a message from someone claiming to be a member of the IT department. The message reads: “Hi, I’m John from the IT department. I need to perform a security update on your machine. Can you please use Quick Assist to grant me remote access?” The employee, trusting the message, uses Quick Assist to grant the hacker remote access, allowing them to gain access to sensitive information.

3. Abusing Windows Remote Management (WinRM)

Threat actors often abuse Windows Remote Management (WinRM) to move laterally across the network. They may use WinRM to target domain-joined systems and high-value assets such as domain controllers. This tactic is particularly effective because WinRM is a built-in administrative tool, so its use looks like routine administration rather than an intrusion.

Example:

Imagine the employee from the previous example has already granted the attacker a remote session. From that workstation, the attacker uses WinRM to run commands on other domain-joined systems, working toward high-value assets such as domain controllers. Because WinRM sessions are a normal part of Windows administration, the activity does not stand out from what real IT staff do.

4. Dropping Malicious Payloads

Threat actors often drop malicious payloads in user-writable locations such as ProgramData. They may use a trusted, signed application (e.g., Autodesk, Adobe Acrobat/Reader, Windows Error Reporting, data loss prevention software) to execute the malicious code through DLL side-loading. This tactic is particularly effective because it exploits the trust that employees have in legitimate tools.

Example:

Imagine that during the remote session the attacker creates a folder under ProgramData and places two files in it: a copy of a trusted, signed application (for example an Adobe Acrobat/Reader component) and a malicious DLL with the name of a library that application expects to load. When the signed application runs, it loads the attacker's DLL from the same folder (DLL side-loading), so the malicious code executes inside a process that carries a valid vendor signature.

5. Using HTTPS-Based Communication

Threat actors often use HTTPS-based communication to blend in with normal outbound traffic. The malicious code running inside a trusted, signed application (e.g., Autodesk, Adobe Acrobat/Reader, Windows Error Reporting, data loss prevention software) communicates with the command-and-control (C2) server over HTTPS. This tactic is particularly effective because encrypted web traffic from a signed process looks like ordinary application activity.

Example:

Imagine the side-loaded code inside the signed Adobe Acrobat process opening an HTTPS connection to the attacker's C2 server. To a network monitor, this is a reputable application talking to a web server over port 443, indistinguishable at a glance from an update check or a document service, so the attacker can send commands and receive results without raising an alert.

6. Establishing Persistence

Threat actors often establish persistence by modifying the Windows Registry. The malicious code running inside a trusted, signed application (e.g., Autodesk, Adobe Acrobat/Reader, Windows Error Reporting, data loss prevention software) adds registry entries that cause the same side-loaded application to start again after a reboot. This tactic is particularly effective because the startup entry points at a legitimately signed program.

Example:

Imagine the attacker adding a registry entry that launches the copied Windows Error Reporting executable from the ProgramData folder at startup. Each time the machine restarts, the signed executable runs, loads the malicious DLL beside it, and reconnects to the C2 server, so the attacker keeps access without having to trick the employee again.

7. Collecting and Exfiltrating Sensitive Data

Threat actors often collect and exfiltrate sensitive data using Rclone or similar tools. Operating from the trusted, signed application they have side-loaded (e.g., Autodesk, Adobe Acrobat/Reader, Windows Error Reporting, data loss prevention software), they gather files and use Rclone to copy them to external cloud storage. This tactic is particularly effective because Rclone is a legitimate synchronization utility and the upload resembles routine cloud backup.

Example:

Imagine the attacker staging the employee's documents into a folder and running Rclone to copy that folder to a cloud storage account they control. The transfer goes out over HTTPS to a well-known cloud provider, so the exfiltration looks like an ordinary sync job rather than a theft of data.

8. Using Multiple Personas to Trick Multiple Employees

Threat actors often use multiple personas to trick multiple employees. They may create multiple identities and use them to contact different employees, tricking them into granting remote access. This tactic is particularly effective because it exploits the trust that employees have in their IT department.

Example:

Imagine one employee receiving a message from "John from the IT department" asking for remote access, while at the same time a colleague in another team receives a similar request from a second persona posing as a different helpdesk technician. Each employee sees only one plausible request, so neither notices the pattern, and the attacker gains access through whichever one agrees.


9. Blending in with Normal Operations

Threat actors often blend in with normal operations to avoid detection. They may use legitimate tools and applications to move laterally across the network, targeting domain-joined systems and high-value assets such as domain controllers. This tactic is particularly effective because it exploits the trust that employees have in legitimate tools.

Example:

Imagine the whole chain viewed from the security team's console: a Quick Assist session, some WinRM activity, a signed Adobe or Windows Error Reporting process making HTTPS connections, a registry change, and an Rclone upload. Each step used a built-in or commercially signed tool, so no single event looks malicious on its own, and the attacker moves through the network while appearing to be a normal administrator.
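Tactics 2 through 9 each leave endpoint telemetry that a defender can correlate, which is the counter to "blending in". The script below is an added example, not code from the article or from Microsoft: it runs a small set of rules over constructed, Sysmon-style process, image-load, registry and network records and reports one finding per matching event. The executable names (QuickAssist.exe, AcroRd32.exe, WerFault.exe, wsmprovhost.exe, rclone.exe), the file paths, the Run key and the list of accounts permitted to use WinRM are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample telemetry (Sysmon-like key=value lines, not real logs).
# Paths and account names are assumptions for this example.
SAMPLE_EVENTS = r"""
host=WS-ACCT-07 type=process image=C:\Windows\System32\QuickAssist.exe parent=C:\Windows\explorer.exe user=alice
host=WS-ACCT-07 type=imageload image=C:\ProgramData\AdobeUpdate\AcroRd32.exe loaded=C:\ProgramData\AdobeUpdate\version.dll signed=true
host=WS-ACCT-07 type=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=AdobeUpdate data=C:\ProgramData\AdobeUpdate\AcroRd32.exe
host=WS-ACCT-07 type=network image=C:\ProgramData\AdobeUpdate\AcroRd32.exe dest=203.0.113.10:443
host=WS-ACCT-07 type=process image=C:\ProgramData\tools\rclone.exe cmdline="rclone copy C:\Users\alice\Documents remote:backup" user=alice
host=DC-01 type=process image=C:\Windows\System32\wsmprovhost.exe parent=C:\Windows\System32\svchost.exe user=alice
host=JUMP-01 type=process image=C:\Windows\System32\wsmprovhost.exe parent=C:\Windows\System32\svchost.exe user=svc_admin
"""

# Assumed: signed vendor binaries the article names as side-loading hosts,
# accounts allowed to open WinRM sessions, and user-writable path prefixes.
SIGNED_HOST_APPS = {"acrord32.exe", "acrobat.exe", "werfault.exe"}
WINRM_ALLOWED_USERS = {"svc_admin"}
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return (rule, detail) if the event matches a rule, else None."""
    kind = ev.get("type")
    image = ev.get("image", "")
    name = basename(image)
    if kind == "process" and name == "quickassist.exe":
        return ("remote-assistance-session", "Quick Assist launched; confirm a helpdesk ticket exists")
    if kind == "imageload" and name in SIGNED_HOST_APPS and ev.get("loaded", "").lower().startswith(USER_WRITABLE):
        return ("dll-sideload", f"{name} loaded {ev['loaded']} from a user-writable path")
    if kind == "registry" and "\\run" in ev.get("key", "").lower() and ev.get("data", "").lower().startswith(USER_WRITABLE):
        return ("registry-persistence", f"startup entry {ev.get('value')} points at {ev['data']}")
    if kind == "network" and image.lower().startswith(USER_WRITABLE) and ev.get("dest", "").endswith(":443"):
        return ("https-from-user-writable-binary", f"{image} opened HTTPS to {ev['dest']}")
    if kind == "process" and name == "rclone.exe":
        return ("cloud-sync-tool", f"rclone run by {ev.get('user')}: {ev.get('cmdline', '')}")
    if kind == "process" and name == "wsmprovhost.exe" and ev.get("user") not in WINRM_ALLOWED_USERS:
        return ("winrm-session-unexpected-user", f"WinRM host process for {ev.get('user')} on {ev.get('host')}")
    return None


def triage(raw):
    """Run every rule over every non-empty line; return a list of findings."""
    findings = []
    for line in raw.strip().splitlines():
        ev = parse_event(line)
        hit = evaluate(ev)
        if hit:
            findings.append({"host": ev.get("host"), "rule": hit[0], "detail": hit[1]})
    return findings


def hosts_by_count(findings):
    """Hosts ranked by number of findings; a chain on one host is the signal."""
    return dict(Counter(f["host"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']:<10} {f['rule']:<34} {f['detail']}")
    print(hosts_by_count(triage(SAMPLE_EVENTS)))
```

Individually, a Quick Assist launch or an Rclone run may be benign; the value is in `hosts_by_count`, which shows five different rules firing on the same workstation within the same record set, followed by a WinRM session on a domain controller under an ordinary user account.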

Protecting Yourself from Microsoft Teams Impersonation Tactics

To protect yourself from Microsoft Teams impersonation tactics, it is essential to be aware of the tactics used by threat actors. Here are some steps you can take to protect yourself:

1. Treat External Teams Contacts as Untrusted

Treat external Teams contacts as untrusted by default. This means that you should not grant remote access to anyone who is not a member of your organization.

2. Restrict or Monitor Remote Assistance Tools

Restrict or monitor remote assistance tools such as Quick Assist and WinRM. Blocking them where they are not needed, and alerting on their use where they are, takes away the easiest path an impersonator has to a remote session.

3. Limit WinRM Usage

Limit WinRM usage to controlled systems, such as designated administrative hosts and accounts. A WinRM session from an ordinary workstation or user account then becomes a clear sign of lateral movement rather than routine administration.

4. Monitor Outbound HTTPS from Unexpected Processes

Because attackers use HTTPS to blend in with normal outbound traffic, do not rely on the protocol alone. Watch for signed applications running from user-writable locations such as ProgramData that open outbound HTTPS connections, and for trusted applications talking to destinations they have no business with.

5. Audit Registry Persistence Locations

Because attackers establish persistence by modifying the Windows Registry, review startup-related registry entries regularly and alert on new entries that launch programs from user-writable folders. A signed vendor executable starting from ProgramData is a strong indicator of DLL side-loading persistence.

6. Detect Unauthorized Data Transfer Tools

Because attackers collect and exfiltrate data with Rclone or similar tools, restrict such utilities to approved systems and alert on their execution elsewhere, together with large uploads to cloud storage services that the organization does not use.

7. Verify Helpdesk Identities Through a Known Channel

Because attackers use multiple personas to trick multiple employees, train staff to confirm any request for remote access through a channel they already trust, such as the internal ticketing system or a phone number from the company directory, rather than the chat that made the request. Encourage employees to report such requests so that several personas targeting several people can be linked.

8. Correlate Activity to Spot Blending In

Because each step of the intrusion uses a legitimate tool, no single event will look malicious. Correlate remote assistance sessions, WinRM activity, side-loaded signed applications, registry changes and cloud uploads on the same host or account, so that the chain as a whole can be detected and responded to.
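Step 1 above says to treat external Teams contacts as untrusted by default, and the multiple-persona tactic means the first line of defense is recognizing the helpdesk-impersonation message itself. The following Python is an added example, not the article's or Microsoft's code: it classifies constructed Teams chat messages by whether the sender is outside the tenant, whether the sender claims an IT or helpdesk role, and whether the text asks for remote access, producing a verdict a security team could turn into a warning banner or a block. The tenant domain, the federation allowlist, the sender addresses and the keyword lists are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Assumed for this example: the organization's own tenant domain and the
# short list of external domains with which Teams federation is allowed.
TENANT_DOMAINS = {"example.com"}
ALLOWED_EXTERNAL_DOMAINS = {"partner.example.net"}

# Phrases that signal a claimed IT role and a request for a remote session.
HELPDESK_WORDS = re.compile(r"\b(it department|help ?desk|it support|service desk)\b", re.I)
ACCESS_WORDS = re.compile(r"\b(remote access|quick assist|remote session|security update|take control)\b", re.I)


@dataclass
class TeamsMessage:
    sender_upn: str     # user principal name of the sender, e.g. user@domain
    display_name: str   # name shown in the chat header
    text: str           # message body


def sender_domain(upn):
    return upn.rsplit("@", 1)[-1].lower()


def classify(msg):
    """Return a verdict (block / warn / verify / allow) with the reasons behind it."""
    domain = sender_domain(msg.sender_upn)
    internal = domain in TENANT_DOMAINS
    allowlisted = domain in ALLOWED_EXTERNAL_DOMAINS
    claims_it = bool(HELPDESK_WORDS.search(msg.display_name) or HELPDESK_WORDS.search(msg.text))
    wants_access = bool(ACCESS_WORDS.search(msg.text))

    reasons = []
    if not internal:
        reasons.append(("allowlisted" if allowlisted else "non-allowlisted") + f" external domain {domain}")
    if claims_it:
        reasons.append("claims IT/helpdesk affiliation")
    if wants_access:
        reasons.append("asks for remote access or an assistance session")

    # External, not federated, and either posing as IT or asking for access:
    # the impersonation pattern the article describes, so block outright.
    if not internal and not allowlisted and (claims_it or wants_access):
        verdict = "block"
    elif not internal and not allowlisted:
        verdict = "warn"          # untrusted by default: show an external-sender banner
    elif wants_access:
        verdict = "verify"        # even internal or federated requests need out-of-band confirmation
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


def triage(messages):
    return [classify(m) for m in messages]


# Constructed sample messages; the first reuses the article's wording.
SAMPLE_MESSAGES = [
    TeamsMessage("john.doe@contoso-helpdesk.example", "John (IT Department)",
                 "Hi, I'm John from the IT department. I need to perform a security update "
                 "on your machine. Can you please grant me remote access?"),
    TeamsMessage("alice@partner.example.net", "Alice", "Can you send me the Q3 numbers when you have a minute?"),
    TeamsMessage("helpdesk@example.com", "Helpdesk", "Please open Quick Assist so I can take a look at the printer issue."),
    TeamsMessage("bob@unknown.example", "Bob", "Hello, we met at the conference last week."),
]


if __name__ == "__main__":
    for m, r in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{r['verdict']:<7} {m.sender_upn:<35} {'; '.join(r['reasons']) or 'no indicators'}")
```

The "verify" verdict is deliberate: a genuine internal helpdesk message asking for Quick Assist still deserves confirmation through the ticketing system, because the same wording is what an attacker uses once a persona or account has been compromised.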
