- Attackers use compromised GMX email accounts to send fake Microsoft Teams invitations with OAuth traps.
- Victims who authorize the malicious Azure Web App grant access to email, files, and persistent account control.
- Abnormal AI urges vigilance: check senders, inspect links, and beware of urgent meeting requests.
Scammers are sending victims fake invitations to Microsoft Teams meetings in a bid to steal login credentials and gain persistent access across the entire Microsoft 365 ecosystem, experts have warned.
Cybersecurity experts at Abnormal AI said they recently observed the campaign in the wild. It starts with a compromised GMX email account. This is a free email service for consumers in Germany that allows users to create up to ten sender addresses from a single account.
Compromised accounts are used to send fraudulent emails, purporting to come from a company’s human resources department, which are designed to look like automated notification emails, bearing Teams branding.
Phishing for access
Common elements are:
- A prominent call-to-action link, “Join the meeting now”
- A meeting ID and password section
- A fake “Organizer” section designed to mirror authentic Teams invitations
If the victim takes the bait and clicks on the provided link, they will be redirected to a compromised Azure web application that asks the visitor to perform an OAuth authorization and grant permissions to the Microsoft account. The criminals tried to mask the fact that it is a web application by titling it “Please RSVP – meeting request.”
Granting access to this malicious web application gives it permission to sign the user in, read their profile, maintain access even after a password change, access emails and email data, send emails, steal files and more.
The researchers believe GMX was chosen for its multiple-sender-address feature, as it allows attackers to easily rotate identities without setting up new infrastructure, reducing the time needed to prepare the attack.
Another reason why GMX could have been chosen is the fact that messages successfully pass SPF, DKIM and DMARC validation and end up in people’s inboxes. For Abnormal, this is an “unusual level” of technical legitimacy.
The best way to defend against phishing is to simply think before you click: check the sender’s email address, hover over links for suspicious redirects, and be wary of emails with a high sense of urgency.
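On the administrator side, consent of the kind described above can also be audited after the fact. The following is an added example, not code from Abnormal AI or the original article: it flags user-consented OAuth grants that combine persistent access with mail or file permissions. The scope names are an assumed mapping of the permissions listed above to Microsoft Graph delegated scopes, and the grant records are constructed samples shaped like Graph `oauth2PermissionGrant` objects.

```python
# Added example: audit OAuth delegated grants for the permission mix described above.
# Records mimic Microsoft Graph oauth2PermissionGrant objects; all values are constructed.

# Assumed mapping of the article's permission list to Graph delegated scopes.
PERSISTENCE = {"offline_access"}           # "maintain access" via refresh tokens
DATA_SCOPES = {                            # mail and file access
    "mail.read", "mail.readwrite", "mail.send",
    "files.read", "files.read.all", "files.readwrite", "files.readwrite.all",
}

def risky_scopes(grant):
    """Return the sorted data scopes if the grant pairs them with persistence, else []."""
    scopes = {s.lower() for s in (grant.get("scope") or "").split()}
    if not (scopes & PERSISTENCE):
        return []
    return sorted(scopes & DATA_SCOPES)

def audit(grants, approved_clients=frozenset()):
    """Flag grants consented by an individual user to an app not on the allow-list."""
    findings = []
    for g in grants:
        # The campaign relies on a single user consenting, so skip admin-wide grants.
        if g.get("consentType") != "Principal":
            continue
        if g.get("clientId") in approved_clients:
            continue
        hits = risky_scopes(g)
        if hits:
            findings.append({"clientId": g["clientId"],
                             "principalId": g.get("principalId"),
                             "scopes": hits})
    return findings

# Constructed sample data (placeholder IDs, not real tenants or apps).
SAMPLE_GRANTS = [
    {"clientId": "sp-rsvp-app", "consentType": "Principal", "principalId": "user-1",
     "scope": "openid profile User.Read offline_access Mail.Read Mail.Send Files.Read.All"},
    {"clientId": "sp-calendar-tool", "consentType": "Principal", "principalId": "user-2",
     "scope": "openid profile User.Read"},
    {"clientId": "sp-approved-crm", "consentType": "Principal", "principalId": "user-3",
     "scope": "offline_access Mail.Read"},
    {"clientId": "sp-it-backup", "consentType": "AllPrincipals", "principalId": None,
     "scope": "offline_access Files.Read.All"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS, approved_clients={"sp-approved-crm"}):
        print(finding)
```

A flagged grant needs to be revoked explicitly, since the article notes that access survives a password change.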




