Storm-0324: A threat actor targets Microsoft Teams for phishing campaigns

Microsoft has raised the alarm over the activities of a threat actor with ties to ransomware groups that have now turned to distributing phishing lures through Microsoft Teams chats. This actor, identified as Storm-0324, is notorious for acting as an initial access broker, infiltrating victim systems and subsequently selling this access to other cybercriminals, often culminating in ransomware attacks.

Starting from July 2023, Microsoft’s security researchers observed Storm-0324 distributing malicious payloads through Microsoft Teams chats using an open-source tool. Unlike the unrelated Midnight Blizzard social engineering campaigns observed in May 2023, Storm-0324’s activities are more focused on gaining initial access to corporate networks and facilitating follow-on attacks by other threat actors.

Storm-0324’s tactics involve deploying phishing lures via Teams chats, where attackers send victims links leading to malicious SharePoint-hosted files. To streamline their operations, the cybercriminals employ a tool called TeamsPhisher, enabling them to attach files to messages sent to external tenants within Teams. Interestingly, these Teams-based phishing lures are categorized as “EXTERNAL” users by the Teams platform, assuming external access is enabled within the organization.

Storm-0324 is known for its evasion techniques and has used payment and invoice-themed lures to deceive victims in the past. The group has also distributed malware on behalf of well-known Russian cybercrime gangs such as FIN7 and Cl0p.