If you use team collaboration tools like Microsoft Teams, you already know how useful they can be for boosting productivity both within your organization and with external partners. But there is an emerging cybersecurity threat that you should be aware of.
Common attack method:
A user receives a message from a new contact who appears to be from IT support or Microsoft support. The new contact requests a meeting to fix an urgent issue with the user’s computer. In the meeting, the new contact explains the issue and requests permission to take remote control of the user’s computer to fix it. Once granted permission by the user, the new contact installs a program on the user’s machine and lets the user know that everything is working great now.
In the example above, the “new contact” is a bad actor posing as IT support. They gain the trust of the user, and the “fix” they install is actually malicious software that will give the bad actor access to sensitive information.
At a basic level, there is nothing new about this form of attack. It is a form of social engineering: manipulating people into giving bad actors access to data they should not have. Bad actors have been using phone and email to perform this kind of attack for decades. There are two novel aspects to this attack method:
- It uses a relatively new communication tool, Microsoft Teams
- The user hands over direct control of their machine
Be aware of your organization’s default settings
Many users are not aware that Microsoft Teams allows for direct messages from external contacts or that users can give over control of their machines to anyone they are on a call with.
When Teams first hit the market, the default setting for receiving external messages was set to “off”: only contacts from “trusted” organizations could contact you. If you received a message, you could be reasonably sure about where it came from and who you were talking to. But the current default settings allow anyone with your contact information to contact you directly via Teams. Users may assume that anyone who contacts them claiming to be from their IT department is exactly who they say they are. But that isn’t necessarily the case anymore.
There is a good reason to allow external communications by default: it makes collaboration easier. You and your organization just need to be aware that you can receive communications from anywhere, and just like any form of virtual communication, you have to be skeptical of the information you’re receiving.
Best Practices for Staying Safe
Stay informed. You and your staff should know that this type of attack exists.
Be vigilant. Regardless of where the request is coming from (Teams, phone, email), you and your staff should treat with suspicion any message that asks for your credentials or for control of your machine.
Get to know your IT techs. As a rule of thumb, you should avoid giving remote control of your machine to anyone whose identity you are uncertain of. If someone contacts you saying they are from your IT company and you don’t recognize them, try ending the chat and contacting them directly through another channel, like phone or email, that you know is legitimate.
Change default setting. External access can be set to restricted (contact us if you would like us to set that up). But as previously mentioned, external access is one of the features of Teams. While external access can be misused and exploited, turning it off will also turn off its benefits.
Pay attention to new notifications. Microsoft has announced that in February of 2025 they will introduce a new security feature in Teams designed to warn users when they may be targeted by brand impersonation.
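For administrators, one way to check and tighten the external access and remote control settings discussed above from PowerShell. This is an added example, not part of the original article; it assumes the MicrosoftTeams PowerShell module and a Teams administrator sign-in, and the partner domains are placeholders.

```powershell
# Added example: audit, then restrict, the Teams settings discussed above.
# Assumes the MicrosoftTeams module is installed and you sign in as a Teams admin.
# The domain names below are placeholders, not values from the article.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit: which outside organizations and personal accounts can reach your
#    users, and which meeting policies let external participants give or
#    request control of a shared screen?
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains,
                AllowTeamsConsumer, AllowTeamsConsumerInbound

Get-CsTeamsMeetingPolicy |
    Select-Object Identity, AllowParticipantGiveRequestControl,
                  AllowExternalParticipantGiveRequestControl |
    Format-Table -AutoSize

# 2. Restrict external access to named partner organizations only, and stop
#    unmanaged (personal) Teams accounts from contacting your users.
$partners = New-Object Collections.Generic.List[String]
$partners.Add('partner-one.example')   # placeholder domain
$partners.Add('partner-two.example')   # placeholder domain

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $partners `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 3. Turn off the meeting policy setting that lets external participants give
#    or request control. This changes the org-wide default (Global) policy;
#    repeat for any custom policies listed in step 1.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AllowExternalParticipantGiveRequestControl $false

# 4. Re-run the audit to confirm the new values.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains,
                AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Run step 1 on its own first: the output shows whether your tenant is open to all external domains before you change anything.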
If you would like to know more about our cybersecurity solutions, including phishing training to help recognize and prevent social engineering attacks, contact us today.