Mainstream Technologies

MTI Blog

Security warning, impersonation of MS-Teams links

This is an FYI for everyone using MS-Teams. Please continue to be vigilant for any and all links, even if they at first appear to be from a legit source.

From the following news source:

Two separate attacks have targeted as many as 50,000 different Teams users, with the goal of phishing Office 365 logins.

A convincing cyberattack that impersonates notifications from Microsoft Teams in order to steal the Office 365 credentials of employees is making the rounds, according to researchers. Two separate attacks have targeted as many as 50,000 different Teams users, according to findings from Abnormal Security.

The news comes as the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning(link removed) about Office 365 remote-work deployments. “CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks,” the agency said.

In one, employees receive an email that contains a link to a document on a domain used by an established email marketing provider to host static material used for campaigns. If recipients click the link, they’ll be presented with a button asking them to log in to Microsoft Teams – if that button is clicked, they’re taken to a malicious page that impersonates the Microsoft Office login page in order to steal their credentials.

“Attackers utilize numerous URL redirects in order to conceal the real URL used that hosts the attacks,” the firm’s researchers said in an analysis(link removed) released on Friday. “This tactic is employed in an attempt to bypass malicious link detection used by email protection services.” For instance, in one of the attacks, the actual sender email originates from a recently registered domain, “,” which Abnormal Security pointed out is not associated to either Microsoft or the IRS – it’s hidden due to the redirects though, and doesn’t present an obvious red flag to targets.

In the second attack, the email link points to a YouTube page, from which users are redirected twice to finally land on another Microsoft login phishing site.

“These attackers crafted convincing emails that impersonate automated notification emails from Microsoft Teams,” according to the analysis. “The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider.”

Daniel Weatherly
Director of Security Services

Custom Software Icon

Completely Custom
Software Solutions

Custom Software
Managed Services Icon

Peace of Mind,
Proactive IT Services

Managed Services
Hosting Solutions Icon

Compliance Centric
Hosting and Colocation

Hosting Solutions