Govt abstract
Whereas most finish customers are well-acquainted with the hazards of conventional phishing assaults, akin to these delivered by way of electronic mail or different media, a big proportion are probably unaware that Microsoft Groups chats may very well be a phishing vector. Most Groups exercise is intra-organizational, however Microsoft allows Exterior Entry by default, which permits members of 1 group so as to add customers outdoors the group to their Groups chats. Maybe predictably, this characteristic has offered malicious actors a brand new avenue by which to take advantage of untrained or unaware customers.
In a latest instance, an AT&T Cybersecurity Managed Detection and Response (MDR) buyer proactively reached out with issues a couple of person who was exterior to their area sending an unsolicited Groups chat to a number of inner members. The chat was suspected to be a phishing lure. The client offered the username of the exterior person in addition to the IDs of a number of customers who had been confirmed to have accepted the message.
With this info, the AT&T Cybersecurity MDR SOC crew was in a position to determine the focused customers, in addition to suspicious file downloads initiated by a few of them. A evaluate of the techniques and indicators of compromise (IOCs) utilized by the attacker confirmed them to be related to DarkGate malware, and the MDR SOC crew was in a position to head off the assault earlier than any important injury was accomplished.
Investigation
Preliminary occasion evaluate
Indicators of compromise
The client offered the under screenshot (Picture 1) of the message that was obtained by one among their customers and which was suspected to be a phishing lure. An essential element to notice right here is the “.onmicrosoft.com” area identify. This area, by all appearances, is genuine and most customers would most likely assume that it’s reliable. OSINT analysis on the area additionally exhibits no stories for suspicious exercise, main the MDR SOC crew to imagine the username (and probably your entire area) was probably compromised by the attackers previous to getting used to launch the phishing assault.
Picture 1: Screenshot from buyer of obtained message
Expanded investigation
Occasions search
Performing a search of the exterior username within the buyer’s atmosphere led the MDR crew to over 1,000 “MessageSent” Groups occasions that had been generated by the person. Though these occasions didn’t embody the IDs of the recipients, they did embody the exterior person’s tenant ID, as displayed in Picture 2 under.
Picture 2: Occasion log exhibiting exterior person tenant ID
A Microsoft 365 tenant ID is a globally distinctive identifier assigned to a company. It’s what permits members of various corporations to speak with each other by way of Groups. So long as each members of a chat have legitimate tenant IDs, and Exterior Entry is enabled, they’ll alternate messages. With this in thoughts, the MDR SOC crew was in a position to question occasions that contained the exterior person’s tenant ID and located a number of “MemberAdded” occasions, that are generated when a person joins a chat in Groups.
Picture 3: “MemberAdded” occasion
These occasions embody the sufferer’s person ID, however not the exterior person ID. Along with the exterior tenant ID, the MDR SOC crew was in a position to positively hyperlink these “MemberAdded” occasions again to the attacker by way of the “ChatThreadId” area, which was additionally current within the unique “MessageSent” occasions. The client was supplied with an inventory of customers who accepted the exterior chat and was then in a position to start figuring out probably compromised property and accounts for remediation.
Occasion deep-dive
The MDR SOC crew continued to drill down on the phished customers to find out the exact nature of the assault. They subsequently found three customers who had downloaded a suspicious double extension file. The file was titled “Navigating Future Adjustments October 2023.pdf.msi” (Picture 4).
Picture 4: Suspicious double extension file obtain
Double extension recordsdata are generally utilized by attackers to trick customers into downloading malicious executables, because the second extension, .msi on this case, is normally hidden by the filesystem. The person believes they’re downloading a PDF for enterprise use, however as a substitute receives a malicious installer.
The MDR SOC crew was in a position to present the filename and related hashes to the client who in flip handed that info onto their endpoint detection and response (EDR) supplier so the file may very well be added to the blocklist. The details about the file downloads additionally enabled the client to start figuring out affected property for isolation and remediation.
Reviewing for added indicators
The client later offered the malicious file to the MDR SOC crew for additional evaluation. Upon detonation in a sandbox, the file tried to beacon out to the area hgfdytrywq[.]com, which is a confirmed DarkGate command-and-control (C2) area, in accordance with Palo Alto Networks (https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/primary/2023-10-12-IOCs-for-DarkGate-from-Groups-chat.txt). The filename can also be similar to the recordsdata listed by Palo Alto Networks and the double-extension file is a identified DarkGate tactic.
Remediation
The MDR SOC offered the client with an inventory of customers who had obtained the message, customers who had been confirmed to have accepted the message, and customers who had been recognized as having initiated a obtain of the malicious .msi file. The client used this info to provoke password resets for the affected customers and to find out which property had been contaminated in order that they may very well be remoted and rolled again to a clear state. The DarkGate file hashes and paths had been blocklisted by the client’s EDR resolution and the C2 area was blocked. The client was additionally suggested to contemplate disabling Groups Exterior Entry until it was crucial for enterprise use.
Suggestions
E-mail phishing assaults have lengthy been a menace to organizations, and they’re going to proceed to be, however phishing by way of Microsoft Groups is a comparatively new phenomenon. This assault vector is a reminder of the necessity for fixed vigilance and person coaching within the face of evolving threats.
Except completely crucial for every day enterprise use, disabling Exterior Entry in Microsoft Groups is advisable for many corporations, as electronic mail is mostly a safer and extra carefully monitored communication channel. As at all times, finish customers must be skilled to concentrate to the place unsolicited messages are coming from and must be reminded that phishing can take many types, past the standard electronic mail. Not everyone seems to be on the identical crew!
