Microsoft Warns of Attackers Abusing Teams for Session Hijacking
Threat Actor Storm-2372 Abusing Microsoft Teams for Malware Delivery and Session Hijacking, Microsoft Warns
Related Entities
Full Report
Executive Summary
Microsoft has identified a campaign by the threat actor Storm-2372 that abuses legitimate functionalities within Microsoft Teams to conduct social engineering attacks. The primary goals of the campaign are to steal authentication tokens and hijack user sessions. By leveraging the trusted nature of the Teams platform, attackers are able to send malicious files and links that users are more likely to interact with. This tactic bypasses traditional email security gateways and exploits the inherent trust users place in internal communication tools. Security teams are advised to increase monitoring of Teams-related authentication and OAuth activity.
Threat Overview
The threat actor, Storm-2372, initiates attacks by sending messages or files directly to targets within Microsoft Teams. These messages may originate from externally connected accounts or potentially from already compromised internal accounts. The core of the attack involves tricking a user into a malicious action, such as clicking a link or opening a file, which initiates a fraudulent process.
The attackers are specifically abusing device code authentication flows. This method involves presenting the user with a code and a URL. The user is instructed to open the URL on another device (like their phone) and enter the code to grant the attacker's application access to their account. Because the request appears to be part of a legitimate workflow within Teams, users may approve it without realizing they are granting an attacker persistent access to their account.
Technical Analysis
The campaign's TTPs focus on abusing application features and social engineering:
- Initial Access/Execution:
T1566.002 - Spearphishing Link: Attackers send malicious links through Teams chat, a vector that is often less scrutinized than email.T1204.002 - User Execution: Malicious File: Malicious files are shared directly through Teams, leveraging the platform's file-sharing feature.
- Credential Access:
T1650 - Acquire Access Token: The primary goal is to steal OAuth access tokens by tricking users into completing a device authentication flow for a malicious application.T1539 - Steal Web Session Cookie: Once an access token is stolen, the attacker can use it to hijack the user's active session and access resources as that user.
- Defense Evasion:
T1070.004 - Indicator Removal: File Deletion: Attackers may delete their initial messages or files from Teams to hide their tracks.
Impact Assessment
- Account Takeover: The most direct impact is the complete takeover of the victim's Teams account and any other Microsoft 365 services accessible via the stolen token.
- Data Exfiltration: Attackers can access and exfiltrate sensitive data from SharePoint, OneDrive, and private chats.
- Internal Phishing: The compromised account becomes a highly effective platform for launching further social engineering attacks against other employees, as messages will come from a trusted internal source.
- Business Email Compromise (BEC): The access could be leveraged to conduct financial fraud by impersonating the compromised employee.
IOCs
No specific Indicators of Compromise were provided in the source articles.
Cyber Observables for Detection
DFIR teams should hunt for the following:
| Type | Value | Description |
|---|---|---|
| Log Source | Azure AD Sign-in Logs | Monitor for sign-in events with Device code authentication flow, especially from unexpected locations or for unusual applications. |
| API Endpoint | https://login.microsoftonline.com/common/oauth2/deviceauth |
Look for an unusual number of requests to the device authentication endpoint. |
| Log Source | Microsoft 365 Unified Audit Log | Search for Consent to application events, looking for users granting permissions to new or unfamiliar applications. |
| User Account Pattern | Anomalous external user chats | Monitor for a spike in chat invitations from external tenants, which could be a precursor to a widespread campaign. |
Detection & Response
- Audit Azure AD Logs: Security teams must closely monitor Azure Active Directory sign-in logs. Filter for
Device codeauthentication events and investigate any that seem anomalous. D3FEND's Authentication Event Thresholding (D3-ANET) can help automate this. - Review OAuth Consents: Regularly audit application consent grants in the Microsoft 365 Unified Audit Log. Look for users granting consent to newly created or suspicious-looking multi-tenant apps.
- User-Reported Phishing: Encourage users to report any suspicious messages or file shares within Teams, even if they come from apparently internal colleagues.
- Session Revocation: If a compromise is suspected, immediately revoke all refresh tokens for the affected user account in Azure AD to terminate the attacker's session.
Mitigation
- User Training (M1017): Educate users specifically on the risks of social engineering within collaboration platforms like Teams. Show them what a device code authentication prompt looks like and instruct them to never approve one they did not initiate themselves.
- Configure External Access Policies: Restrict the ability of users to communicate with all external tenants. Configure an allow-list for trusted external organizations only. This is an application of Application Configuration Hardening (D3-ACH).
- Configure Application Consent Policies (M1054): In Azure AD, configure user consent settings to prevent users from consenting to applications from unverified publishers or applications that are not on an approved list. This directly blocks the malicious app registration part of the attack.
- Conditional Access Policies: Implement strict Conditional Access policies that require compliant devices or trusted locations for accessing corporate resources, which can help block session hijacking attempts from untrusted attacker machines.
Timeline of Events
MITRE ATT&CK Mitigations
Train users to be suspicious of unexpected authentication prompts or file shares, even within trusted applications like Microsoft Teams.
Configure application consent policies in Azure AD to prevent users from granting permissions to unauthorized or unverified applications.
Mapped D3FEND Techniques:
Configure Teams external access policies to restrict communication to an allow-list of trusted external organizations, limiting the initial attack surface.
D3FEND Defensive Countermeasures
To directly counter the Storm-2372 campaign, administrators must harden Microsoft Teams and Azure AD application consent settings. First, configure Teams external access policies to block communication from all external tenants by default, and only add trusted partner organizations to an allow-list. This severely limits the attacker's ability to initiate contact. Second, and more critically, configure Azure AD 'User consent settings' to prevent users from granting consent to applications. Instead, enable the 'admin consent workflow' so that all requests for new application permissions are routed to administrators for review. This single change would have blocked the device code authentication flow attack, as the user would not have had the rights to approve the malicious application's access to their account.
Implement automated detection rules in your SIEM (like Microsoft Sentinel) to monitor and alert on suspicious authentication events related to this attack. Create a rule that specifically triggers on 'Device code' authentications in Azure AD sign-in logs. The alert should be enriched with contextual information like the user's location, IP address, and the application requesting consent. A high-severity alert should be generated if a device code authentication is completed from an IP address outside the user's typical geolocation or if it's for a newly created or previously unseen application. This provides an automated, near-real-time detection of a potential session token theft in progress, allowing the SOC to quickly investigate and revoke the user's session tokens before significant damage occurs.
For post-compromise detection, use a Cloud Access Security Broker (CASB) or Microsoft Defender for Cloud Apps to analyze web session activity. Once an attacker hijacks a session using a stolen token, their behavior will likely differ from the legitimate user. Configure UBA policies to detect impossible travel (e.g., the user's account is accessed from two distant locations simultaneously), anomalous data access (e.g., mass file downloads from SharePoint), or suspicious configuration changes (e.g., creating a new mail forwarding rule). These policies analyze the activity within the hijacked session, providing a secondary layer of detection that can catch the attacker even if the initial token theft was missed. This is crucial for identifying the blast radius of a compromised account and initiating the incident response process.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats