Cloud-based office productivity suites, including Microsoft 365 (formerly Office 365) and Google Workspace (formerly G Suite), let remote workers communicate, collaborate, and work from anywhere. Unfortunately, cybercriminals are abusing the trust employees place in these apps to get a foothold in organizational networks. One attack currently making the rounds is a phishing scheme that imitates the automated notification emails Microsoft and Google apps send to employees whenever they are mentioned in a group chat or a document.
Microsoft Teams Phishing Scheme
SC Magazine reports on a phishing scheme targeted at users of Microsoft Teams, a group communication and chat tool. Employees receive an email with the subject header, “There’s new activity in Teams.” The body of the email notifies them that their co-workers are trying to reach them and contains three hyperlinks: “Microsoft Teams,” “[contact] sent a message in instant messenger,” and “Reply in Teams.”
The email is designed to look like the legitimate Microsoft notifications that remote employees receive all day long. Any of the three links takes the employee to a phishing site that copies the real Microsoft login page; only the address in the browser gives it away. Should the employee not notice and enter their login credentials, the attacker immediately holds a working username and password for that account and can sign in as the employee, reaching their email, files, and anything else the account can access.
Google Workspace Phishing Scheme
Insider Paper reports on a similar scheme currently plaguing users of Google Workspace. A Keeper employee was targeted last week; thankfully, the employee realized they were being phished. In this scheme, recipients receive an email notification that appears to be a legitimate Google Workspace notification, with the subject header, “[Contact]@gmail.com mentioned you in [document name].” The body of the email invites the recipient to respond to the message and view the document on Google Drive.
Many of the phony documents that Google Workspace users are complaining about on Google's support forums are apparently Google Slides presentations. The email the Keeper employee received linked to a PDF file instead, and back in February, Consumer Affairs reported on a scheme that leveraged notifications from Google Docs documents.
Whichever file type the notification links to, clicking it can lead to a malware download, a redirect to a credential-harvesting page styled to look like Google's login page, or both.
Protecting Your Company from Notification Phishing Scams
Vigilance is key, but password security helps, too.
- Advise your employees not to blindly click on notification emails, even if they appear to come from a legitimate vendor like Microsoft or Google. Yes, we get a lot of them, all day long, but it's important to read them carefully. If the recipient doesn't recognize the document or chat they were tagged in, they should open Teams or Google Drive directly (not through the link) to see whether the activity is really there, and confirm with the alleged sender over a channel other than the email itself, since a reply to the phishing message goes straight to the attacker.
- Require that employees use multi-factor authentication (MFA), commonly deployed as two-factor authentication (2FA), on every account that supports it. With a second factor enabled, a stolen password alone is not enough to sign in. One caveat: phishing kits that proxy the real login page can also relay one-time codes and push approvals in real time, so where the vendor supports it, prefer phishing-resistant factors such as FIDO2 security keys or passkeys, which are bound to the genuine site's origin and will not work on a lookalike domain.
- Require the use of a password manager such as Keeper. In addition to giving IT admins visibility into employee password practices and enabling them to enforce password security policies, such as strong, unique passwords and 2FA use, Keeper helps prevent employees from entering their credentials on phishing sites. A password manager autofills a login only when the site's domain matches the one stored with the credential. The URL of the phony Microsoft login page used in the Teams scam starts with "microsftteams," a typo that may get past the naked eye but not past Keeper: it would tell the user that there is no match for that URL in their vault, a big red flag that they are about to be scammed.
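The domain check described in the last bullet can be reproduced outside a password manager, for example in a mail-gateway rule or a helpdesk triage script. The following is an added example written for this article, not Keeper's code and not the scanning logic of any vendor. It extracts the links from a constructed copy of the "There's new activity in Teams" lure (the hostnames in it are made up for the demonstration), compares each link's host against an assumed allowlist of hosts a genuine Microsoft or Google notification should point at, and, for anything not on the list, looks for brand names or near-misses of them (such as "microsft") in the hostname. It goes slightly beyond the case in the text by also handling a URL that hides a legitimate-looking name in the userinfo part before the "@".

```python
"""Vet the links in a vendor-style notification email (added example).

Assumptions: ALLOWED_HOSTS is an illustrative allowlist, BRAND_TOKENS an
illustrative set of brand words, and SAMPLE_EMAIL a constructed lure whose
hostnames are invented for this demonstration.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse
import re

# Hosts a genuine notification is expected to link to (assumed; adjust per tenant).
ALLOWED_HOSTS = {
    "teams.microsoft.com", "login.microsoftonline.com", "outlook.office.com",
    "docs.google.com", "drive.google.com", "accounts.google.com",
}
# Brand words whose presence, exact or slightly misspelled, in an
# unrecognized hostname suggests a lookalike domain.
BRAND_TOKENS = ("microsoft", "office", "google", "teams", "docs", "drive")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_near_miss(host: str) -> Optional[str]:
    """Return the brand token a hostname label contains or imitates, or None."""
    for label in re.split(r"[.-]", host):
        for token in BRAND_TOKENS:
            if token in label:            # exact brand word in the wrong domain
                return token
            if len(token) < 6:            # fuzzy-match only longer tokens (fewer false hits)
                continue
            for width in (len(token) - 1, len(token), len(token) + 1):
                for start in range(max(1, len(label) - width + 1)):
                    window = label[start:start + width]
                    if len(window) >= 4 and edit_distance(window, token) <= 1:
                        return token      # e.g. "microsft" is one edit from "microsoft"
    return None


def classify_link(url: str) -> str:
    """'allowed' for an exact allowlisted host, 'lookalike' for a brand-bearing
    or misspelled host, 'unknown' for anything else. Only 'allowed' is safe."""
    # urlparse().hostname ignores userinfo, so "good.com@evil.example" resolves
    # to evil.example, and the match is exact: no endswith() shortcuts, which
    # "microsoft.com.evil.example" would otherwise slip through.
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return "allowed"
    if brand_near_miss(host):
        return "lookalike"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (link text, href) pairs from an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def vet_email(html: str) -> List[Tuple[str, str, str]]:
    """Return (link text, href, verdict) for every link in the email."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href, classify_link(href)) for text, href in parser.links]


# Constructed lure modelled on the Teams notification described above; the
# non-Microsoft hostnames are invented for this example.
SAMPLE_EMAIL = """
<html><body>
<p>There's new activity in Teams</p>
<p>Your co-workers are trying to reach you in Microsoft Teams.</p>
<p><a href="https://teams.microsoft.com/">Microsoft Teams</a></p>
<p><a href="https://microsftteams.example/login">Alex sent a message in instant messenger</a></p>
<p><a href="https://login.microsoftonline.com@track.example/r/123">Reply in Teams</a></p>
</body></html>
"""

if __name__ == "__main__":
    for text, href, verdict in vet_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {text!r:45} -> {href}")
```

Only an exact host match counts as allowed; both "lookalike" and "unknown" mean the recipient should not click, the label just tells the reviewer why. The fuzzy matching is a heuristic and will occasionally flag an innocent host that happens to contain a brand word, which is the right failure direction for a triage tool.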