- Attackers use compromised GMX Mail accounts to send fake Microsoft Teams invitations with OAuth traps
- Victims who authorize a malicious Azure web application grant access to emails, files, and persistent account control
- Abnormal AI calls for vigilance: check senders, inspect links, and be wary of urgent meeting requests
Scammers are sending their victims fake Microsoft Teams meeting invitations in an attempt to steal login credentials and gain persistent access to the entire Microsoft 365 ecosystem, experts have warned.
Cybersecurity experts at Abnormal AI said they recently observed the campaign in the wild. It starts with a compromised GMX Mail account. GMX is a free consumer email service from Germany that allows users to create up to ten sender addresses from a single account.
The compromised accounts are used to send fraudulent emails that pretend to come from a company’s HR department and are designed to look like automated, Teams-branded notification emails.
Phishing for access
The emails usually contain:
- A prominent “Join Meeting Now” call-to-action link
- A meeting ID and password section
- A fake “Organizer” section designed to mirror authentic Teams invitations
If the victim takes the bait and clicks on the provided link, they are redirected to a compromised Azure web application that asks the visitor to approve an OAuth authorization and grant it permissions on their Microsoft account. The scammers tried to hide the fact that it is a web application by calling it “Please RSVP – meeting request.”
Granting access to this malicious web application gives it the permissions it needs to log in, read the victim’s profile, maintain access even after a password change, access emails and messaging data, send emails, steal files, and more.
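As a defensive illustration of the consent described above, the following added example (not from Abnormal AI or the original article) triages delegated OAuth grants for the combination the article describes: mail and file access plus access that survives a password change. The scope names are the standard Microsoft Graph delegated permissions assumed to correspond to those capabilities, and the export format, the `appDisplayName` field and all sample records are constructed.

```python
# Added example: triage of delegated OAuth grants exported from a tenant.
# Records follow the Microsoft Graph oauth2PermissionGrant shape (clientId,
# consentType, principalId, scope); "appDisplayName" is joined in by a
# hypothetical export step. All sample values are constructed.
import re

PERSISTENCE = {"offline_access"}  # refresh tokens outlive a password change
DATA_ACCESS = {"mail.read", "mail.readwrite", "mail.send",
               "files.read.all", "files.readwrite.all"}
# Names that read like a message subject rather than a product (heuristic).
LURE_NAME = re.compile(r"\b(rsvp|meeting request|invitation|please)\b", re.I)

def assess_grant(grant):
    """Return a list of findings for one grant; empty means nothing flagged."""
    scopes = {s.lower() for s in grant.get("scope", "").split()}
    findings = []
    data = sorted(scopes & DATA_ACCESS)
    if data:
        findings.append("data access: " + ", ".join(data))
    if data and scopes & PERSISTENCE:
        findings.append("persistent access to mail/files via offline_access")
    if grant.get("consentType") == "Principal" and data:
        findings.append("user-consented (no admin review)")
    if LURE_NAME.search(grant.get("appDisplayName", "")):
        findings.append("display name resembles an email lure")
    return findings

def triage(grants):
    """Map clientId -> findings for every grant with at least one finding."""
    return {g["clientId"]: f for g in grants if (f := assess_grant(g))}

SAMPLE_GRANTS = [  # constructed
    {"clientId": "app-0001", "appDisplayName": "Please RSVP – meeting request",
     "consentType": "Principal", "principalId": "user-17",
     "scope": "openid profile offline_access Mail.Read Mail.Send Files.Read.All"},
    {"clientId": "app-0002", "appDisplayName": "Contoso Timesheets",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile User.Read"},
]

if __name__ == "__main__":
    for client_id, findings in triage(SAMPLE_GRANTS).items():
        print(client_id, "->", "; ".join(findings))
```

Because a flagged grant keeps working after a password reset, remediation means revoking the grant and the user's refresh tokens, not only changing the password.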
Researchers believe GMX was chosen for its multiple-sender-address feature, because it allows attackers to easily change identities without setting up new infrastructure, thereby reducing the time needed to prepare for the attack.
Another reason GMX could have been chosen is that its messages successfully pass SPF, DKIM, and DMARC validation and end up in users’ inboxes. For Abnormal, this is an “unusual level” of technical legitimacy.
The best way to defend against phishing is simply to think before you click: check the sender’s email address, hover over links to spot shady redirects, and be wary of emails with a high sense of urgency.




