A multi-vector phishing campaign is using hacked WordPress sites to steal Microsoft Teams and Xfinity login information. By taking over these trusted sites, attackers can get around security filters and get victims to give up sensitive information.
The threat actors are not relying on a single way to trick their victims. Instead, they use three different phishing lures that create a sense of urgency:

Image: Fake voicemail warning (Source: X post by KnowBe4 Threat Labs)

Teams Voice Message: An email that says the user has a missed voicemail on Microsoft Teams.
Shared Documents: A fake alert that says a new document has been shared and urges the user to click quickly to see it.
UAE Pass Spoofing: Fake login requests sent to people who use the UAE Pass digital identity system.

How the Attack Chain Works

The campaign follows a carefully planned attack chain designed to steal user credentials so that accounts can be taken over later:

Image: Fake login requests used to spoof UAE Pass (Source: X post by KnowBe4 Threat Labs)

The Hook: The victim gets a fake "Teams Voice Message" email with a "Listen Now" button that tries to trick them into clicking.
The Pivot: When the user clicks the link, they are silently redirected to a tracking domain, skimresources[.]com.

Image: "New File Shared" alert that pressures people to act quickly (Source: X post by KnowBe4 Threat Labs)

The Payload: The redirect takes the victim to a fake login page that looks and works exactly like the real thing. These fake pages imitate Microsoft Teams, Xfinity, or UAE Pass.

Image: Fake Xfinity login page that looks exactly like the real thing (Source: X post by KnowBe4 Threat Labs)

The Goal: Once the user types in their username and password, attackers can steal the information and take control of the victim's accounts.
Abuse of legitimate WordPress sites is a big part of this campaign. The attackers are breaking into poorly secured sites and hiding their malicious phishing pages deep inside standard system folders.
By placing their fake login pages in core directories such as /wp-includes/ or /bin/, attackers can hide in plain sight. This keeps website owners and automated security scanners from finding them right away. Network administrators and security teams should block the following compromised domains and file paths that are part of this campaign:

crsons[.]net/wp-includes/js/tinymce/~
crsons[.]net/wp-includes/cgi/UAE%20PASS.htm
afghantarin[.]com/afghantarin/admin/waitme/~
medinex[.]in/includes/bin/index[.]php
cabinetzeukeng[.]net/config/[.]bin/voicemail
rnedinex[.]com

To protect against this threat, companies should teach their workers to double-check the sender of an email and hover over links before clicking, especially when they get voicemail or document alerts that they weren't expecting. Website owners must also keep their WordPress installations, themes, and plugins up to date so that attackers can't use them against them.
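For site owners, one way to surface pages planted in core folders such as /wp-includes/ is to compare those folders against a manifest of the files the release actually shipped. The Python below is an added example, not code from the article or from WordPress; the manifest format (relative path mapped to a SHA-256 digest), the function names and the sample file tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-includes", "wp-admin")  # assumption: only release files live here

def audit_core(root, manifest):
    """Compare core dirs under root with manifest ({relative path: sha256 hex})."""
    unexpected, modified, seen = [], [], set()
    for core_dir in CORE_DIRS:
        # os.walk does not descend into symlinked directories, so the scan stays in root.
        for dirpath, _dirs, filenames in os.walk(os.path.join(root, core_dir)):
            for name in filenames:
                path = Path(dirpath) / name
                rel = path.relative_to(root).as_posix()
                if rel not in manifest or path.is_symlink():
                    unexpected.append(rel)  # file the release never shipped
                    continue
                seen.add(rel)
                if hashlib.sha256(path.read_bytes()).hexdigest() != manifest[rel]:
                    modified.append(rel)  # shipped file whose content changed
    prefixes = tuple(d + "/" for d in CORE_DIRS)
    missing = [r for r in manifest if r.startswith(prefixes) and r not in seen]
    return sorted(unexpected), sorted(modified), sorted(missing)

def demo():
    """Audit a constructed site tree (all file names and contents are made up)."""
    shipped = {
        "wp-includes/version.php": b"<?php // version",
        "wp-includes/js/tinymce/tinymce.min.js": b"/* editor */",
        "wp-admin/index.php": b"<?php // dashboard",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in shipped.items()}
    on_disk = dict(shipped)
    on_disk["wp-includes/js/tinymce/tinymce.min.js"] = b"/* editor */ /* tampered */"
    on_disk["wp-includes/cgi/dropped-login.htm"] = b"<form>constructed sample</form>"
    on_disk["wp-content/uploads/photo.jpg"] = b"outside the core dirs, not audited"
    del on_disk["wp-admin/index.php"]
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in on_disk.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_core(tmp, manifest)

if __name__ == "__main__":
    print(dict(zip(("unexpected", "modified", "missing"), demo())))
```

On a live site the manifest would be built from a clean copy of the same WordPress release; WP-CLI's `wp core verify-checksums` performs a comparable check against the official checksums.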