- Attackers use compromised GMX Mail accounts to send fake Microsoft Teams invites with OAuth traps
- Victims who authorize the malicious Azure Web App provide access to email, files, and persistent account control
- Abnormal AI calls for vigilance: verify senders, inspect links, and watch out for urgent meeting requests
Scammers are sending fake Microsoft Teams meeting invitations to victims in an attempt to steal login credentials and gain persistent access across the Microsoft 365 ecosystem, experts have warned.
Cybersecurity experts from Abnormal AI said they recently observed the campaign in the wild. It starts with a compromised GMX Mail account. GMX is a free consumer email service based in Germany that lets a user create up to ten sender addresses from a single account.
The compromised accounts are used to send fraudulent emails pretending to come from a company’s HR department, which are designed to look like automated notification emails bearing the Teams branding.
Phishing for access
The emails typically contain:
- A prominent “Join the meeting now” call-to-action link
- A meeting ID and password section
- A fake “Organizer” section designed to mirror authentic Teams invites
If the victim takes the bait and clicks the link, they are redirected to a compromised Azure Web App that asks them to complete an OAuth authentication and grant the app permissions on their Microsoft account. The scammers tried to mask the fact that this is a web app by giving it the title “Please confirm attendance – meeting request”.
Granting this malicious web app access allows it to sign in as the user, read their profile, retain access even after the password is changed, read email and mailbox data, send email, exfiltrate files, and more.
The researchers believe GMX was chosen for this multi-address feature, which lets attackers rotate sender identities without standing up new infrastructure, cutting down on the time needed to prepare the attack.
Another reason GMX may have been chosen is that the messages pass SPF, DKIM and DMARC validation and land in people’s inboxes. Abnormal describes this as an “unusual level” of technical legitimacy.
The best way to defend against phishing is to simply think before you click – check the sender’s email address, hover over links to spot unwanted redirects, and be wary of emails with a high sense of urgency.