Google has just issued a warning about a new cybercrime group using call invitations on Microsoft Teams combined with fake technical support (helpdesk) notifications to steal login information and install malware.
According to Google's Threat Intelligence Group (GTIG), a hacker group called UNC6692 has launched a large-scale attack campaign with sophisticated tactics, targeting businesses with a "preemptive strike" of spam.
Specifically, the attackers first send a large volume of spam emails to employees of the business, overloading their mailboxes. Confused by the continuous stream of unusual emails, users easily lose vigilance. Immediately afterwards, the attacker impersonates an IT employee, proactively contacts the user over Microsoft Teams and asks to help handle the incident.
Believing that this was an internal department, many people followed the instructions. Users were asked to click on a link presented as a tool to fix email errors. However, this link led to a fake website called "Mailbox Repair Utility", designed to look like a system check tool.
After asking for the email login information, the fake site intentionally reports errors on the first entries and requests re-entry. This trick makes users believe that they made a mistake, while in reality the login information has already been collected.
According to the warning, all of this data is then transferred to a server controlled by the hackers through the Amazon Web Services S3 service. At the same time, malicious files are silently downloaded to the device. By the time the screen displays the message "completed", the system has actually been compromised.
After gaining initial access, the hackers install more tools to maintain long-term control. These tools allow them to monitor activity, remotely execute commands, and even take screenshots or steal important data without users knowing.
Experts say that this is a "social engineering" attack, taking advantage of human psychology and habits instead of just exploiting technical loopholes.
Previously, Microsoft also recorded similar scams on the Teams platform that impersonated technical support departments.
Network security experts recommend that users be especially wary of requests to provide login information, even when they come through familiar work channels.
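Detection logic for the sequence described above (a mail flood followed shortly by a Teams message from a supposed IT employee), as an added example that is not taken from Google's warning. The event schema, the thresholds, and the assumption that the impersonator writes from an account outside the organisation's own domain are all hypothetical, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical normalized event schema; map your mail gateway and
# Teams audit fields onto it. All thresholds are assumptions to tune.
FLOOD_COUNT = 50                        # inbound mails ...
FLOOD_WINDOW = timedelta(minutes=10)    # ... within this window
FOLLOWUP = timedelta(hours=1)           # chat this soon after a flood

def find_flood_then_chat(events, internal_domain):
    """Return (user, flood_time, chat_sender) for each Teams chat from
    outside internal_domain that follows a mail flood to the same user."""
    recent = defaultdict(deque)   # user -> timestamps of recent inbound mail
    last_flood = {}               # user -> time the threshold was last met
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, now = ev["user"], ev["time"]
        if ev["type"] == "mail_in":
            q = recent[user]
            q.append(now)
            while now - q[0] > FLOOD_WINDOW:   # drop mails outside the window
                q.popleft()
            if len(q) >= FLOOD_COUNT:
                last_flood[user] = now
        elif ev["type"] == "teams_chat":
            external = not ev["sender"].lower().endswith("@" + internal_domain)
            flood = last_flood.get(user)
            if external and flood and now - flood <= FOLLOWUP:
                alerts.append((user, flood, ev["sender"]))
    return alerts

def sample_events():
    """Constructed sample data: one flooded user, one quiet user."""
    t0 = datetime(2025, 1, 1, 9, 0)
    alice, bob = "alice@example.com", "bob@example.com"
    evs = [{"type": "mail_in", "user": alice,
            "time": t0 + timedelta(seconds=5 * i)} for i in range(60)]
    chat_time = t0 + timedelta(minutes=12)
    for user, sender in [(alice, "it-helpdesk@example.net"),   # should alert
                         (bob, "it-helpdesk@example.net"),     # no flood
                         (alice, "carol@example.com")]:        # internal sender
        evs.append({"type": "teams_chat", "user": user,
                    "sender": sender, "time": chat_time})
    return evs

if __name__ == "__main__":
    for alert in find_flood_then_chat(sample_events(), "example.com"):
        print(alert)
```

Only the flooded user contacted from outside the domain is flagged; the quiet user and the internal colleague's chat are not.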