A first-of-its-kind attack entered our inboxes this week. A bad actor sent an urgent request to “follow up” with a Management Team by clicking on a long, complex link. They hoped the recipient would assume the link led to a legitimate Microsoft Teams room.
They didn’t go out of their way on this one, except to add our domain name to the “To” field. The obvious signs that this is a phish include the long, bogus alias and domain name, the poor language, some malformed formatting, and the target URLs. But it’s proof that yet another variation on the theme exists.
Either way, the safest thing to do is advise users to be diligent and to navigate to the Team manually if a message is truly ‘pending’ for them in Teams. If that’s indeed the case, there will be an email saying “<<Teammate>> mentioned you in <<Team Name>>” or “<<Teammate>> sent you a message in Microsoft Teams.”
The sending domain sv120.wadax.ne.jp and the target URL Fillmatic.co.jp can be added to your blacklists if you’re keeping score.
Have you seen this in your organization, and if so, do you use Teams? It’d be a bit scary if they’ve specifically targeted organizations that use Teams (which we do).
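For mail teams that want to triage reported messages against the signs listed above, here is an added example (not part of the original post) that checks a message for the two indicators named here and for Teams-themed mail whose links leave Microsoft. The function names, the `microsoft.com` trusted suffix, and the sample message's alias and URL path are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators named in the post (lower-cased for comparison).
BLOCKED_DOMAINS = {"sv120.wadax.ne.jp", "fillmatic.co.jp"}
# Assumption: genuine Teams links point at hosts under this suffix.
TRUSTED_LINK_SUFFIXES = ("microsoft.com",)
LURE = re.compile(r"\bteams?\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s:\"'<>]+)", re.I)

# Constructed sample: alias and URL path are placeholders, not from the real mail.
PHISH = (
    "From: Management Team <constructed-long-alias-0001@sv120.wadax.ne.jp>\n"
    "Subject: Urgent: follow up with Management Team\n"
    "\n"
    "You have a pending message: http://fillmatic.co.jp/PLACEHOLDER-PATH\n"
)

def under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return the reasons a raw message resembles the Teams lure (empty if none)."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Text of every leaf part, as written (no transfer-decoding in this sketch).
    body = " ".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    hosts = {h.lower() for h in URL_HOST.findall(body)}
    reasons = []
    if any(under(sender_domain, d) for d in BLOCKED_DOMAINS):
        reasons.append("sender domain on blocklist: " + sender_domain)
    for h in sorted(hosts):
        if any(under(h, d) for d in BLOCKED_DOMAINS):
            reasons.append("link host on blocklist: " + h)
    themed = LURE.search(msg.get("Subject", "") + " " + body)
    offsite = sorted(h for h in hosts
                     if not any(under(h, s) for s in TRUSTED_LINK_SUFFIXES))
    if themed and offsite:
        reasons.append("Teams-themed message links off Microsoft: " + ", ".join(offsite))
    return reasons

if __name__ == "__main__":
    for reason in triage(PHISH):
        print(reason)
```

The third check is the one that still fires after the sender rotates to a domain that is not yet on any blocklist.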