I’ve been seeing different flavors of this attack among my customers. The most common is email bombing a target (they just find their email address and subscribe them to tons of junk senders). Then the attacker opens up a Teams chat acting as IT support. During the support session, they ask the user to install screen-sharing software or some other troubleshooting tool, which is really malware. This is therefore a form of phishing with a specific, targeted pretext.
The challenge is defense. This is not an email security problem, since the messages are not malicious; they typically are just junk mail. The challenge is the attacker joining a Teams chat posing as tech support. External chats look different depending on whether the tenant has Teams Premium or not, and a Premium subscriber’s chat could look like an internal resource. One defense is to block messages from outside the organization by default, but some businesses need to allow B2B communication.
Defense in depth is always going to be the best approach: take into consideration the phishing part of the attack; reputation defenses looking at any links shared (is this link going to a known malicious source?); endpoint defenses evaluating what is being installed; insider-risk controls around new remote connections; XDR looking across everything; and so on.
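As an added example of the cross-signal correlation the XDR point above calls for (this is my illustration, not code from the post or the linked article), the snippet below stitches together three individually weak signals: a burst of inbound mail to one mailbox from many distinct senders, an external (federated) Teams chat to that same user shortly afterwards, and a remote-support tool install on that user’s endpoint. All event data is constructed inline; the event layout, thresholds and field names are assumptions, not any product’s schema.

```python
"""Correlate email-bomb, external Teams chat, and tool-install signals.

All telemetry below is constructed for illustration; the (timestamp, kind,
user, detail) event shape and the thresholds are assumptions, not a real
product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_BURST_THRESHOLD = 50                 # distinct senders in one window (assumed tuning)
MAIL_BURST_WINDOW = timedelta(minutes=30)
FOLLOW_UP_WINDOW = timedelta(hours=4)     # how long after the burst we watch the user


def make_sample_events():
    """Constructed sample telemetry: one bombed user (alice), one normal user (bob)."""
    base = datetime(2024, 1, 1, 9, 0)
    events = []
    # 120 subscription confirmations to alice from 120 distinct senders in ~20 minutes
    for i in range(120):
        events.append((base + timedelta(seconds=10 * i), "mail", "alice",
                       f"noreply-{i}@constructed-list-{i}.example"))
    # bob gets ordinary traffic: 6 messages from 3 senders
    for i in range(6):
        events.append((base + timedelta(minutes=i), "mail", "bob", f"s{i % 3}@example.com"))
    # external Teams chat to alice 40 minutes in, display name mimicking IT
    events.append((base + timedelta(minutes=40), "teams_ext", "alice",
                   "Help Desk <user@constructed-tenant.example>"))
    # bob also chats with a partner tenant (legitimate B2B, no mail burst behind it)
    events.append((base + timedelta(minutes=45), "teams_ext", "bob", "partner@b2b-partner.example"))
    # a remote-support tool is installed on alice's host 15 minutes after the chat
    events.append((base + timedelta(minutes=55), "install", "alice", "remote-support-tool.exe"))
    return sorted(events)


def mail_bursts(events):
    """Return {user: burst_start} for users who received mail from at least
    MAIL_BURST_THRESHOLD distinct senders inside a MAIL_BURST_WINDOW."""
    per_user = defaultdict(list)
    for ts, kind, user, detail in events:
        if kind == "mail":
            per_user[user].append((ts, detail))
    bursts = {}
    for user, msgs in per_user.items():
        msgs.sort()
        start = 0
        for end in range(len(msgs)):
            # slide the window start forward until it spans at most MAIL_BURST_WINDOW
            while msgs[end][0] - msgs[start][0] > MAIL_BURST_WINDOW:
                start += 1
            senders = {sender for _, sender in msgs[start:end + 1]}
            if len(senders) >= MAIL_BURST_THRESHOLD:
                bursts[user] = msgs[start][0]
                break
    return bursts


def correlate(events):
    """One alert per bombed user who then gets an external Teams chat within
    FOLLOW_UP_WINDOW; severity rises if a tool install follows the chat."""
    alerts = []
    for user, t0 in mail_bursts(events).items():
        deadline = t0 + FOLLOW_UP_WINDOW
        chats = [(ts, d) for ts, k, u, d in events
                 if k == "teams_ext" and u == user and t0 <= ts <= deadline]
        if not chats:
            continue  # a mail flood alone is noisy; require the chat to alert
        first_chat = chats[0][0]
        installs = [(ts, d) for ts, k, u, d in events
                    if k == "install" and u == user and first_chat <= ts <= deadline]
        alerts.append({
            "user": user,
            "burst_started": t0.isoformat(),
            "external_chat_from": chats[0][1],
            "install_after_chat": installs[0][1] if installs else None,
            "severity": "high" if installs else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(make_sample_events()):
        print(alert)
```

Bob’s partner chat never alerts because no mail burst precedes it, which is the point: requiring the chain rather than any single signal is what lets B2B traffic stay open while the bombing-plus-fake-support pattern still surfaces.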
I saw this post about this type of attack HERE. I like their list of indicators that this attack is happening:
- Unexpected or Unusual Requests: Be wary of messages asking for immediate action, sensitive information like passwords or financial details, or requests to bypass standard procedures.
- Suspicious Sender Information: Carefully examine the sender’s name and email address. Look for subtle misspellings, unusual domains, or display names that don’t match the actual email address.
- Poor Grammar and Spelling: While not always the case, phishing messages often contain grammatical errors and typos.
- Urgency and Pressure: Attackers often create a sense of urgency to prevent recipients from thinking critically. Be suspicious of messages demanding immediate action or threatening negative consequences.
- Unfamiliar Attachments or Links: Avoid clicking on links or downloading attachments from unknown or suspicious senders. Hover over links before clicking to preview the actual URL.
- Out-of-Band Verification: If you receive a suspicious request from a known contact, verify its legitimacy through a separate communication channel (e.g., a phone call) before taking any action.
Check out that post for more info about this type of attack and defense in depth approaches to reduce the risk of compromise.