If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish

Digital thieves – quite possibly Kremlin-linked baddies – have been emailing out bogus Microsoft Teams meeting invites to trick victims in key government and business sectors into handing over their authentication tokens, granting access to emails, cloud data, and other sensitive information. According to Microsoft this week, …

  1. elDog

    Oh, it's so much more convenient to just install a mole (or a musk) at the head of the government.

    No need to go through these contortions to trick people into sharing their credentials!

    Hello, Four Eyes - are you watching?

    1. Khaptain Silver badge

      Re: Oh, it's so much more convenient ....

      Alternatively, some other low-IQ people are employed to write comments on El Reg that have nothing to do with the article in question. It makes them look stupid and brings the level of the articles down to meaningless.

      This is an interesting article but some prefer to hijack the articles to blurt out nonsense based upon their political bias. Truly very low-level trolls.

      Have at least a modicum of respect for the writer of the article that took the time and effort to provide something educative. ( In some articles the El Reg writers do push political bias but this was not one of them).

      Now in the words of many great Scotsmen, Fuck Off..

      1. Diogenes8080

        Re: Oh, it's so much more convenient ....

        I think the expression you are searching for is "That's all 'a got for ya, go'way now."

        1. Anonymous Coward

          Re: Oh, it's so much more convenient ....

          That would depend on which part of Scotland you were from.

          An Aberdonian might say that but a Glaswegian might take it even further.

      2. Tilda Rice

        Re: Oh, it's so much more convenient ....

        Bit unfair to the OP given the daily/minutely anti Musk/Trump spewing in these comment sections even on unrelated stories.

        (the # eyes are getting direct access without the need for this effort :))

        >The tech giant also argued the above technique does "not reflect an attack unique to Microsoft nor have we found any vulnerabilities in our code base enabling this activity."

        Protocol / design flaw then?

        https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows

        BYOD not helping. Tricky one if you allow PC<-> Non corp mobile. What a time to be alive.

  2. Paul Hovnanian Silver badge

    Microsoft's loophole

    "falsely posing as a prominent person relevant to the target."

    But they gain the victim's trust by obtaining a device verification code from Microsoft. The victim (incorrectly) assumes that Microsoft has authenticated the attacker as this "prominent person".

    Come on, folks. How do you know that Microsoft's authentication comes anywhere close to the security requirements of your organization? In these cases, it appears to be nowhere near customer expectations. And worse yet, all of this stuff has been worked out, even pre-Internet, with various recognition procedures and codes to gain access to classified, compartmentalized projects.
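The exchange the two comments above are arguing about, as an added example that is not part of the article or of any comment: a toy model of the OAuth 2.0 device authorization grant (RFC 8628). The client asks the identity provider for a device code (kept secret) and a short user code; a user who is already signed in, MFA and all, types the user code at the verification page; the client then polls and receives a token for that user. Nothing in the flow proves who requested the code, which is why a code pasted into a fake meeting invite works. The `block_device_code_flow` flag stands in for the Conditional Access "block authentication flows" policy linked above. The issuer URL, client id and user names are invented, and an in-memory dictionary stands in for the real identity provider.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) and of a
tenant policy that refuses it.  Constructed example for illustration only:
the issuer URL, client id and user names are made up and an in-memory store
stands in for a real identity provider."""
import secrets
import time


class ToyAuthorizationServer:
    """Minimal IdP: hands out device/user code pairs, lets a signed-in user
    approve a user code, and exchanges an approved device code for a token."""

    def __init__(self, block_device_code_flow: bool = False, ttl_seconds: int = 900):
        # Stand-in for a Conditional Access policy blocking the device code flow.
        self.block_device_code_flow = block_device_code_flow
        self.ttl = ttl_seconds
        self.pending = {}  # device_code -> request record

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: any client (here, the attacker's script) asks for a code pair."""
        if self.block_device_code_flow:
            return {"error": "invalid_request",
                    "error_description": "device code flow blocked by tenant policy"}
        device_code = secrets.token_urlsafe(24)   # secret, stays with the client
        user_code = secrets.token_hex(4).upper()  # short code shown to a human
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_by": None, "expires_at": time.time() + self.ttl,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin"}

    def approve_user_code(self, user_code: str, signed_in_user: str) -> bool:
        """Step 2: the victim, already authenticated (MFA included), types the
        user code at the verification URI.  The IdP binds the pending request
        to that session; it has no way to tell who originally asked for it."""
        now = time.time()
        for rec in self.pending.values():
            if (rec["user_code"] == user_code and rec["approved_by"] is None
                    and rec["expires_at"] > now):
                rec["approved_by"] = signed_in_user
                return True
        return False

    def token(self, device_code: str) -> dict:
        """Step 3: the client polls; once approved it gets a token for the victim."""
        rec = self.pending.get(device_code)
        if rec is None or rec["expires_at"] <= time.time():
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": rec["scope"], "subject": rec["approved_by"]}


def run_phish(block_device_code_flow: bool) -> dict:
    """Play the invite phish through the toy IdP and report what the attacker got."""
    idp = ToyAuthorizationServer(block_device_code_flow)
    # Attacker requests a code pair under a plausible-looking (hypothetical)
    # client id and pastes the user code into a fake meeting invite.
    pair = idp.device_authorization(client_id="hypothetical-meeting-app", scope="Mail.Read")
    if "error" in pair:
        return {"outcome": "blocked", "detail": pair["error_description"]}
    # Victim follows the invite and enters the code, thinking it joins a meeting.
    if not idp.approve_user_code(pair["user_code"], "victim@corp.example"):
        raise RuntimeError("user code was not accepted")
    tok = idp.token(pair["device_code"])
    return {"outcome": "token_issued", "subject": tok["subject"], "scope": tok["scope"]}


if __name__ == "__main__":
    print(run_phish(block_device_code_flow=False))  # attacker holds a token for the victim
    print(run_phish(block_device_code_flow=True))   # the policy refuses step 1 outright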

  3. Headley_Grange Silver badge

    If I've understood this correctly, I get an invitation from someone I don't know to a meeting I'm not expecting and I blithely set apart time in my busy day to attend it. Is this really what people do at work?

    1. Richard 12 Silver badge

      Obviously

      I've been asked to attend several meetings like that by various colleagues.

      They're sales meetings where some third party is trying to convince us to buy or subscribe to their product. My task is to take disinterested notes and ask technical questions to determine whether it's likely to be valuable to us.

      Spoiler: It very rarely is. In the majority of cases where a saving is claimed, it was less than the salary cost of us attending that one meeting.

    2. Dan 55 Silver badge

      Depends if you're in sales, marketing, or management or not.

    3. Jou (Mxyzptlk) Silver badge

      This is the real world. You get the invitation from someone you know, but who is from another company. Someone you deal with on a regular basis. All you have to do is perfectly fake a new invitation. And since some email clients (look out!) only show the "Friendly Name" instead of prominently showing the email address, you may have no chance to notice. And even if you can see the email address: "@customer.com" and "@custorner.com" look pretty similar since we live in a time where "beauty of the font" is more important than readability.

      Or in short: You underestimate the reality, until it hits you and makes you humble.

      1. Headley_Grange Silver badge

        Not my world. My job sees me turn up as a stranger in companies. Once the scope's sorted out I ask the boss to put out a broadcast about who I am and what I'm doing, but even then, no one will get a meeting invitation from me before I talk to them either in person or on the phone. Ditto the other way round - if you invite me to a meeting and don't talk to me first then I'll talk to you to find out what it's about before hitting accept. Most of the people I work with are like that - it's not security, it's good manners.

        I'm honestly astonished that anyone would accept an invitation to a meeting without knowing why they are there and who they will be talking to. I guess that when you've got a hundred social-media friends that you've never met then going to a meeting with a stranger is business as usual.

        1. Diogenes8080

          The article discussed lateral movement within an organisation. You would not necessarily be phished by an outsider - you could receive an invitation from someone you already deal with within your own tenancy.

          1. Paul Hovnanian Silver badge

            "someone you already deal with within your own tenancy."

            As authenticated by Microsoft? WhatCouldPossiblyGoWrong?

        2. MachDiamond Silver badge

          "I'm honestly astonished that anyone would accept an invitation to a meeting without knowing why they are there and who they will be talking to. I guess that when you've got a hundred social-media friends that you've never met then going to a meeting with a stranger is business as usual."

          Far more than 50% of people are below average. All that has to happen is you once fail to join a meeting that a superior wanted you in, and you stop being as critical of the invites no matter how off they seem. Just look at PayPal. I was forever complaining at them about the emails they would send out with loads of embedded links that looked exactly like the phishing emails I received. The solution to that was to only send the information and ask people to log into their account by typing in the URL (it's really easy to remember) and reading the latest news posts. This way people won't get fooled by a URL from PayPa1 or paypal.scammer.XXX.

          1. collinsl Silver badge
            Trollface

            Far more than 50% of people are below average.

            Mean, median, or mode? Because if you're using the usual form of "average" to mean mean, then exactly 50% of people are below average, because by average you mean mean, and if you mean mean then it's the middle precisely. However, if you mean median or mean mode rather than meaning mean, then your meaning becomes clear.

            1. MachDiamond Silver badge

              "Mean, median, or mode?"

              "Carlin"

    4. Doctor Syntax Silver badge

      You've just described meetings in general.

    5. MachDiamond Silver badge

      "If I've understood this correctly, I get an invitation from someone I don't know to a meeting I'm not expecting and I blithely set apart time in my busy day to attend it. Is this really what people do at work?"

      I expect it would have to do with the size of the organization and whether there are calls to join a meeting outside of your group from time to time. You may not know everybody working for the company and a phish that's plausible enough could work. Given the ever-diminishing adherence to proper grammar, even something that's particularly awkward might still be accepted as genuine. It used to be a dead give-away on phishing emails when they read like the instructions you get from cheap imported tat you buy on Amazon. For examples, tune into Big Clive's YT channel.

      Thank bog I'm away from all of the corporate muck at this stage of my life and never going back. Zoom, Teams, scrums and agile can go and jump in a lake.

  4. Jou (Mxyzptlk) Silver badge

    I am so NOT surprised

    I mean, look at that stuff... some url with a=G78g/(G/gvbu9gh32&b=87678&G/(z7(SFz78 transferred, combined with a z7n(Zhn89h0juioh cookie on your device, over HTTP without "S" in too many cases or mail... Allowing login for 30 days since the TGT is valid for 30 days, in the end stored unencrypted on your drive 'cause it HAS to be unlocked for you to work.

    The previous Active Directory method was better: not only was the validity of those tokens shorter, it was all in a network somewhat separated from the internet, and not just URL encoding + a plain browser cookie but a somewhat protected (+ extra encrypted) storage area of the OS. But they had to "expand" it "a bit" to "open up new possibilities" - with not much regard for security, obviously. And MFA is a bit like a bodge-fix for a part of the side effects, not all, that those changes entailed. Maybe a third factor? A second FIDO or token device to store the local cookie on? "Secure" TPM 3.0?

    I can already see the news: TPM 3.0 storage chip worn out, all data lost, 'cause flash storage which can be overwritten more often costs 1 cent more. (hold it, wasn't there a Tesla problem of that type?)

  5. blu3b3rry
    Facepalm

    Teams forcibly installed the "new" version when I opened the "classic" version of the app before then locking everything up until I started using the new version, which is seemingly always broken in some manner and lags like hell even on a powerful PC.

    As if that behaviour wasn't enough like malware, it now provides an excellent vector for the ne'er-do-wells to fuck over an organisation. You genuinely couldn't make it up.

    1. Roland6 Silver badge

      > it now provides an excellent vector for the ne'er-do-wells to fuck over an organisation.

      Just wait until CoPilot gets in on the act, expect it to automatically accept invites and have your avatar attend, all without consulting you…

  6. Ken Moorhouse Silver badge

    "...and directly notifies customers who have been targeted"

    Oh, and how would they do that, then?

    1. BartyFartsLast Silver badge

      Re: "...and directly notifies customers who have been targeted"

      "Hello this is support team of Microsoft, I am calling because we have detected virus from your computer"

      1. blu3b3rry

        Re: "...and directly notifies customers who have been targeted"

        "Level 2 senior technician from windows help desk calling as your computer has a virus"

  7. Anonymous Coward

    Think of the small businesses

    And just what exactly is the small business administration supposed to do with this? Block a flow somehow? They don't have full-time sysadmins with deep MS knowledge and training, so this'll be yet another hole in the attack surface for them.

    Along with having to give users admin rights because MS are too tight to bundle Software Centre with 365 Business Premium and unless you’re with your staff all the time you have to cut them some slack, and just hope nothing untoward happens.

    By the way, MS; whose bright idea was it NOT to bundle Teams app updates along with other Office updates? Hmm?

    1. collinsl Silver badge

      Re: Think of the small businesses

      By the way, MS; whose bright idea was it NOT to bundle Teams app updates along with other Office updates? Hmm?

      You can partially blame the EU for forcing M$ to unbundle Teams from M365 subscriptions, plus the fact that as a home user you can install Teams without having the office suite present (if you do all your work in M365 cloud), plus plus you can use the same version of Teams with different versions of office suite, plus plus plus the new teams is just an Electron app pointing at a webpage so why have all the Office infrastructure behind it?

  8. Anonymous Coward

    Clickable links as always

    Once again: most people do not understand what a URL is. Including gov workers. They only understand what clickable text is. They would click anything sent to them from a "trusted source". (Here is the first obvious red flag: accepting random contacts in WhatsApp etc.)

    But the main issue is that a user had to click on a phishing link. Instead a properly trained person must go directly to Microsoft Teams and search for the invitation there. Besides, non-SMS-based MFA is a must.

    Big internet companies themselves should stop sending URLs via email etc., instead promoting case numbers as plain text, which a user must copy/paste into their well-known official websites to be redirected to a specific issue or service. The same applies to banks etc. when they contact you over the phone: they could simply tell you a numeric case number and hang up. The case number should be enough to link or reconnect via official channels.

    The article reads as gibberish, including versions on other sites and Microsoft itself. Only rare security experts could decipher which actionable actions could be taken and what is important.
