
Latest news with #Storm-1811

Microsoft Thwarts US$4 Billion In Fraud Attempts As AI-Driven Scams Surge

BusinessToday, 21-04-2025

  • Business
  • BusinessToday

Microsoft said it blocked nearly US$4 billion in fraud attempts between April 2024 and April 2025, highlighting the scale and sophistication of cybercrime threats amid a global rise in AI-powered scams. According to the latest Cyber Signals report, Microsoft rejected 49,000 fraudulent partner enrolments and prevented approximately 1.6 million bot sign-up attempts per hour, as AI tools continue to lower the barrier for cybercriminals.

Generative AI tools are now used to craft convincing fake websites, job scams, and phishing campaigns with deepfakes and cloned voices. Microsoft observed a growing trend of AI-assisted scams originating from regions like China and Germany, where digital marketplaces are most active. Threat actors are now able to build fraudulent e-commerce websites and customer service bots in minutes, leveraging AI-generated content to mislead consumers into trusting fake storefronts and reviews. These deceptive practices have become increasingly difficult to detect.

Microsoft's multi-layered response includes domain impersonation protection, scareware blockers, typo protection, and fake job detection systems across Microsoft Edge, LinkedIn, and other platforms. Windows Quick Assist has also been enhanced with in-product warnings and fraud detection. The tool now blocks over 4,400 suspicious connection attempts daily, thanks to Digital Fingerprinting and AI-driven risk signals. Scammers continue to exploit job seekers by generating fake listings, AI-written interviews, and phishing campaigns. Microsoft recommends that job platforms enforce multifactor authentication and monitor for deepfake-generated interviews to mitigate risks. Meanwhile, groups like Storm-1811 have impersonated IT support via Windows Quick Assist, gaining unauthorised device access without using AI. Microsoft has since strengthened safeguards and suspended accounts linked to such abuse.

As part of its Secure Future Initiative, Microsoft introduced a new policy in January 2025 requiring all product teams to perform fraud risk assessments during the design phase. The goal is to embed security measures directly into the architecture of products and services. Corporate Vice-President of Anti-Fraud and Product Abuse, Kelly Bissell, said Microsoft's defence strategy relies not only on technology but also on public education and industry collaboration. Microsoft is working closely with global enforcement agencies through the Global Anti-Scam Alliance (GASA) to dismantle criminal infrastructures. 'Cybercrime is a trillion-dollar problem. AI gives us the ability to respond faster, but it also requires all of us—tech firms, regulators, and users—to work together,' said Bissell.

To stay protected, consumers are advised to:

  • Verify job listings and company legitimacy.
  • Avoid unsolicited offers via text or personal emails.
  • Be wary of websites offering 'too good to be true' deals.
  • Use browsers with fraud protection and never share personal or financial information with unverified sources.

Microsoft Teams Users Exploited In Sophisticated Multi-Stage AI Attack

Forbes, 01-04-2025

  • Forbes

Microsoft Teams used in sophisticated hack attack.

Phishing attacks are getting increasingly sophisticated, from the use of smartphone farms to launch attacks, to hard-to-detect AI-driven threats, to the use of legitimate Microsoft 365 emails to bypass security controls. But the phishing attack is only the first stage of the process, as this multi-level hack attack targeting Microsoft Teams users demonstrates only too well.

Signed, sideloaded and compromised. That's how security researchers at the Ontinue Cyber Defence Centre have described a sophisticated multi-stage attack that starts with a Microsoft Teams message delivering a malicious PowerShell payload and, by way of remote access tooling and living-off-the-land binaries, gains initial access and persistence through a JavaScript-based backdoor on victim devices. 'This attack chain highlights how a relatively simple vishing-based social engineering tactic can escalate into a full-scale compromise when paired with trusted tooling, signed binaries, and stealthy second-stage payloads,' the researchers warned.

Although the Ontinue researchers were unable to attribute the attacks with a high level of confidence, they did find a number of striking similarities with a threat actor identified by Microsoft as Storm-1811. The full technical details can be found in the report, but the researchers found that the attack started with the threat actors sending a message by way of Microsoft Teams, creating an external chat. 'The actor transmitted a PowerShell command directly via the Teams message,' Ontinue said, 'and also utilised the QuickAssist remote tool to gain access to the target device remotely.' The root cause of the incident was a video messaging attack, something that I have already reported is surging, with an increase of 1633% in quarter one of 2025 alone.

I have reached out to Microsoft for a statement. J Stephen Kowski, field chief technology officer at SlashNext Email Security+, said that real-time scanning across all communication channels, not just email, is essential, since these attacks often start with social engineering before deploying malicious tools such as sideloaded DLLs. 'Advanced protection that combines computer vision, natural language processing, and behavioral analysis can identify these sophisticated attacks even when they use legitimate-looking tools or QR codes,' Kowski concluded.

'The attacker sideloaded a malicious DLL that dynamically commandeered a trusted process, transforming routine remote support into a covert entry point,' Jason Soroko, a senior fellow at Sectigo, said. Calling every move made by the threat actor 'lean,' Soroko advised that security teams should be on the lookout for 'Microsoft Teams messages containing PowerShell commands, unexpected use of QuickAssist, and signed binaries running from nonstandard locations.'
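An added example, not code from Ontinue, Forbes or any vendor quoted above, that turns Soroko's three hunting points into a triage pass over constructed Teams and process-start events. The event schema, the trusted-directory list, the Quick Assist path and all sample values are assumptions made for this example.

```python
"""Triage pass for the Teams / Quick Assist chain described in the article.
Rules: (1) external Teams message carrying PowerShell, (2) Quick Assist started
by a user who just received such a message, (3) signed binary launched from a
nonstandard location. Event layout below is an assumption for this example."""
import re
from pathlib import PureWindowsPath

# Assumed locations where a signed vendor binary is normally expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh|invoke-expression|iex)\b", re.IGNORECASE)


def triage(events):
    """Return (rule, subject) findings; events are assumed to be in time order."""
    findings = []
    lured = set()  # users who received an external Teams message containing PowerShell
    for ev in events:
        if ev["type"] == "teams_message":
            if ev["external"] and POWERSHELL_RE.search(ev["body"]):
                findings.append(("teams_powershell", ev["recipient"]))
                lured.add(ev["recipient"])
        elif ev["type"] == "process_start":
            image = ev["image"]
            low = image.lower()
            if PureWindowsPath(low).name == "quickassist.exe" and ev["user"] in lured:
                # Remote-support tool started after an external chat pushed PowerShell.
                findings.append(("unexpected_quickassist", ev["user"]))
            if ev["signed"] and not low.startswith(TRUSTED_PREFIXES):
                findings.append(("signed_binary_nonstandard_path", image))
    return findings


# Constructed sample telemetry for the chain described in the article.
SAMPLE_EVENTS = [
    {"type": "teams_message", "external": True, "recipient": "alice",
     "body": "IT here: run powershell -c <redacted> so we can fix your mailbox"},
    {"type": "teams_message", "external": False, "recipient": "bob",
     "body": "lunch? also the powershell lab is at 3"},
    {"type": "process_start", "user": "alice", "signed": True,
     "image": "C:\\Program Files\\WindowsApps\\QuickAssistSample\\QuickAssist.exe"},
    {"type": "process_start", "user": "alice", "signed": True,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\support\\Helper.exe"},
    {"type": "process_start", "user": "bob", "signed": True,
     "image": "C:\\Program Files\\Vendor\\tool.exe"},
]

if __name__ == "__main__":
    for rule, subject in triage(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

The internal message mentioning PowerShell and the signed binary under Program Files are deliberately left unflagged, so the rules key on the external-chat context rather than on the keyword alone.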
