{"id":11395,"date":"2026-03-17T10:03:48","date_gmt":"2026-03-17T10:03:48","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/17\/attackers-hijacking-legitimate-websites-to-attack-microsoft-teams-users\/"},"modified":"2026-03-17T10:03:48","modified_gmt":"2026-03-17T10:03:48","slug":"attackers-hijacking-legitimate-websites-to-attack-microsoft-teams-users","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/17\/attackers-hijacking-legitimate-websites-to-attack-microsoft-teams-users\/","title":{"rendered":"Attackers Hijacking Legitimate Websites to Attack Microsoft Teams users"},"content":{"rendered":"<div>\n<p>A multi-vector phishing campaign is using compromised WordPress sites to <a href=\"https:\/\/cybersecuritynews.com\/attackers-abuse-microsoft-teams-to-drop-a0backdoor\/\" target=\"_blank\" rel=\"noreferrer noopener\">steal login credentials from Microsoft Teams<\/a> and Xfinity users. By hijacking these trusted sites, attackers can bypass security filters and trick victims into disclosing sensitive information.<\/p>\n<p>The threat actors are not relying on a single method to trick their victims. 
Instead, they are <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-attacking-fans-of-belgian-grand-prix\/\" target=\"_blank\" rel=\"noreferrer noopener\">utilizing three distinct phishing lures<\/a> designed to create a false sense of urgency:<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgScmeH7iX8DM3Vkz7-YXhtuoAxRWmD_I1ATZNoOWGCJdx6iIhdmvukYObNLMXH4h5ZSPQFBdYMz9Xy6smTQWU_aoco2X9Xdn2_dqCp0kEwlEfU6VawlyDG5G4uUOPQWG4_2v2zVQwPe0l8Y3PuqcCxN_6V0bdEyhuS6fFTVaCqDoUM0cwwOSHpcx8_7Aw\/s1600\/Screenshot%25202026-03-17%2520115404%2520%25281%2529.webp?ssl=1\" alt=\" Fake Missed Voicemail Alert( source : X post by KnowBe4 Threat Labs)\"><figcaption class=\"wp-element-caption\">Fake Missed Voicemail Alert (Source: X post by KnowBe4 Threat Labs)<\/figcaption><\/figure>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Teams Voice Message:<\/strong>\u00a0An email notification claiming the user has a missed voicemail on Microsoft Teams.<\/li>\n<li>\n<strong>Shared Documents:<\/strong>\u00a0A deceptive alert stating a new document has been shared, pushing the user to click quickly to view the file.<\/li>\n<li>\n<strong>UAE Pass Spoofing:<\/strong>\u00a0A regionally targeted lure that sends fake login requests to users of the <a href=\"https:\/\/cybersecuritynews.com\/passwordless-authentication-2\/\" target=\"_blank\" rel=\"noreferrer noopener\">UAE Pass digital identity system.<\/a>\n<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"h-how-the-attack-chain-works\"><strong>How the Attack Chain Works<\/strong><\/h2>\n<p>The campaign follows a carefully planned attack chain designed to capture user credentials for downstream account takeovers:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgOHJi7JI2Q_qEGElk6-7JU2Ous84X0agZ7ElMIDpo_A0zCfGcBCEP2Qy-nLGzDjoajSv3h7EPVvhPz3bq34qBUnXnOsNUCX6PL3nmEOGFntUKQbeLv6t5FiZ8x-QZVNYg_J5dkCa94-D5MYkW3dPDW9KyLDMtHq4Up9MCp94PZ5dTR2LihQ_Kj9HRJK_s\/s1600\/Screenshot%202026-03-17%20115420%20%281%29.web\" alt=\"UAE Pass spoofing via fake login requests( source : X post by KnowBe4 Threat Labs)\"><figcaption class=\"wp-element-caption\">UAE Pass spoofing via fake login requests (Source: X post by KnowBe4 Threat Labs)<\/figcaption><\/figure>\n<p><strong>The Hook:<\/strong>\u00a0<a href=\"https:\/\/cybersecuritynews.com\/gtfire-phishing-scheme-abuses-google-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">The victim receives a phishing email<\/a>, such as a fake \u201cTeams Voice Message\u201d alert, containing a \u201cListen Now\u201d button.<\/p>\n<p><strong>The Pivot:<\/strong>\u00a0When the user clicks the link, they are secretly redirected through a tracking domain, specifically\u00a0skimresources[.]com.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgD6NSPwRzBAgz1s3I4PJ7MLDoGYJoPxQzTW0JPE_YqMrrvtxvE9hp9zc5hJb_V2ba0-4SakoL7WByrHOIAamgQYQrKamiKPKeTXl58NL79FZFLRj4C1S6M_CpAg9qklv74i0_a-DCDw5Nw1CBAtRYbIjhJAHkZvBJbhWOlutYXPNH_xKu8P9Uj4oXa_-g\/s1600\/Screenshot%25202026-03-17%2520115451%2520%25281%2529.webp?ssl=1\" alt=\"New Document Shared alert to create urgency( source : X post by KnowBe4 Threat Labs)\"><figcaption class=\"wp-element-caption\">New Document Shared alert to create urgency (Source: X post by KnowBe4 Threat Labs)<\/figcaption><\/figure>\n<\/div>\n<p><strong>The Payload:<\/strong>\u00a0The redirect ultimately lands the victim on a highly convincing, <a href=\"https:\/\/cybersecuritynews.com\/gmail-phishing-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">pixel-perfect 
fake login page<\/a>. These fake pages mimic Microsoft Teams, Xfinity, or UAE Pass.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgL7HrLdC-1GUnh1mgjS5t4qJPE-wncUdSKY_pJvNH2GTyYW9SIZ_2QGuBmOX-aml5837QTvvhgEtkqfA7jZM3nZVlCdj67HsDpqV-4hh68LUNMncfVgK5Wm7NJbfC80H_to6OtvecSdEaQTLH7QGLKIh69lcRedFn5yDm9wOIvQN2O4_7drh8ZpIulgb8\/s1600\/Screenshot%25202026-03-17%2520115436%2520%25281%2529.webp?ssl=1\" alt=\"Users land on a pixel-perfect fake Xfinity login page( source : X post by KnowBe4 Threat Labs)( source : X post by KnowBe4 Threat Labs)\"><figcaption class=\"wp-element-caption\">Users land on a pixel-perfect fake Xfinity login page (Source: X post by KnowBe4 Threat Labs)<\/figcaption><\/figure>\n<\/div>\n<p><strong>The Goal:<\/strong>\u00a0Once the user enters their username and password, attackers harvest the credentials to completely take over the victim\u2019s accounts.<\/p>\n<p>A key feature of <a href=\"https:\/\/cybersecuritynews.com\/hackers-weaponizing-wordpress-websites\/\" target=\"_blank\" rel=\"noreferrer noopener\">this campaign is the abuse of legitimate WordPress websites<\/a>.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f6a8.png?ssl=1\" alt=\"\ud83d\udea8\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\">PHISHING ALERT: Multi-Vector Phishing via Compromised WordPress Sites <img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f6a8.png?ssl=1\" alt=\"\ud83d\udea8\" 
class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\"><\/p>\n<p>KnowBe4 Threat Labs is tracking an active campaign leveraging compromised WordPress infrastructure to host a suite of phishing pages targeting Microsoft Teams users and Xfinity credentials.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f6e1.png?ssl=1\" alt=\"\ud83d\udee1\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\"> The Attack\u2026 <a href=\"https:\/\/t.co\/XC3CMUkTBN\">pic.twitter.com\/XC3CMUkTBN<\/a><\/p>\n<p>\u2014 KB4ThreatLabs (@Kb4Threatlabs) <a href=\"https:\/\/twitter.com\/Kb4Threatlabs\/status\/2033540324484854152?ref_src=twsrc%5Etfw\">March 16, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>The attackers are hacking into poorly secured sites and <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-attacking-ics-computers\/\" target=\"_blank\" rel=\"noreferrer noopener\">hiding their malicious phishing pages<\/a> deep within standard system folders.<\/p>\n<p>By placing their fake login pages in core directories like\u00a0\/wp-includes\/\u00a0or\u00a0\/bin\/, the attackers can hide in plain sight, avoiding immediate detection by website owners and automated security scanners.<\/p>\n<p>Security teams and network administrators should block the following compromised domains and file paths associated with this campaign:<\/p>\n<ul class=\"wp-block-list\">\n<li><code>crsons[.]net\/wp-includes\/js\/tinymce\/~<\/code><\/li>\n<li><code>crsons[.]net\/wp-includes\/cgi\/UAE%20PASS.htm<\/code><\/li>\n<li><code>afghantarin[.]com\/afghantarin\/admin\/waitme\/~<\/code><\/li>\n<li><code>medinex[.]in\/includes\/bin\/index[.]php<\/code><\/li>\n<li><code>cabinetzeukeng[.]net\/config\/[.]bin\/voicemail<\/code><\/li>\n<li><code>rnedinex[.]com<\/code><\/li>\n<\/ul>\n<p>To protect against this 
threat, organizations should train employees to carefully verify email senders and hover over links before clicking, especially when receiving unexpected voicemails or document alerts.<\/p>\n<p>Additionally, website administrators must ensure their WordPress installations, themes, and plugins are fully updated to prevent their infrastructure from being weaponized.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hijacking-websites-microsoft-teams-users\/\">Attackers Hijacking Legitimate Websites to Attack Microsoft Teams users<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers Hijacking Legitimate Websites to Attack Microsoft Teams users A multi-vector phishing campaign using compromised WordPress sites to steal login credentials from Microsoft Teams and Xfinity users. By hijacking these trusted sites, attackers can bypass security filters and trick victims into disclosing sensitive information. 
The threat actors are not relying on a single method to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,158,124,593],"tags":[130],"class_list":["post-11395","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-microsoft","category-phishing","category-wordpress","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11395"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11395"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11395\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}