Attackers Hijacking Legitimate Websites to Target Microsoft Teams Users

Published on: March 17, 2026

Overview:

Security researchers from KnowBe4 Threat Labs have identified a large-scale phishing campaign where attackers compromise legitimate websites and use them to steal user credentials.

Instead of using fake domains, attackers inject phishing pages into trusted WordPress websites, making the attack harder to detect. The campaign mainly targets users of Microsoft Teams, along with Xfinity and UAE Pass users.

 

Who It Impacts:

  • Organizations using Microsoft Teams
  • Users of Xfinity services
  • UAE-based users using UAE Pass
  • Enterprises relying on email and collaboration platforms
  • Any users who click links from emails or messages

 

How It Impacts:

1. The Hook - The victim receives a phishing email (e.g., a Teams voicemail alert or a shared document notification)

2. The Pivot - Clicking the link redirects through a tracking domain:

  • skimresources[.]com

3. The Payload - The victim lands on a fake login page

Pages mimic:

  • Microsoft Teams
  • Xfinity
  • UAE Pass

These pages are hosted on compromised WordPress websites.

4. The Goal - Credentials are stolen instantly

Attackers can:

  • Take over accounts
  • Access corporate systems
  • Perform further attacks

 

Social Engineering Lures:

Attackers use convincing messages to trick users:

  • Teams Voicemail Alerts

    “You missed a voicemail – Click ‘Listen Now’”

  • Shared Document Notifications

    Urgent request to review a document

  • UAE Pass Spoofing

    Fake login prompts targeting UAE users

 

These messages appear legitimate and create urgency, increasing the chance of clicks.

 

Evasion Techniques:

Attackers hide malicious content inside normal website directories such as:

  • /wp-includes/
  • /bin/
  • /config/

This allows them to blend in with legitimate files, bypass security tools, and abuse trust in real websites.

Indicators of Compromise (IOCs):

Malicious URLs / Domains:

  • crsons[.]net/wp-includes/js/tinymce/~
  • crsons[.]net/wp-includes/cgi/UAE%20PASS.htm
  • afghantarin[.]com/afghantarin/admin/waitme/~
  • medinex[.]in/includes/bin/index[.]php
  • cabinetzeukeng[.]net/config/[.]bin/voicemail
  • rnedinex[.]com

 

Recommendations:

  • Please check and block the IOCs (Domains & URLs) at the organizational level
  • Enforce Conditional Access for Microsoft Teams
  • Please check and enable Multi-Factor Authentication (MFA)
  • Educate users to verify links carefully, even from trusted domains
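
One way to run the IOC check from the first recommendation over proxy logs, as an added example (not code from KnowBe4 or from this advisory). It matches on host plus path prefix and also inspects URLs nested in a redirector's query string; the log format, the `url` parameter name, and reading a trailing "~" as an elided remainder are assumptions.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# IOCs exactly as listed in this advisory (defanged).
DEFANGED_IOCS = [
    "crsons[.]net/wp-includes/js/tinymce/~",
    "crsons[.]net/wp-includes/cgi/UAE%20PASS.htm",
    "afghantarin[.]com/afghantarin/admin/waitme/~",
    "medinex[.]in/includes/bin/index[.]php",
    "cabinetzeukeng[.]net/config/[.]bin/voicemail",
    "rnedinex[.]com",
]

def split_url(url):
    """Refang a URL and split it into (host, decoded path, raw query)."""
    url = url.strip().replace("[.]", ".")
    url = url if "://" in url.split("?", 1)[0] else "http://" + url
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL: nothing to match on
        return "", "/", ""
    return (parts.hostname or "").lower(), unquote(parts.path) or "/", parts.query

# Assumption: a trailing "~" marks an elided remainder, so paths match by prefix.
IOCS = [(raw, *split_url(raw.rstrip("~"))[:2]) for raw in DEFANGED_IOCS]

def match_ioc(url, depth=2):
    """Return the IOC hit by url, or by a URL nested in its query string, else None."""
    host, path, query = split_url(url)
    for raw, ioc_host, ioc_path in IOCS:
        if (host == ioc_host or host.endswith("." + ioc_host)) and path.startswith(ioc_path):
            return raw
    for _, value in parse_qsl(query) if depth else ():
        if "." in value and (hit := match_ioc(value, depth - 1)):
            return hit
    return None

# Constructed proxy log lines: timestamp, user, URL. The "url" parameter name is assumed.
SAMPLE_LOG = """\
2026-03-17T09:02:11Z alice https://skimresources[.]com/?id=0&url=https%3A%2F%2Fcrsons[.]net%2Fwp-includes%2Fcgi%2FUAE%2520PASS.htm
2026-03-17T09:05:40Z bob https://cabinetzeukeng[.]net/config/.bin/voicemail/index.html
2026-03-17T09:07:02Z carol https://example.org/wp-includes/js/jquery/jquery.min.js
2026-03-17T09:09:30Z dave http://login.rnedinex[.]com/
"""

def scan(log_text):
    """Return (user, ioc) for every log line whose URL hits an IOC."""
    rows = (line.split(maxsplit=2) for line in log_text.splitlines())
    hits = ((r[1], match_ioc(r[2])) for r in rows if len(r) == 3)
    return [(user, ioc) for user, ioc in hits if ioc]
```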
