Microsoft Teams: Quick Look on the Phishing Attacks by Hackers

In the digital age, cyber threats are evolving at an alarming rate. One such threat that has recently come to light involves hackers using Microsoft Teams for phishing attacks to spread malware. This article aims to provide a detailed overview of this issue, including the methods employed by the hackers, examples of such attacks, and measures to prevent them.

The Microsoft Teams Threat Landscape

Cybercriminals are leveraging Microsoft Teams, a popular business communication and video conferencing platform, for a new malware campaign. They use group chat requests to push DarkGate malware payloads. The attackers may have exploited a compromised Teams user to send over 1,000 malicious invites. Once installed, the malware contacts its command-and-control server, identified as part of the DarkGate infrastructure.

How the Attacks are Carried Out

The attackers use a variety of methods to carry out these attacks. For instance, they drop executable files into Teams conversations to infect a victim’s device with Trojans. The attackers gain access by hacking into a user’s email account or by using stolen Microsoft 365 credentials. Once inside, they can bypass protections and access various systems.

In another example, a hacker posed as a CEO who was traveling to China. The hacker sent a WhatsApp message to relevant employees, inviting them to join a Teams meeting. In the meeting, the employees saw what they thought was the CEO over the webcam (actually made with video footage from a past TV interview). As there was no audio, the fake CEO asked that — due to a bad connection — employees instead send him the requested information on a SharePoint link, which he then dropped into the chat.

What to Watch Out For

DarkGate has various capabilities, including a Virtual Network Computing (VNC), Windows Defender bypass tools, a browser history theft tool, a reverse proxy, a file manager, and a Discord token stealer. Therefore, users should be vigilant about any unfamiliar file deliveries or surprising lines of communication.

Preventive Measures

To defend against such attacks, organizations are advised to install protection that inspects all incoming files and secures all communication suites, including Microsoft Teams. Users can add an extra layer of protection to their devices today with solutions like Trend Micro Maximum Security.

Microsoft also provides several preventive measures. For instance, Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender. Organizations with Microsoft Defender for Office 365 can further protect Microsoft Teams users from malicious phishing attacks.

Moreover, organizations are advised to restrict channel email messages to approved domains, configure meeting settings to restrict presenters, and limit domains for external access. It is also advisable for most companies to disable External Access in Microsoft Teams unless absolutely necessary for daily business use.

Kaspersky Report on the Microsoft Teams Issue

According to a report by AT&T Cybersecurity research, hackers are using Microsoft Teams group chat requests as new phishing attacks to push malicious attachments that can install DarkGate malware payloads on victims’ systems. The report claims that once the malware is installed on a victim’s system, it will reach out to its command-and-control server. This server has already been identified as part of DarkGate malware infrastructure by Palo Alto Networks.

The hackers were able to push this phishing campaign as Microsoft allows Teams users to message other users by default. AT&T Cybersecurity network security engineer Peter Boyle has warned: “Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel.”

Microsoft’s Statement on the Microsoft Teams Issue

Microsoft has acknowledged the issue and has taken steps to address it. In a blog post, Microsoft Threat Intelligence identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard.

Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

In addition, Microsoft has promised to roll out new — but unspecified — anti-phishing defenses for Teams users. They have also released a Jupyter Notebook, written using MSTICPy, their open-source cybersecurity toolkit to help conduct investigations.

Microsoft Teams users can now be protected from malicious link-based phishing attacks using the power of Safe Links in Microsoft Defender for Office 365. Safe Links provides protection against the sharing of malicious links.

Conclusion

In conclusion, both Kaspersky and Microsoft have acknowledged the issue and are taking steps to address it. Users are advised to stay vigilant and follow the recommended security practices to protect themselves from such attacks.

As the use of collaboration tools like Microsoft Teams continues to grow, so does the risk of cyber threats. It is crucial for organizations to stay informed about these threats and take appropriate measures to protect their systems and data. By being vigilant and implementing robust security measures, organizations can significantly reduce their risk of falling victim to such attacks.

---

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.