Attackers use Microsoft Teams as a launching pad for malware

Hackers are starting to realize that Microsoft Teams is a great way to spread tentacles into an organization’s systems. Since the beginning of the year, Avanan has seen more and more hackers dropping malware into Teams conversations.

“We’ve seen thousands of attacks per month in our user base,” Jeremy Fuchs, cybersecurity research analyst at Avanan, told Help Net Security.

Ongoing attacks

As seen by Avanan, this iteration of the attack involves attackers attaching .exe files to Teams chats. The file name is currently UserCentric.exe, but that can easily be changed to another generic, innocuous-sounding label.

Once downloaded and run, the executable writes data to the Windows Registry, installs DLL files, and creates shortcut links that allow the program to administer itself. In effect, this allows attackers to take control of the victim’s computer. This too

In order to use this avenue of attack, hackers first need to take control of a Microsoft Teams account. Since most business editions of Microsoft 365 include Teams, they do so by compromising Microsoft 365 credentials – either through phishing or by buying compromised credentials on the dark web.

Additionally, as Fuchs notes, attackers can compromise a partner organization and eavesdrop on cross-organizational discussions, or compromise an email address and use it to access Teams.
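As an added example (not from Avanan or the original article), the following triage check over exported chat records flags executable attachments by extension rather than by the name UserCentric.exe, since that name can be changed, and lists senders from outside the home tenant first. The record fields (`sender_tenant`, `attachments[].name`), the extension lists and the sample data are assumptions constructed for illustration.

```python
import os

# Assumed policy list: extensions Windows executes or interprets when opened.
RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd",
             ".ps1", ".vbs", ".js", ".lnk"}
# Document-style extensions often placed before the real one ("invoice.pdf.exe").
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def classify(name):
    """Return (risky_ext, has_decoy) for an attachment name; risky_ext is None if benign."""
    # Win32 drops trailing dots and spaces, so "a.exe. " is saved as "a.exe".
    cleaned = name.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(cleaned)
    if ext not in RISKY_EXT:
        return None, False
    return ext, os.path.splitext(stem)[1] in DECOY_EXT

def review_messages(messages, home_tenant):
    """Return findings for executable attachments, external senders first."""
    findings = []
    for msg in messages:
        for att in msg.get("attachments", []):
            ext, decoy = classify(att.get("name", ""))
            if ext is None:
                continue
            findings.append({
                "message_id": msg["id"],
                "sender": msg["sender"],
                "file": att["name"],
                "extension": ext,
                "decoy_extension": decoy,
                # Partner and guest accounts are reviewed first.
                "external_sender": msg.get("sender_tenant") != home_tenant,
            })
    findings.sort(key=lambda f: not f["external_sender"])  # stable sort
    return findings

# Constructed sample records (hypothetical export format, not real data).
SAMPLE = [
    {"id": "m1", "sender": "alice@corp.example", "sender_tenant": "corp",
     "attachments": [{"name": "Q1-budget.xlsx"}]},
    {"id": "m2", "sender": "bob@corp.example", "sender_tenant": "corp",
     "attachments": [{"name": "UserCentric.exe"}]},
    {"id": "m3", "sender": "carol@partner.example", "sender_tenant": "partner",
     "attachments": [{"name": "Invoice.pdf.EXE "}]},
]

if __name__ == "__main__":
    for finding in review_messages(SAMPLE, home_tenant="corp"):
        print(finding)
```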

Microsoft Teams as the perfect way to spread malware

Many things make this type of attack possible. The malware apparently has virtualization/sandbox evasion capabilities. Scanning for malicious links and files is limited in Microsoft Teams, Fuchs says, and many third-party security solutions aren’t very good at Teams-specific protection.

On top of that, while most employees have now learned to second-guess identities in email, they still have an inherent trust in identities on Teams.

“For example, an Avanan analysis of hospitals that use Teams found that doctors share patient medical information with virtually no limits on the Teams platform. Medical staff are generally aware of the security rules and risks of sharing information via email, but are unaware of them when it comes to Teams. In their minds, anything can be sent to Teams,” Fuchs explained.

“Additionally, almost all users can invite people from other departments and there is often minimal oversight when invitations are sent or received from other businesses. Due to unfamiliarity with the Teams platform, many will just trust and approve requests. Within an organization, a user can very easily impersonate someone else, whether it’s the CEO, the CFO, or the IT help desk.”