Security researchers warn that attackers are abusing Microsoft Teams accounts to join chats and send malicious executables to other users. Every month, over 270 million users rely on Microsoft Teams, and many of them blindly trust the platform despite its lack of anti-malware measures.
According to researchers at Avanan, a Check Point business that secures cloud email and collaboration services, hackers began dropping dangerous executable files in conversations on the Microsoft Teams communication platform. In attacks that started in January, the threat actor inserts a file called “User Centric” into a chat to trick the user into running it. Once executed, the malware writes data to the system registry, installs DLLs, and establishes persistence on the Windows PC.
“In this Teams attack, hackers have attached a malicious Trojan document to a chat thread. When clicked on, the file will eventually take over the user’s computer.” – Avanan.
The method used to obtain access to Teams accounts is unknown. However, it might involve phishing for email or Microsoft 365 credentials or compromising a partner business. Automated analysis of the malware delivered this way reveals that the trojan can establish persistence using Windows Registry Run keys or by adding an entry to the start-up folder.
It also gathers detailed information on the operating system and the hardware on which it runs, as well as the machine’s security status based on the OS version and patches installed. According to Avanan experts, the attack is simple, but it might be quite effective because many users trust files sent through Teams. The company evaluated data from Teams-enabled institutions and discovered that doctors freely communicate medical information on the platform.
Because of email phishing awareness training, individuals are usually wary of information received by email, but they are not as careful with files received via Teams. Additionally, Teams allows guest and external access, enabling collaboration with people outside the organization. Avanan says that these invites are frequently met with little oversight.
“Because of the unfamiliarity with the Teams platform, many will just trust and approve the requests. Within an organization, a user can very easily pretend to be someone else, whether it’s the CEO, CFO or IT help desk” – Avanan
According to the researchers, the problem is compounded by “the fact that default Teams protections are lacking, as scanning for malicious links and files is limited” and because “many email security solutions do not offer robust protection for Teams.” To counter such attacks, Avanan suggests the following:
- Implement a security solution that scans all files in a sandbox for malicious content.
- Secure all lines of company communication, including Teams, with a comprehensive, full-suite security solution.
- Encourage end-users to contact IT if they see an unexpected file.
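
The persistence behaviour reported above (Registry Run keys or a start-up folder entry) can be hunted for in endpoint telemetry. The following is an added example, not code from Avanan or the original article: it assumes Sysmon-style events (ID 13 for a registry value set, ID 11 for a file created) already parsed into dictionaries, and the sample events, host names and the user-writable-folder heuristic are constructed for illustration.

```python
import re

# Autorun registry values (Run / RunOnce under HKLM or a user hive, incl. WOW6432Node).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Per-user and all-users Startup folders.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Assumption: a process image under these user-writable folders is a recently saved file.
USER_DROP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)

def persistence_kind(event):
    """Classify one Sysmon-style event: 13 = registry value set, 11 = file created."""
    if event["EventID"] == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return "run-key"
    if event["EventID"] == 11 and STARTUP_DIR.search(event.get("TargetFilename", "")):
        return "startup-folder"
    return None

def find_suspicious_persistence(events):
    """Return (computer, kind, image) for persistence set by a user-dropped binary."""
    alerts = []
    for event in events:
        kind = persistence_kind(event)
        if kind and USER_DROP.search(event["Image"]):
            alerts.append((event["Computer"], kind, event["Image"]))
    return alerts

# Constructed sample events (not taken from the Avanan report).
DROPPED = r"C:\Users\alice\Downloads\User Centric.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS-01", "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Helper"},
    {"EventID": 11, "Computer": "WS-02", "Image": DROPPED,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    # Installed software registering its own autorun: persistence, but not from a drop folder.
    {"EventID": 13, "Computer": "WS-03", "Image": r"C:\Program Files\ExampleApp\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp"},
    # Dropped binary writing an ordinary temp file: not a persistence location.
    {"EventID": 11, "Computer": "WS-01", "Image": DROPPED,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\data.bin"},
]

if __name__ == "__main__":
    for alert in find_suspicious_persistence(SAMPLE_EVENTS):
        print(alert)
```

Requiring both conditions (a persistence location and a process image in a user-writable folder) keeps routine autorun registrations by installed software out of the results.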