Skip to main content

Not-So-Harmless Chats — MS Teams Used To Distribute Malware

Why Inherent Trust Of Microsoft Teams Isn’t Such A Great Idea!

May 19, 2022

By Rodman Ramezanian - Enterprise Cloud Security Advisor

According to reporting from Bleeping Computer, threat actors are ramping up their efforts against Microsoft Teams for malware distribution by planting malicious documents in chat threads, ultimately resulting in victims executing Trojans that hijack their corporate systems.

Traditionally, hackers have focused their targets on Microsoft’s universal document and sharing suites – Office and its cloud-based Office 365 – with attacks against individual apps, such as Word, Excel, and others.

Now, thanks to its tremendous adoption surge since COVID-19 (much like many other SaaS applications), Microsoft Teams continues to be an exceedingly prevalent attack surface. As many organizations’ employees continue working remotely, the reliance on Microsoft Teams to collaborate is stronger than ever before. According to market insights from Statista, the number of daily active users of Teams nearly doubled from 2020 to 2021, with reports from Microsoft now claiming 270 million monthly active users as of January 2022.

With successful spear-phishing and business email compromise attacks being amplified by lackluster security authentication methods, threat actors gain access to corporate Microsoft 365 accounts that, in turn, grant them access to inter-organizational applications, chats, files, and directories.

From there, sending Trojan-loaded files via Teams chat messages take very little effort, and thus result in user execution. Unfortunately, disaster then ensues with the commandeering of the user’s system.

Why Do These Breaches Occur?

Spear-phishing and BEC attack vectors are nothing new (which does not excuse lenient security practices), and users are typically cautious of data received over email – thanks to internal email phishing awareness trainings. Most, however, tend to exhibit little caution or doubt about files received over a private and corporate chat platform; particularly with seemingly innocent attachments named “User Centric.” At that point, “the user is the weakest link” as the saying goes, and thus provides the threat actor with the foothold he/she needs to administer control of the system. Sadly, MS Teams’ limited native protections exacerbate these types of attacks.

What Can Be Done?

  • User awareness training is always essential when facing matters involving phishing and business account compromises.
  • Mandating use of multi-factor authentication is also vital to help prevent account hijacking.
  • Unfortunately, these alone may not be enough to protect users against very convincing attacks.
  • Admittedly, Microsoft Teams itself isn’t exactly feature-rich when it comes to screening messages and files for malicious content.
  • For this reason, it is highly recommended to utilize a security platform that unifies malware protection, data loss prevention, behavioral analytics, and collaboration control not only for Teams, but also for all other Microsoft 365 services, such as Sharepoint and OneDrive, that can typically facilitate account compromises in the first place.

Use Skyhigh Security?

Rodman Ramezanian

About the Author

Rodman Ramezanian

Enterprise Cloud Security Advisor

With over 11 years’ worth of extensive cybersecurity industry experience, Rodman Ramezanian is an Enterprise Cloud Security Advisor, responsible for Technical Advisory, Enablement, Solution Design and Architecture at Skyhigh Security. In this role, Rodman primarily focuses on Australian Federal Government, Defense, and Enterprise organizations.

Rodman specializes in the areas of Adversarial Threat Intelligence, Cyber Crime, Data Protection, and Cloud Security. He is an Australian Signals Directorate (ASD)-endorsed IRAP Assessor – currently holding CISSP, CCSP, CISA, CDPSE, Microsoft Azure, and MITRE ATT&CK CTI certifications.

Candidly, Rodman has a strong passion for articulating complex matters in simple terms, helping the average person and new security professionals understand the what, why, and how of cybersecurity.

Attack Highlights

  • Threat actors hijack corporate Microsoft 365 accounts via spear-phishing and/or business email compromise attacks
  • Account credentials are then used to infiltrate Microsoft user accounts and apps (MS Teams)
  • Hackers begin to drop malicious executable files in conversations on Microsoft Teams, labelled as “User Centric” to trick end users
  • Once executed, the malware writes data into the system’s registry, installs DLLs, and establishes persistence on the Windows machine
  • Detailed information is collected about the operating system and hardware it runs on, along with the security state of the machine based on OS version and patches installed
  • As a result, threat actor gains full access to enduser system