According to reporting from Bleeping Computer, threat actors are ramping up their efforts against Microsoft Teams for malware distribution by planting malicious documents in chat threads, ultimately resulting in victims executing Trojans that hijack their corporate systems.
Traditionally, hackers have focused their attacks on Microsoft’s universal document and sharing suites – Office and its cloud-based Office 365 – targeting individual apps such as Word, Excel, and others.
Now, thanks to its tremendous adoption surge since COVID-19 (much like many other SaaS applications), Microsoft Teams continues to be an exceedingly prevalent attack surface. As many organizations’ employees continue working remotely, the reliance on Microsoft Teams to collaborate is stronger than ever before. According to market insights from Statista, the number of daily active users of Teams nearly doubled from 2020 to 2021, with reports from Microsoft now claiming 270 million monthly active users as of January 2022.
With successful spear-phishing and business email compromise attacks being amplified by lackluster security authentication methods, threat actors gain access to corporate Microsoft 365 accounts that, in turn, grant them access to inter-organizational applications, chats, files, and directories.
From there, sending Trojan-loaded files via Teams chat messages takes very little effort and thus results in user execution. Unfortunately, disaster then ensues with the commandeering of the user’s system.
Why Do These Breaches Occur?
Spear-phishing and BEC attack vectors are nothing new (which does not excuse lenient security practices), and users are typically cautious of data received over email – thanks to internal email phishing awareness training. Most, however, tend to exhibit little caution or doubt about files received over a private, corporate chat platform, particularly with seemingly innocent attachments named “User Centric.” At that point, “the user is the weakest link,” as the saying goes, and thus provides the threat actor with the foothold they need to take control of the system. Sadly, MS Teams’ limited native protections exacerbate these types of attacks.
What Can Be Done?
- User awareness training is always essential when facing matters involving phishing and business account compromises.
- Mandating use of multi-factor authentication is also vital to help prevent account hijacking.
- Unfortunately, these alone may not be enough to protect users against very convincing attacks.
- Admittedly, Microsoft Teams itself isn’t exactly feature-rich when it comes to screening messages and files for malicious content.
- For this reason, it is highly recommended to utilize a security platform that unifies malware protection, data loss prevention, behavioral analytics, and collaboration control not only for Teams, but also for all other Microsoft 365 services, such as SharePoint and OneDrive, that can typically facilitate account compromises in the first place.