Microsoft Teams Targeted With Takeover Trojans


Threat actors are infiltrating the increasingly popular collaboration app to attach malicious files to chat threads that drop system-hijacking malware.

Threat actors are targeting Microsoft Teams users by planting malicious documents in chat threads that execute Trojans that ultimately can take over end-user machines, researchers have found.

In January, researchers at Avanan, a Check Point Company, began tracking the campaign, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user’s computer, according to a report published Thursday.

“Using an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer,” cybersecurity researcher and analyst at Avanan Jeremy Fuchs wrote in a report. “By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.”


Cybercriminals long have targeted Microsoft’s ubiquitous document-creation and sharing suite – the legacy Office and its cloud-based version, Office 365 – with attacks against individual apps in the suite such as PowerPoint as well as business email compromise and other scams.

Now Microsoft Teams – a business communication and collaboration suite – is emerging as an increasingly popular attack surface for cybercriminals, Fuchs said.

This interest could be attributed to its surge in use over the COVID-19 pandemic, as many organizations’ employees working remotely relied on the app to collaborate. Indeed, the number of daily active users of Teams nearly doubled over the past year, increasing from 75 million users in April 2020 to 145 million as of the second quarter of 2021, according to Statista.

The latest campaign against Teams demonstrates an increased understanding of the collaboration app that will allow attacks against it to increase in both sophistication and volume, Fuchs noted. “As Teams usage continues to increase, Avanan expects a significant increase in these sorts of attacks,” he wrote.

Taking on Teams

In order to plant malicious documents in Teams, attackers first have to get access to the application, Fuchs noted. This is possible in a number of ways, typically involving an initial email compromise through phishing to gain credentials or other access to a network, he said.

“They can compromise a partner organization and listen in on inter-organizational chats,” Fuchs wrote. “They can compromise an email address and use that to access Teams. They can steal Microsoft 365 credentials, giving them carte blanche access to Teams and the rest of the Office suite.”

Once an attacker gains access to Teams, it’s fairly easy to navigate and slip past any security protections, he noted. This is because “default Teams protections are lacking, as scanning for malicious links and files is limited,” and “many email security solutions do not offer robust protection for Teams,” Fuchs wrote.

Another reason Teams is easy for hackers to compromise is that end users inherently trust the platform, sharing sensitive and even confidential data with abandon while using it, he said.

“For example, an Avanan analysis of hospitals that use Teams found that doctors share patient medical information practically with no limits on the Teams platform,” Fuchs wrote. “Medical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams. In their mind, everything can be sent on Teams.”

Further, nearly every Teams user can invite people from other departments or other companies to collaborate via the platform, and there is often “minimal oversight” over these requests because of the trust people have, he added.

Specific Attack Vector

In the attack vector Avanan researchers observed, attackers first access Teams through one of the aforementioned ways, such as a phishing email that spoofs a user, or through a lateral attack on the network.

Then, the threat actor attaches a .exe file called “User Centric” to a chat; the file is actually a trojan. To the end user, it looks legitimate, because it appears to be coming from a trusted user.

“When someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of ‘User Centric,’ many users won’t think twice and will click on it,” Fuchs wrote.

If that happens, the executable installs DLL files that register the malware as a Windows program and create shortcut links so it can self-administer on the victim’s machine, he said. The ultimate goal of the malware is to take control of the machine and perform other nefarious activities.
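As an added example (not from the article or from Avanan’s report), the following Python script triages constructed Teams file-upload audit records for the pattern the report describes: an executable attachment dropped into a chat, rated higher when the uploader is a guest or comes from a domain the tenant does not own. The audit field names, the `#EXT#` guest marker and every sample value are assumptions made for this example.

```python
# Extensions Windows executes directly when a user double-clicks the file.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "pif", "msi", "bat", "cmd",
                         "vbs", "js", "jse", "wsf", "hta", "lnk"}
# Domains owned by the defending tenant (constructed for this example).
TENANT_DOMAINS = {"example.com"}

# Constructed sample records. Field names mirror those the Microsoft 365 unified
# audit log uses for Teams file activity (Workload, Operation, UserId,
# SourceFileName, SourceFileExtension, SiteUrl); every value is invented.
SAMPLE_RECORDS = [
    {"Workload": "SharePoint", "Operation": "FileUploaded", "UserId": "alice@example.com",
     "SourceFileName": "Q1 roadmap.pptx", "SourceFileExtension": "pptx",
     "SiteUrl": "https://example.sharepoint.com/sites/Sales/"},
    {"Workload": "SharePoint", "Operation": "FileUploaded",
     "UserId": "bob_partner.example#EXT#@example.onmicrosoft.com",
     "SourceFileName": "User Centric.exe", "SourceFileExtension": "exe",
     "SiteUrl": "https://example.sharepoint.com/sites/Sales/"},
    {"Workload": "SharePoint", "Operation": "FileUploaded", "UserId": "carol@example.com",
     "SourceFileName": "invoice.pdf.scr",  # extension field missing: derive it from the name
     "SiteUrl": "https://example.sharepoint.com/sites/Finance/"},
    {"Workload": "SharePoint", "Operation": "FileDownloaded", "UserId": "dave@example.com",
     "SourceFileName": "User Centric.exe", "SourceFileExtension": "exe"},
]

def is_external(user_id):
    """True for guest accounts (#EXT# marker in the UPN) and for domains the tenant does not own."""
    if "#ext#" in user_id.lower():
        return True
    return user_id.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS

def file_extension(record):
    """Use the audit field when present, else the last suffix of the name (catches invoice.pdf.scr)."""
    ext = record.get("SourceFileExtension") or record["SourceFileName"].rpartition(".")[2]
    return ext.lower()

def triage(records):
    """Return (uploader, file name, severity) for each uploaded file Windows would run on click."""
    findings = []
    for record in records:
        if record.get("Operation") != "FileUploaded":
            continue  # downloads, views and deletes are not the entry point described here
        if file_extension(record) not in EXECUTABLE_EXTENSIONS:
            continue
        # A guest or foreign-domain uploader is the pattern in the Avanan report: rate it higher.
        severity = "high" if is_external(record["UserId"]) else "medium"
        findings.append((record["UserId"], record["SourceFileName"], severity))
    return findings
```

Running `triage(SAMPLE_RECORDS)` flags the guest’s “User Centric.exe” as high and the internal “invoice.pdf.scr” as medium, while the Office document and the download event are ignored.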


Discussion

  • sb3k on

    Using Teams as attack vector is well-known by many security teams, I don't understand what is innovative here. Actors regularly use collaboration platforms to propagate malicious files, will we see an innovative article in two weeks saying that actors drop files on SharePoint? Also, Avanan report does not propose actionable recommendations to mitigate this threat, which is quite uncommon in these reports. There is an option in 365 to prevent downloading files that have been flagged as malicious once they reach SharePoint, which is the case with Teams. This option is not enabled by default. There is an option to restrict third party access to chats to trusted parties only. It is also in the Teams administration panel. There are options to prevent circulation of documents across business units (barriers). Modern companies deploy endpoint protection on clients. Modern companies deploy the larger set of protection measures against identity theft and hijacking, such as multi factor authentication, identity protection, password protection, and refuse risky sign-in events. The fact that this company did not take the time to give readers the minimal set of recommendations is widely frowned upon and TP should discourage this by asking one of their competitors to propose advice, in the same article. Next time, they will include real recommendations and not just say that actors can use product X to spread malware :)
