Recent reports show that attackers are using Microsoft Teams to spread malware. The attacks are carried out by attaching .exe files to Teams chats; when opened, the file installs a trojan on the end user’s computer, and that trojan is then used to install further malware.
Hank Schless, Lookout’s senior manager of security solutions, lists possible tactics and countermeasures:
“The first tactic used by hackers is to obtain Microsoft 365 credentials from employees, which would give them access to all applications in the Microsoft suite. Lookout data shows that attackers primarily reach users through mobile channels such as SMS, social media platforms, third-party messaging apps, games, and even dating apps. According to Lookout data, an average of 15.5 percent of enterprise users were exposed to phishing attacks each quarter in 2021. For comparison, in 2020 the figure was 10.25 percent. Phishing is clearly a growing problem for every business.
Because Microsoft 365 is such a widespread platform, it is not very difficult for attackers to create socially engineered campaigns that target users with malicious Word files and fake login pages. The second tactic is to go through a third party, e.g. by compromising a contractor, to gain access to the company’s Teams platform. This shows how important it is to subject every piece of third-party software, every person and every team to a detailed security audit to ensure they are secure.
How serious are these attacks?
According to Lookout’s study, a successful attack could lead to a complete takeover of the device. Since there is a high probability that an attacker initially gained access through phishing, they could eventually obtain a trusted device and trusted credentials. This is a malicious combination that could allow an attacker to access any data the user and device have access to.
Once the attacker has penetrated the infrastructure, they can move laterally and find out where the most valuable assets are hidden. From there, they could encrypt that data to launch a ransomware attack or exfiltrate it for sale on the dark web. This chain of attacks is why organizations need visibility into and access control over users, their devices, the applications they want to access and the data stored on them.
Recommended protective measures
The nature of this attack demonstrates the importance of protecting all endpoints, cloud resources, and on-premises or private applications across the enterprise infrastructure. It is becoming increasingly difficult to keep track of how users and devices interact with applications and data now that the network perimeter is disappearing as the traditional boundary of the enterprise environment. Therefore, a unified platform that takes into account mobile and PC endpoints as well as cloud services and private or on-prem installed applications is required. It’s the only way to provide the required level of visibility and protection against today’s modern threat landscape.
To stay ahead of attackers looking to exploit this chain of attacks, organizations everywhere should implement security for mobile devices with Mobile Threat Defense (MTD) and protect cloud services with Cloud Access Security Broker (CASB). They also need to monitor web traffic with a Secure Web Gateway (SWG) and implement modern security policies for their on-prem or private applications with Zero Trust Network Access (ZTNA).
Attacks on platforms use similar tactics
Attacks targeting specific platforms have their nuances, but the general tactics are obviously very similar. Slack and Teams can also run public channels, in which one does not necessarily have to be part of the company in order to participate. This poses a massive risk for the company – both of unauthorized access and of data loss. The tactics for gaining access to these two platforms, as well as to other collaboration platforms and applications, are generally quite similar. The fact is, phishing is the most viable option for threat actors today.
If an attacker has legitimate credentials to log into corporate applications, they are less likely to be noticed and stopped. Organizations therefore need a modernized security strategy capable of detecting anomalous logins, file activity and user behavior.”
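One concrete form the recommended visibility into “file activity” can take is a triage pass over chat attachments that flags the pattern described in this report: executable files, executables hiding behind a document extension, and PE bodies with a harmless name. The code below is an added example written for this article, not Lookout’s or Microsoft’s; the `Attachment` record format and the sample messages are constructed for the demo, and a real deployment would populate the same fields from Microsoft 365 audit data or a CASB export.

```python
from dataclasses import dataclass

# File types Windows runs directly when the user double-clicks them.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


@dataclass
class Attachment:
    """One chat attachment (record format constructed for this example)."""
    filename: str
    head: bytes            # first bytes of the stored file body
    sender_external: bool  # sender is a guest or belongs to another tenant


def attachment_findings(a: Attachment) -> list[str]:
    """Return the reasons this attachment should be blocked or reviewed."""
    findings = []
    exts = a.filename.lower().split(".")[1:]  # "Invoice.pdf.scr" -> ["pdf", "scr"]
    ext = exts[-1] if exts else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{ext}")
        if len(exts) > 1:
            findings.append("double extension hides an executable")
    elif a.head.startswith(PE_MAGIC):
        # The body is a PE file even though the name claims a document or image.
        findings.append(f"PE header inside a file named .{ext or '(none)'}")
    if findings and a.sender_external:
        findings.append("sent by a user outside the tenant")
    return findings


def triage(attachments: list[Attachment]) -> dict[str, list[str]]:
    """Map each flagged filename to its findings; clean files are omitted."""
    return {a.filename: f for a in attachments if (f := attachment_findings(a))}


# Constructed sample messages, not real telemetry.
SAMPLE_ATTACHMENTS = [
    Attachment("Q3_report.docx", b"PK\x03\x04", False),        # genuine Office zip container
    Attachment("TeamsUpdate.exe", b"MZ\x90\x00", True),        # bare executable from a guest
    Attachment("Invoice_2021.pdf.scr", b"MZ\x90\x00", True),   # screensaver posing as a PDF
    Attachment("holiday_photo.png", b"MZ\x90\x00", False),     # PE body behind an image name
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Checking the first bytes as well as the name matters because an attacker controls the filename entirely, but cannot change the `MZ` header without breaking the executable.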