Microsoft Teams has more than 270 million users every month, whether for work, for school or for private use. They take part in video conferences, chat with colleagues and friends, and share files with them.
There seems to be little suspicion about who is actually part of one’s own team; after all, every user has to be logged in with a Microsoft account. What very few people consider is that such an account may itself have been taken over by cybercriminals, and that the platform offers no protection against malicious files.
Attackers are currently taking advantage of this, as security researchers at Avanan warn. Since January, they have observed hackers increasingly trying to spread malware via the Teams platform. To do this, they use compromised Microsoft accounts to sneak into chats. There they post an executable file called “User Centric”, with the aim of getting the other chat participants to run it. If this succeeds, the malware writes data to the registry of the affected system, installs Dynamic Link Library (DLL) files and thus embeds itself on the Windows computer. In this way, the attackers obtain detailed information about the operating system and the hardware it is running on. Via the smuggled-in Trojan, the attackers can also assess the security status of the computer based on the operating system version and the installed patches. Ultimately, the attack allows them to take over the victim’s computer completely.
Exactly how the hackers took control of the compromised Microsoft accounts is unclear at this time, but it stands to reason that this is done via stolen credentials for email addresses or Microsoft 365 accounts. These could have been stolen through phishing, purchased on the dark web, or obtained through an attack on a company in the software supply chain.
Current data suggests that most attacks of this type are concentrated in the Great Lakes area of the United States and target local media. But Teams users elsewhere should also get used to the idea that such attacks can happen at any time, since this is a relatively easy way to spread malware. Avanan’s security researchers point out that users appear to be far less skeptical about files sent via Teams than about data arriving through other channels. This could quickly turn out to be a mistake. In addition, Teams offers guest and external access capabilities that enable collaboration with people outside the company. In many cases, such invitations are checked only insufficiently, or sometimes not at all.
In recent years, the use of platforms such as Teams or Zoom has increased dramatically due to the new working conditions brought about by the pandemic. However, by no means everyone has become accustomed to using these platforms or is familiar with the associated risks, especially compared with criminal activity via e-mail, where awareness has improved significantly in recent years. The many millions of users who discuss sensitive topics via chat and send confidential data every day make Teams and similar platforms lucrative and interesting targets for cybercriminals. It is all the more important to take protective measures here as well in order to put an end to the criminal activity. Avanan recommends downloading all files to a sandbox first and scanning them for malware. The overall security concept should also be revised to include platforms such as Teams or Zoom. Last but not least, it is advisable to invest in awareness measures in this area too, so that the danger is clear to users and, when in doubt about an unknown file, they would rather contact IT once too often than once too little.