A recent harmful campaign is taking control over end-user computers by placing malicious documents in Microsoft Teams chat. Cybercriminals have targeted Microsoft’s omnipresent document creation and sharing suite – the legacy Office and its cloud-based successor Office 365 – with assaults on individual apps like PowerPoint, as well as business email compromise and other schemes.

According to Statista, the number of teams users has nearly quadrupled in the last year, from 75 million in April 2020 to 145 million in the second quarter of 2021. As the application serves over 270 million monthly users as of January 2022, it became an appealing component for both cyber criminals and APT actors. Threat actors are attaching malicious files in chat and drop system-hijacking malware to penetrate into the app rapidly.

Avanan began to recognize how hackers were placing harmful executable files in Teams talks in January 2022. The application may self-administer since the file writes data to the Windows registry, installs DLL files, and makes shortcut links. Thousands of similar attacks occur every month, according to Avanan. In this attack overview, we’ll look at how hackers in Microsoft Teams employ these.exe files.

Attack

Hackers are attaching .exe files to the Teams chats in this attack in order to install a Trojan. The trojan is utilized then to install malware.

• Vector: Microsoft Teams
• Type: Malicious Trojan File 
• Techniques: .exe files
• Target: Any end-user

Email

Hackers are breaking into the Teams app in this attack, which can be done via email-based East-West attacks or by faking a user. The threat actor then attaches a “User-Centric”.exe file to a chat. This file is a Trojan that will install DLL files and build self-administering shortcut links.

Techniques

Hackers have discovered a new way to easily target millions of users by adding the file to a Teams attack. Accessing Teams is the first step. Hackers can do this in a variety of ways. They can infiltrate a partner organization and listen in on inter-organizational conversations.

They can gain access to Teams by compromising an email address. They can use stolen Microsoft 365 credentials from a prior phishing attack to gain full access to Teams and the rest of the Microsoft Office suite. 

Given how well hackers can compromise Microsoft 365 accounts using classic email phishing techniques, they’ve figured out that the same credentials work for Teams. 

Furthermore, once inside an organization, an attacker is usually aware of the technologies in place to secure it. That implies they’ll be able to predict which spyware will be able to get beyond existing defenses.

This exploit shows that cybercriminals are starting to recognize and better utilize Teams as a potential attack vector. As the use of Teams grows, Avanan anticipates a large increase in these types of attacks.

Tips and Best Practices

Security experts can take the following steps to prevent these attacks:

• Adopt a security solution that checks all files for malicious content in a sandbox.
• With a comprehensive, full-suite security solution, protect all lines of company communication, including Teams.
• End-users should be encouraged to contact IT if they come across an unexpected file.

Reach out to Clear Infosec today to keep your workforce aware of evolving threat landscape and define an Information Security strategy that fortifies your systems.

Reference:

Montalbano, A. E., & Montalbano, E. (n.d.). Microsoft teams targeted with takeover trojans. Threatpost English Global threatpostcom. Retrieved February 21, 2022, from https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/

Fuchs, J. (n.d.). Hackers attach malicious .EXE files to teams conversations. Avanan. Retrieved February 21, 2022, from https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversatio