Threat actors have reportedly been found to use the MS Teams in spreading executables via chats to distribute malware across all users. Microsoft’s communication platform currently has about 270 million monthly active users, making it an attractive spot for threat actors to target.
Researchers found over a thousand attacks against MS Teams account since the beginning of the new year. Moreover, they added that the threat actors obtain access to MS Teams accounts by impersonating a particular user with East-West attacks through malicious emails or using information from previous phishing campaigns.
The threat actors log in to these spoofed accounts and attach an executable file called “UserCentric[.]exe” inside an existing chat to lure users into accessing and opening the malicious exe. If a team user executes the malicious code sent by the threat actors in the chats, it will install additional DLL files and develop shortcut links to self-accommodate.
The cyberattack campaign leveraging the MS Teams has several scenarios to complete for a successful infection method.
The first scenario is that threat actors launch their attacks by targeting a partner organisation and spies in on inter-organisational conversations or chats. In another instance, the actors may compromise an email address to access and spoof an MS Teams account.
Moreover, the actors can also use the Office 365 credentials stolen from past cybercriminal campaigns. Obtaining an Office 365 credential enables threat actors to access MS Teams and other MS Office applications.
The hackers may find a way or discover specific methods to bypass installed defence solutions inside their targeted account by abusing this access. If the threat actors can gather these types of information, they can pick an appropriate malware capable of avoiding specific AV solutions.
The use of MS teams as an infection transmitter is alarming since most of its users may have zero knowledge regarding the current threat. Researchers suggest that users apply extra security layers such as employing and inspecting every file in a sandbox.
Furthermore, organisations should launch email gateway security that secures every communications platform, such as Teams. Employees should also reach out to IT providers whenever they observe suspicious files in their chats.
