Researchers at Avanan, a cyber security company, have warned that some hackers are targeting Microsoft Teams accounts by attaching malicious executables to chats and spreading them to participants in the conversation.
Avanan said that the attacks started in January 2022 and the company observed how hackers are dropping malicious executable files in Teams conversations. The file writes data to the Windows registry, installs DLL files, and creates shortcut links that allow the program to self-administer. The cyber security company has seen thousands of these attacks per month.
In this attack, hackers break into Teams, via email or by spoofing a user, and attach .exe files to Teams chats. The threat actor attaches a .exe file called “User Centric”, which is a Trojan, to a chat. The Trojan then installs DLL files and creates shortcut links to self-administer.
According to the researchers, attackers can launch the attack by compromising a partner organization and listening in on inter-organizational chats. Alternatively, the threat actors can also compromise an email address and use that to access Teams. They can steal Microsoft 365 credentials from a previous phishing campaign or data breach, giving them carte blanche access to Teams and other Office applications.
Once inside an organization, an attacker usually knows what technology is being used to protect it, the researchers said. That means they will know what malware will bypass existing protections.
“Compounding this problem is the fact that default Teams protections are lacking, as scanning for malicious links and files is limited. Further, many email security solutions do not offer robust protection for Teams,” reads the analysis published by Avanan.
“Hackers, who can access Teams accounts via East-West attacks, or by leveraging the credentials they harvest in other phishing attacks, have carte blanche to launch attacks against millions of unsuspecting users.”
Microsoft Teams is easy for hackers to compromise as end-users have an inherent trust of the platform, sharing sensitive and even confidential data. For example, an Avanan analysis of hospitals that use Teams found that doctors share patient medical information with practically no limits on the Teams platform.
“Medical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams. Further, nearly every user can invite people from other departments and there is often minimal oversight when invitations are sent or received from other companies,” explained Avanan.
“Because of the unfamiliarity with the Teams platform, many will just trust and approve the requests. Within an organization, a user can very easily pretend to be someone else, whether it’s the CEO, CFO or IT help desk.”
Since the start of the pandemic, Microsoft Teams has continued to grow in popularity, with the company surpassing 270 million monthly active Teams users as of its second quarter in fiscal 2022.
According to Avanan, this attack demonstrates that hackers are beginning to understand and better utilize Teams as a potential attack vector. As Teams usage continues to increase, the cyber security company expects a significant increase in these sorts of attacks in the future. The current threat appears mainly to be targeting users in the U.S.
Avanan recommends security professionals protect themselves against these attacks by (1) implementing protection that downloads all files in a sandbox and inspects them for malicious content, (2) deploying robust, full-suite security that secures all lines of business communication, including Teams, and (3) encouraging end-users to reach out to IT when seeing an unfamiliar file.