As Microsoft Teams boasts a growing user base that is now over 270 million monthly active users, hackers are targeting it as a launchpad for sending malicious files, according to a new report from cybersecurity firm Avanan.
The company, a Check Point subsidiary, says it began observing last month hackers dropping malicious executable files into Microsoft Teams conversations. The files write data to the Windows registry, install DLL files and create shortcut links that allow the program to self-administer.
According to the company, it has observed “thousands” of these attacks per month.
Avanan says threat actors are attaching .exe files to Teams chats to install a Trojan on the end-user’s device, and that Trojan is then used to install malware.
“In this attack, hackers are hacking into Teams, which can be done with East-West attacks that start via email, or by spoofing a user,” Avanan says. “Then, the threat actor attaches a .exe file called ‘User Centric’ to a chat. This file is a Trojan, which will then install DLL files and create shortcut links to self-administer.”
Clicking on the file downloads and installs the malicious file as a Windows program.
To gain initial access to Teams, hackers use a litany of old tricks, including phishing and other credential-stealing methods. Once they have Microsoft 365 credentials, they have access to Teams and the rest of the Office suite.
“Given that hackers are quite adept at compromising Microsoft 365 accounts using traditional email phishing methods, they’ve learned that the same credentials work for Teams,” Avanan says.
According to the firm, these attacks bypass default protections in Teams, which the company says has limited ability to scan for malicious links and files.
Compounding the issue, users are unfamiliar with Teams and its security standards, in contrast to the general knowledge of what to look for in malicious emails.
“Because of the unfamiliarity with the Teams platform, many will just trust and approve the requests,” the company says. “Within an organization, a user can very easily pretend to be someone else, whether it’s the CEO, CFO or IT help desk.”
As Microsoft continues to add new users, these malicious file attacks are expected to increase, the company says.
Avanan recommends implementing protection that downloads all files in a sandbox and inspects them for malicious content, deploying security tools that secure Teams and encouraging end users to ask IT about strange files.