Threat actors are targeting Microsoft Teams users by planting malicious documents in message threads. Researchers have found that these documents execute Trojans that can ultimately take over end-user machines.
In January, researchers began tracking the campaign. They said: “Using an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer. By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.”
Cyber criminals have long targeted Microsoft’s document-creation and sharing suite, Office, and its cloud-based version, Office 365, with attacks against individual apps in the suite such as PowerPoint, as well as business email compromise and other scams. With Microsoft Teams usage having grown so much during the COVID-19 pandemic, it is emerging as an increasingly popular attack surface for cyber criminals.
Indeed, the number of daily active users of Teams nearly doubled over the past year, increasing from 75 million users in April 2020 to 145 million as of the second quarter of 2021. The latest campaign against Teams demonstrates an increased understanding of the collaboration app that will allow attacks against it to increase in both sophistication and volume.
In order to plant malicious documents in Teams, attackers first have to get access to the application. This is possible in a number of ways, typically involving an initial email compromise through phishing to gain credentials or other access to a network.
Researchers said: “They can compromise a partner organisation and listen in on inter-organisational chats. They can compromise an email address and use that to access Teams – they can steal Microsoft 365 credentials, giving them carte blanche access to Teams and the rest of the Office suite.”
Once an attacker gains access to Teams, it’s fairly easy to navigate and slip past any security protections. This is because default Teams protections are lacking: scanning for malicious links and files is limited, and many email security solutions do not offer robust protection for Teams. Teams is also easy for hackers to compromise right now because end users inherently trust the platform, sharing sensitive and even confidential data without a second thought while using it.
Further, nearly every Teams user can invite people from other departments or other companies to collaborate via the platform. There is often “minimal oversight” over these requests because of the trust people have, researchers added.
In the attack vector researchers observed, attackers first access Teams through one of the aforementioned ways, such as a phishing email that spoofs a user, or through a lateral attack on the network. Then, the threat actor attaches a .exe file named “User Centric” to a chat; the file is actually a trojan. To the end user, it looks legitimate, because it appears to be coming from a trusted user.
Researchers said: “When someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of ‘User Centric,’ many users won’t think twice and will click on it.” If that happens, the executable installs DLL files that register the malware as a Windows programme and create shortcut links so it can self-administer on the victim’s machine. As the ultimate goal of the malware is to take over control of the machine and perform other nefarious activities, this particular attack vector is worrisome for businesses.
To protect your business from further attacks like this, ensure that your Business Continuity and Disaster Recovery plans are in place. This will help your business recover from a cyber attack or phishing campaign, which may well reach your business as part of the ongoing boom in cyber attacks.