Threat actors are infiltrating the increasingly popular collaboration app to attach malicious files to chat threads that drop system-hijacking malware.
Threat actors are targeting Microsoft Teams users by planting malicious documents in chat threads that execute Trojans that ultimately can take over end-user machines, researchers have found.
In January, researchers at Avanan, a Check Point Company, began tracking the campaign, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user’s computer, according to a report published Thursday.
“Using an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer,” Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, wrote in a report. “By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.”
Cybercriminals long have targeted Microsoft’s ubiquitous document-creation and sharing suite – the legacy Office and its cloud-based version, Office 365 – with attacks against individual apps in the suite such as PowerPoint as well as business email compromise and other scams.
Now Microsoft Teams – a business communication and collaboration suite – is emerging as an increasingly popular attack surface for cybercriminals, Fuchs said.
This interest could be attributed to its surge in use over the COVID-19 pandemic, as many organizations’ employees, working remotely, relied on the app to collaborate. Indeed, the number of daily active users of Teams nearly doubled over the past year, increasing from 75 million users in April 2020 to 145 million as of the second quarter of 2021, according to Statista.
The latest campaign against Teams demonstrates an increased understanding of the collaboration app that will allow attacks against it to increase in both sophistication and volume, Fuchs noted. “As Teams usage continues to increase, Avanan expects a significant increase in these sorts of attacks,” he wrote.
Taking on Teams
In order to plant malicious documents in Teams, attackers first have to get access to the application, Fuchs noted. This is possible in a number of ways, typically involving an initial email compromise through phishing to gain credentials or other access to a network, he said.
“They can compromise a partner organization and listen in on inter-organizational chats,” Fuchs wrote. “They can compromise an email address and use that to access Teams. They can steal Microsoft 365 credentials, giving them carte blanche access to Teams and the rest of the Office suite.”
Once an attacker gains access to Teams, it’s fairly easy to navigate and slip past any security protections, he noted. This is because “default Teams protections are lacking, as scanning for malicious links and files is limited,” and “many email security solutions do not offer robust protection for Teams,” Fuchs wrote.
Another reason Teams is easy for hackers to compromise is that end users inherently trust the platform, sharing sensitive and even confidential data with abandon while using it, he said.
“For example, an Avanan analysis of hospitals that use Teams found that doctors share patient medical information practically with no limits on the Teams platform,” Fuchs wrote. “Medical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams. In their mind, everything can be sent on Teams.”
Further, nearly every Teams user can invite people from other departments or other companies to collaborate via the platform, and there is often “minimal oversight” over these requests because of the trust people have, he added.
Specific Attack Vector
In the attack vector Avanan researchers observed, attackers first access Teams through one of the aforementioned ways, such as a phishing email that spoofs a user, or through a lateral attack on the network.
Then, the threat actor attaches a .exe file named “User Centric” to a chat; the file is actually a Trojan. To the end user, it looks legitimate, because it appears to be coming from a trusted user.
“When someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of ‘User Centric,’ many users won’t think twice and will click on it,” Fuchs wrote.
If that happens, the executable will then install DLL files that install malware as a Windows program and create shortcut links to self-administer on the victim’s machine, he said. The ultimate goal of the malware is to take over control of the machine and perform other nefarious activities.
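Because default Teams scanning of shared files is limited and the attachment in this campaign looked like an ordinary file from a trusted colleague, a defender's first line of triage is to inspect what is actually posted in chats rather than trusting the name. The script below is an added example, not code from Avanan's report or from Microsoft: it walks a list of attachment records and flags files that carry an executable extension, hide an executable extension behind a document-like name, or begin with the Windows PE (“MZ”) header while claiming a document extension, noting when the poster is an external or guest account. The record shape (sender, external flag, file name, first bytes of content) is a hypothetical simplification, and the sample records are constructed, not real telemetry.

```python
# Added example (not from the Avanan report or Microsoft): triage Teams chat
# attachments for executables, including executables hiding behind a
# document-like name. The record shape below is a hypothetical simplification.
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions Windows runs (or hands to a script host) when double-clicked.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd",
    ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk",
}
# Every Windows PE image (.exe, .dll, .scr, ...) begins with the DOS "MZ" stub.
PE_MAGIC = b"MZ"
# Document-like extensions an attacker might place before the real one.
DOCUMENT_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".png", ".jpg"}


@dataclass
class ChatAttachment:
    """Hypothetical, simplified record of a file posted in a Teams chat."""
    sender: str               # account that posted the file
    sender_is_external: bool  # guest or federated user from outside the tenant
    file_name: str
    head: bytes               # first bytes of the file content, fetched from storage


@dataclass
class Finding:
    file_name: str
    sender: str
    reasons: List[str] = field(default_factory=list)


def extensions_of(file_name: str) -> List[str]:
    """Return all lowercase extensions, e.g. 'report.pdf.exe' -> ['.pdf', '.exe']."""
    parts = file_name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess(att: ChatAttachment) -> Optional[Finding]:
    """Return a Finding if the attachment looks like an executable, else None."""
    reasons: List[str] = []
    exts = extensions_of(att.file_name)
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {last}")
    # 'invoice.pdf.exe' relies on hidden extensions to look like a document.
    if len(exts) > 1 and last in EXECUTABLE_EXTENSIONS and exts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension mimicking a document")
    # Content check: a PE header behind a document extension is a masquerade.
    if att.head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"PE (MZ) header but non-executable extension {last or '(none)'}")

    if not reasons:
        return None  # an external sender on its own is not a finding
    if att.sender_is_external:
        reasons.append("posted by external/guest account")
    return Finding(att.file_name, att.sender, reasons)


def scan(attachments) -> List[Finding]:
    """Assess every record and keep only the ones that produced a finding."""
    return [f for f in (assess(a) for a in attachments) if f is not None]


# Constructed sample records (not real telemetry).
SAMPLE_ATTACHMENTS = [
    ChatAttachment("alice@example.com", False, "User Centric.exe", b"MZ\x90\x00\x03"),
    ChatAttachment("partner@example.net", True, "invoice.pdf", b"MZ\x90\x00\x03"),
    ChatAttachment("bob@example.com", False, "agenda.docx", b"PK\x03\x04"),
    ChatAttachment("partner@example.net", True, "minutes.pdf", b"%PDF-1.7"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ATTACHMENTS):
        print(f"{finding.file_name} from {finding.sender}: {'; '.join(finding.reasons)}")
```

The content check is the part worth keeping even if the extension list is trimmed: an attacker who already holds a compromised account chooses the file name, so a name like “User Centric” or “invoice.pdf” says nothing about what the file is, while the first two bytes of a PE image cannot be disguised without breaking the executable. Findings from a script like this are a reason to pull the file for sandbox analysis and to review the posting account, not a verdict on their own.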