Hackers Use Microsoft Teams Chats to Deploy Malware

Colin Thierry

Security researchers warn that some cybercriminals are infiltrating Microsoft Teams accounts to enter chats and spread malware to participants in the conversation.

More than 270 million users rely on Microsoft Teams every month, despite the absence of protections against malicious files.

Researchers at Avanan, a Check Point company that secures cloud email and collaboration platforms, first found that hackers started to drop malware files in conversations on Microsoft Teams.

The attacks started in January, the company says in a report issued on Thursday. The hackers insert an executable file called “User Centric” into a chat to trick the user into running it.

“In this Teams attack, hackers have attached a malicious Trojan document to a chat thread. When clicked on, the file will eventually take over the user’s computer,” Avanan said.

While the method used to gain access to Teams accounts remains unclear, some possibilities include stealing credentials for email or Microsoft 365 by phishing or compromising a partner organization.

The distributed malware is able to collect detailed information about the operating system and the hardware it runs on, along with the security state of the machine based on the OS version and the patches installed.

Although the attack was simple, it may have also been very efficient because many users trust files received over Teams, Avanan researchers say.

The company analyzed data from hospitals that use Teams and found that doctors use the platform to share sensitive medical information.

While individuals are typically suspicious of information received over email (due to email phishing awareness training), they display no such caution with files received via Teams.

Additionally, Teams provides guest and external access capabilities that allow collaboration with people outside the company. Avanan says that these invitations are usually met with little oversight.

“Because of the unfamiliarity with the Teams platform, many will just trust and approve the requests. Within an organization, a user can very easily pretend to be someone else, whether it’s the CEO, CFO or IT help desk,” Avanan said.

The researchers said that the issue is caused by “the fact that default Teams protections are lacking, as scanning for malicious links and files is limited” and “many email security solutions do not offer robust protection for Teams.”

To defend against these Microsoft Teams attacks, Avanan recommends implementing protection that downloads all files in a sandbox and inspects them for malicious content, deploying robust, full-suite security that secures all lines of business communication (including Teams), and encouraging end-users to reach out to IT when coming across an unfamiliar file.

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.