Microsoft Teams users targeted in phishing attack delivering DarkGate malware

A new phishing campaign taking advantage of an easily exploitable issue in Microsoft Teams to deliver malware has been flagged by researchers.

Delivering malware to Microsoft Teams users

Late last month, Truesec researchers spotted two compromised Microsoft 365 accounts sending HR-themed messages with a malicious attachment to enterprise targets.

The two messages were the same: they claimed that, due to unforeseen circumstances, there have been changes to the vacation schedule and the recipient may be affected by them.

Microsoft Teams phishing campaign

The phishing message. (Source: Truesec)

The attached file – Changes to the vacation – is downloaded from a SharePoint site and, once opened, it eventually leads to the execution of an AutoIT script that launches shellcode to load the DarkGate loader Windows executable.

The DarkGate loader has been around since 2017. Initially only used by the developer, it has recently become available to a limited number of affiliates.

The loader also has other capabilities, including: crypto mining, browser history and cookie theft, remote access and control, and more.

Phishing via Microsoft Teams is not new

As noted earlier, Jumpsec researchers have recently uncovered a bug in Microsoft Teams that could allow threat actors to deliver malware into employees’ inboxes, by bypassing client-side security controls that disallow external tenants (M365 users outside the organization) to send files to employees.

This avenue of attack has soon after been made even easier by the release of a tool that automates the process – and cybercriminals and other attackers have taken notice.

“Unfortunately, current Microsoft Teams security features such as Safe Attachments or Safe Links was not able to detect or block this attack,” Jakob Nordenlund, senior cyber security consultant at Truesec concluded.

“Right now, the only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains, albeit it might have business implications since all trusted external domains need to be whitelisted by an IT administrator.”

Don't miss