Threat actors have been discovered using Microsoft Teams chats to infect and spread malware to participants’ machines. Microsoft Teams is a prime target for attackers, due to the trust most users place in it and the absence of protections against malicious files. While users are generally suspicious of information received over email due to email phishing awareness training, the same level of suspicion is not exhibited with files received over Teams. This makes end users more likely to download and run files received via Teams.
The attacks, which started in January of this year, involve threat actors attaching a file called “UserCentric.exe” into organizational chats to trick users into running it. While the initial access method for these specific threat actors is unknown, it is likely that a combination of using stolen Microsoft 365 credentials from previous phishing campaigns and compromising partner organizations allowed threat actors to access Teams chats for victim organizations. Once the malicious executable is run by a user, it proceeds to collect detailed information on the system and establish persistence using Windows Registry Run keys or the creation of an entry in the startup folder.
More than 270 million users rely on Microsoft Teams every month, making this infection vector a potentially simple but efficient method of compromising an organization.
It is recommended to disable external access to Teams if your organization does not require it. This will prevent external users from contacting your organization’s users and potentially tricking them into executing malware. If this is not possible, it is recommended to implement endpoint protections that allow for sandboxing of downloaded files. This allows the files to be inspected for malicious content in a controlled environment first, before being executed on the host system. Likewise, maintaining proper endpoint security controls can be crucial in helping prevent malware from infecting a system. If prevention is not possible, appropriate logging should be in place to help detect behavioral patterns that malware tends to exhibit. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs. Finally, providing end user training that includes Microsoft Teams as a potential infection vector can help train users to be on the lookout for malware being spread via Teams as well as email.