Threat actors have been discovered using Microsoft Teams chats to infect participants’ machines and spread malware. Microsoft Teams is a prime target for attackers because of the trust most users place in it and the absence of protections against malicious files. While users are generally suspicious of information received over email, thanks to email phishing awareness training, the same level of suspicion is not exhibited toward files received over Teams. This makes end users more likely to download and run files received via Teams.
The attacks, which started in January of this year, involve threat actors attaching a file called “UserCentric.exe” to organizational chats to trick users into running it. While the initial access method for these specific threat actors is unknown, it is likely that a combination of stolen Microsoft 365 credentials from previous phishing campaigns and compromised partner organizations allowed the threat actors to access Teams chats in victim organizations. Once a user runs the malicious executable, it collects detailed information on the system and establishes persistence using Windows Registry Run keys or by creating an entry in the Startup folder.
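The two persistence locations named above (Registry Run keys and the Startup folder) are cheap to audit. The following PowerShell script is an added example written for this page, not code from the article or from any vendor; it enumerates the Run and RunOnce keys for the current user and the machine, plus both Startup folders, and flags any entry whose target is the file name reported here or that lives in a user-writable directory such as %APPDATA%, %TEMP% or Downloads, which is where a file saved from a Teams chat would normally be launched from. The list of user-writable directories and the flagging rule are assumptions chosen for illustration, not part of the article.

```powershell
# Added example (not from the original article): audit Registry Run/RunOnce keys and the
# Startup folders for autostart entries that point at user-writable locations or at the
# file name reported in the article. Only "UserCentric.exe" comes from the article; the
# directory list and flagging heuristic are assumptions for this example.

$suspectNames = @('UserCentric.exe')

# Directories a standard user can write to; a dropped executable is usually launched from one of these.
$userWritable = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC,
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ }

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Metadata properties that Get-ItemProperty adds to every result; these are not Run values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    # Pull the executable out of a Run-key command line, e.g.
    #   "C:\Users\x\AppData\Roaming\UserCentric.exe" /silent  ->  C:\Users\x\AppData\Roaming\UserCentric.exe
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-Suspicious {
    # True when the target is the reported file name or sits in a user-writable directory.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $leaf = Split-Path -Leaf $Path
    if ($suspectNames -contains $leaf) { return $true }
    foreach ($dir in $userWritable) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry Run / RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $exe = Get-ExecutablePath ([string]$p.Value)
        $findings += [pscustomobject]@{
            Source     = $key
            Name       = $p.Name
            Target     = $exe
            Suspicious = Test-Suspicious $exe
        }
    }
}

# 2. Per-user and all-users Startup folders
$startupFolders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            # Shortcuts are common here; resolve them to the real target via the WScript.Shell COM object.
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
        }
        $findings += [pscustomobject]@{
            Source     = $folder
            Name       = $_.Name
            Target     = $target
            Suspicious = Test-Suspicious $target
        }
    }
}

# Flagged entries first; review each Target before acting on it.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys and the all-users Startup folder are readable. Entries flagged as Suspicious are not automatically malicious (legitimate per-user installers also use %APPDATA%), so the output is a triage list: confirm the file's publisher and hash before removing anything, and feed the same two locations into your endpoint telemetry so new writes to them are alerted on rather than found after the fact.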
More than 270 million users rely on Microsoft Teams every month, making this infection vector a simple but potentially efficient method of compromising an organization.