Dangerous Microsoft Teams attack method

In the past, malicious emails were a common way for hackers to infect corporate networks with malware. Today, more and more companies use collaboration tools such as Microsoft Teams for internal communication. 

In addition, these tools are increasingly used by companies for remote work during the COVID-19 pandemic. 

Now, attackers have recognized the potential of this tool (and others) and are using it to spread malware. Because employees rarely expect to be targeted through these channels, they tend to be less cautious than usual, which makes them easy targets.

This blog post describes how attackers are exploiting these vulnerabilities and what users can do to protect themselves and their organizations against such attacks.

How they attack

Microsoft Teams, a collaboration platform included in the Microsoft 365 family of products, allows users to do audio and video conferencing, chat in multiple channels, and share files.

Many companies around the world have adopted the use of Microsoft Teams as the core tool for their remote employee collaboration during this pandemic.

There are no known vulnerabilities in the channel chat that could be exploited to inject malware into a user’s system. However, there is an existing method that could be used for malicious purposes.

 Microsoft Teams allows file sharing as long as the file size does not exceed 100 MB. An attacker can upload any file to any public channel in Microsoft Teams and anyone having access to the channel will be able to download it. 

From a cybersecurity perspective, it sounds like a goldmine: From any one Team channel, you can access all conversations and information, including sensitive information or intellectual property. 

Since Teams allows you to access all the conversations across different channels that might contain very sensitive information or intellectual property. It also might contain sensitive files shared between its users. 

Yet financially motivated cybercriminals can also benefit from Teams, since they might be able to catch interesting data inside Teams, which might allow them to commit more fraud, like obtaining credit card information for example.

The attackers are said to begin with targeted spear phishing emails that contain malicious links. If those are clicked on by members of organizations using.

When an attacker is trying to access a company’s enterprise resource planning system, the only thing needed for access is valid credentials for one of the employees. A common way to gain such credentials is by running a phishing campaign on users that are in the target organization.

Once an attacker has gained access to a victim’s email account, they can log in via Microsoft Teams and then use the feature that allows users to import documents from other sources. 

The attacker can then upload an HTML document that contains malicious JavaScript and link it to another document that will run when opened by other employees who have access to it.

Attacks may also be carried out against users by purchasing valid credentials from an initial access broker or through social engineering.

Users infected via Teams

The attacker can directly access all confidential communication channels between employees, customers and partners. In addition, the attackers are also able to read and manipulate private chats.

The attacks come in the form of malicious emails that contain an image of an Invoice document. This image contains a maliciously crafted hyperlink that is invisible to the naked eye but is active when clicked.

Microsoft Teams has seen thousands of attacks every now and then. The attacker drops executable malicious files into different Teams conversations. These files are trojans and can be very malicious to computer systems. 

Once the file is installed on your computer, the computer can be hijacked to do things that you didn’t intend it to do.

We do not know what the attackers’ ultimate goal is. We can only suspect that they want to get more information about their target, or full access to computers in the targeted network. 

This knowledge might have given them the ability to pull off some kind of financial fraud or cyberespionage.

No link detection

What makes Microsoft Teams vulnerable is that its infrastructure is not built with security in mind. As such, it does not have a malicious link detection system and only has a common virus detection engine.

Because users tend to trust what’s on the platform their companies provide, they can be vulnerable to sharing malware and getting infected.

A surprising level of trust makes users feel safe about using a new platform. Users can be much more generous with their data than they usually would be.

Attackers can not only trick people by putting infecting files or links into chat channels, but they might also send private messages to users and trick them with social engineering skills.

Most users will not care about saving the files on their hard drives and running antivirus or threat detection products on them before opening the files.

The number of cyber-attacks on a daily basis will continue to increase as more organizations become involved in this type of activity. 

Protection plan

For starters, users should take precautions to protect their email addresses, usernames and passwords.

In order to help address the Team structure threat, it is suggested that you;

• Enable two-step verification on the Microsoft accounts you use for Teams.
• If files are dropped on the Teams folders, add more security to those files. Send their hashes to VirusTotal to make sure they aren’t malicious codes.
• Add extra security for links shared on Teams and make sure to use reputable link-checking services.
• Make sure employees are aware of the risks involved in using communication and sharing platforms.

Is your organization using Microsoft teams? Has anyone experienced cyberattacks on the platform? Share your views in the comments section.