The DarkGate Threat: Malware Through Microsoft Teams


Researchers at AT&T Cybersecurity uncovered a phishing campaign that abused Microsoft Teams group chats, rather than email, to deliver the DarkGate malware loader to the systems of unsuspecting victims. Most people are now somewhat familiar with the mechanics of email phishing; using a team chat as the delivery channel is a novel and unexpected method.

The attackers sent their Teams messages from a tenant whose domain ended in .onmicrosoft.com, the default domain Microsoft assigns to every Microsoft 365 tenant, which lends such messages a veneer of legitimacy. The messages tricked users into downloading a file that looked like an ordinary document but was, in fact, malicious.

How The Hack Worked

Researchers found that the attackers used a compromised Microsoft 365 domain to send 1,000 malicious invitations to Teams group chats. Once an invitee joined the chat, the attackers persuaded them to download a file named 'Navigating Future Changes October 2023.pdf.msi'. The '.pdf' is a decoy: the real extension is .msi, a Windows Installer package, and because Windows Explorer hides known file extensions by default the name is displayed as though it ended in .pdf.

Opening the file ran the installer, which dropped the DarkGate loader; the loader then connected to its command-and-control server at hgfdytrywq[.]com for further instructions.
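The double-extension lure is easy to catch once you look for it. As an added example (not from the original article or from AT&T's research), the PowerShell function below flags file names that put a decoy document extension in front of a genuinely executable one, and runs it over a constructed list of sample names; only the first name is the real lure from the campaign, the rest are hypothetical.

```powershell
# Added example, not part of the original article or AT&T's report. Flags
# names such as 'something.pdf.msi' where a document-looking extension hides
# an executable one. The extension lists and sample names are chosen for
# this demonstration.

$executableExtensions = @('.msi', '.exe', '.scr', '.js', '.vbs', '.bat', '.cmd', '.ps1', '.hta', '.lnk')
$decoyExtensions      = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.txt', '.jpg', '.png')

function Test-DecoyDoubleExtension {
    param([Parameter(Mandatory)][string]$FileName)

    # Split on dots. A decoy needs at least: base name, decoy ext, real ext.
    $parts = $FileName.ToLowerInvariant().Split('.')
    if ($parts.Count -lt 3) { return $false }

    $realExt  = '.' + $parts[-1]   # what Windows actually executes
    $decoyExt = '.' + $parts[-2]   # what the user is meant to see

    return ($executableExtensions -contains $realExt) -and ($decoyExtensions -contains $decoyExt)
}

# Constructed sample of file names as they might appear in a download or
# Teams file-sharing log. Hypothetical apart from the first entry.
$sampleFileNames = @(
    'Navigating Future Changes October 2023.pdf.msi',   # the lure used in the campaign
    'Q4 Budget.xlsx',
    'invoice.pdf.exe',
    'setup.msi',
    'archive.tar.gz',
    'notes.txt'
)

foreach ($name in $sampleFileNames) {
    $verdict = if (Test-DecoyDoubleExtension -FileName $name) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-12} {1}' -f $verdict, $name
}
```

Run as written, the first and third names are reported as SUSPICIOUS and the rest as ok; a plain 'setup.msi' is not flagged because nothing about its name is deceptive. On endpoints, the same trick is blunted by turning off "Hide extensions for known file types" in Explorer (the HideFileExt value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced), so the .msi suffix is shown to the user.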

The attack succeeded because the targeted organisations had External Access enabled in Microsoft Teams. External Access (also called federation) lets users in other Microsoft 365 tenants send messages and chat invitations to your users, and it is switched on for all external domains by default. Researchers identified this setting as the reason the attack worked.

Increase In DarkGate Usage

Since the Qakbot botnet was disrupted by law enforcement in August 2023, researchers have observed a noticeable shift among cybercriminals towards the DarkGate malware loader as their primary tool for gaining an initial foothold in corporate networks.

These criminals use a range of tactics, such as phishing and malvertising, to distribute the malware. DarkGate can evade detection by Windows Defender, steal browser history, and hijack Discord tokens.

How To Prevent Becoming A Victim Of A Phishing Attack

Email phishing attacks have been a longstanding menace to organisations and show no signs of abating. However, phishing through Microsoft Teams represents a relatively novel challenge. This method of attack underscores the critical importance of continuous vigilance and ongoing user education to combat emerging cyber security threats.

Disabling External Access in Microsoft Teams is wise for most organisations unless it is essential for everyday business operations; where it is essential, restrict it to an explicit allow list of trusted partner domains rather than leaving it open to every external tenant. Email tends to be the more thoroughly scrutinised channel, since most organisations route it through spam and malware filtering that an external Teams chat may bypass. It is crucial for end users to remain alert to the origins of unexpected messages and to recognise that phishing can arrive in many forms, not just through traditional email. The key takeaway is that not every message, even on a seemingly familiar platform, is safe or trustworthy.
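The setting itself is managed through the Teams admin centre or the MicrosoftTeams PowerShell module. The script below is an added example, not from the original article: it audits the tenant's federation configuration, then applies one of two postures, either turning External Access off entirely (the recommendation above) or limiting it to named partner domains. The $Mode variable and the domains in $trustedPartnerDomains are placeholders for the demonstration and need a Teams administrator account to run.

```powershell
# Added example, not part of the original article. Requires the MicrosoftTeams
# PowerShell module and an account holding the Teams Administrator role.
# $Mode and $trustedPartnerDomains are placeholders chosen for this demonstration.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit the current state. AllowFederatedUsers = True with an empty
#    AllowedDomains list means every external Microsoft 365 tenant, including
#    a compromised one, can send chat invitations to your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Choose one posture.
$Mode = 'Disable'                                                           # 'Disable' or 'AllowList'
$trustedPartnerDomains = @('partner-one.example', 'partner-two.example')    # placeholders

switch ($Mode) {
    'Disable' {
        # The article's recommendation: no tenant-to-tenant federation at all.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
    'AllowList' {
        # Keep federation, but only with named partner tenants. Any other
        # external domain, including an attacker-controlled .onmicrosoft.com
        # tenant, can no longer reach your users over Teams chat.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomainsAsAList @{ Add = $trustedPartnerDomains }
    }
}

# 3. In either case, also close the separate path from personal (consumer)
#    Teams accounts, which is governed by its own switches.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 4. Re-read the configuration to confirm the change. Tenant policy changes
#    can take some time to propagate to Teams clients.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound
```

The allow-list posture is the one to reach for when a blanket block would break legitimate collaboration with partners: it keeps the business working while removing the "any tenant can message anyone" condition that the campaign relied on. Whichever posture is chosen, the audit step in part 1 is worth scheduling on its own, since the default-open configuration can creep back in when tenants are created or merged.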

At Silver Lining, we provide cutting-edge phishing simulation and training software to keep your workforce ahead of the latest trends and hacker tactics. We aim to arm your team with the knowledge and skills to prevent becoming the next target. Discover how we can fortify your defences by visiting our dedicated page below.

© Silver Lining Convergence Ltd
Registered Company Number: 06212357