Microsoft Teams continues to grow in popularity. Teams counts 270 million monthly active Teams users; that's up a tidy 20 million from July 2021.

As this popularity grows, hackers will continue to increase how often they target it as a launchpad for phishing and malware attacks.

Starting in January 2022, Avanan observed how hackers are dropping malicious executable files in Teams conversations. The file writes data to the Windows registry, installs DLL files and creates shortcut links that allow the program to self-administer. Avanan has seen thousands of these attacks per month. In this attack brief, Avanan will analyze how these .exe files are being used by hackers in Microsoft Teams. 

Attack

In this attack, hackers are attaching .exe files to Teams chats to install a Trojan on the end-user’s computer. The Trojan is then used to install malware. 

  • Vector: Microsoft Teams
  • Type: Malicious Trojan File 
  • Techniques: .exe files
  • Target: Any end-user

 

Email

In this attack, hackers are hacking into Teams, which can be done with East-West attacks that start via email, or by spoofing a user. Then, the threat actor attaches a .exe file called “User Centric” to a chat. This file is a Trojan, which will then install DLL files and create shortcut links to self-administer.

 

Email Example #1

When the user opens the file, this is what happens:

 





When clicking on the file, it begins to download and install as a Windows program. However, despite the file’s generic name, it is indeed a malicious file. 

 

Email Example #2

The .exe file, as analyzed by Check Point’s Sandblast, is malicious:

This overview shows the dangers associated with the file, as well as how it works.

 

Techniques

In this Teams attack, which Avanan has seen thousands of, hackers have attached a malicious Trojan document to a chat thread. When clicked on, the file will eventually take over the user’s computer. Using an executable file, or a file that contains instructions for the system to execute, hackers can install malicious file libraries (DLL files) that allow the program to self-administer and take control over the computer.

By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.

The first step is accessing Teams. Hackers have a number of ways of doing that. They can compromise a partner organization and listen in on inter-organizational chats. They can compromise an email address and use that to access Teams. They can steal Microsoft 365 credentials from a previous phishing campaign, giving them carte blanche access to Teams and the rest of the Office suite. Given that hackers are quite adept at compromising Microsoft 365 accounts using traditional email phishing methods, they’ve learned that the same credentials work for Teams.

Beyond that, once inside an organization, an attacker usually knows what technology is being used to protect it. That means they will know what malware will bypass existing protections. 

Compounding this problem is the fact that default Teams protections are lacking, as scanning for malicious links and files is limited. Further, many email security solutions do not offer robust protection for Teams. Hackers, who can access Teams accounts via East-West attacks, or by leveraging the credentials they harvest in other phishing attacks, have carte blanche to launch attacks against millions of unsuspecting users. 

Further, end-users have an inherent trust of the platform. For example, an Avanan analysis of hospitals that use Teams found that doctors share patient medical information practically with no limits on the Teams platform. Medical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams.s. Further, nearly every user can invite people from other departments and there is often minimal oversight when invitations are sent or received from other companies. Because of the unfamiliarity with the Teams platform, many will just trust and approve the requests. Within an organization, a user can very easily pretend to be someone else, whether it's the CEO, CFO or IT help desk. 

Most employees have been trained to second-guess identities in email, but few know how to make sure that the name and photo they see in a Teams conversation are real. It is simple to edit a profile and become most anyone you like.

So when someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of “User Centric”, many users won’t think twice and will click on it. 

This attack demonstrates that hackers are beginning to understand and better utilize Teams as a potential attack vector As Teams usage continues to increase, Avanan expects a significant increase in these sorts of attacks.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Implement protection that downloads all files in a sandbox and inspects them for malicious content
  • Deploy robust, full-suite security that secures all lines of business communication, including Teams
  • Encourage end-users to reach out to IT when seeing an unfamiliar file


Subscribe to Our Attack Briefs for More Research