Microsoft Teams Group Chat – the next Phishing Attack Vector!
This week I have been contributing content to an informative (hopefully) ‘Phishing Guide’ which Fusion IT are going to be publishing for clients and prospective customers alike in Q1.
Looking at recent trends, Artificial Intelligence (AI) is going to make a significant impact on the quality of phishing attacks, plus Vishing, Deep Fakes and Quishing are becoming more prominent techniques to launch cyber attacks. However, yesterday I came across some new content regarding the use of Microsoft Teams as an attack vector to lure unsuspecting victims.
To elaborate, Microsoft Teams, a widely used collaboration platform with 280 million monthly Users, has recently become a focal point for cybercriminals deploying DarkGate malware through sophisticated phishing attacks. In essence, attackers exploit the default settings of Microsoft Teams to send malicious Group Chat invites, ultimately leading to the installation of DarkGate malware on victims’ systems.
What is DarkGate?
DarkGate is a sophisticated malware that can steal your credentials, encrypt your files, and download more malicious software on your system. It can also evade antivirus detection and removal by using various techniques, such as fileless execution, process hollowing, and code obfuscation.
How does the phishing attack work?
The phishing attack uses compromised Microsoft Teams accounts to send Group Chat requests to unsuspecting Users. The chat requests look like they come from a colleague or a partner, and they invite the recipient to join a discussion about “Navigating Future Changes October 2023”.
If Users accept the Chat request, they will see a message from the attacker that contains a link to download a file named “Navigating Future Changes October 2023.pdf.msi”. The file is actually an executable that installs DarkGate malware on the device.
The malware then connects to a command-and-control server at hgfdytrywq[.]com, which is part of the DarkGate infrastructure. The malware can then perform various malicious actions, such as stealing data, encrypting files, or installing other malware.
How can you protect yourself from this attack?
The best way to avoid this attack is to be vigilant and cautious when receiving unsolicited messages from external Teams users.
Here are some tips to help you:
Check the sender’s email address and domain name carefully
If they look suspicious or unfamiliar, do not accept the Chat request or open the attachment. Always check the sender’s identity and domain, and avoid clicking on links or downloading files from unknown sources. Report any suspicious messages to the IT department, security team or Fusion IT.
Pay attention to the file extension of the attachment
If it has a double extension, such as “.pdf.msi”, it is likely a malicious executable file that can harm your system. You should scan it with reputable antivirus software and remove any detected threats. You should also change your passwords and monitor your online accounts for any unauthorised activity. Again, consult with Fusion IT on this or for any assistance.
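The double-extension check above can be automated for a download folder or a mail/chat gateway log. The following PowerShell function is an added example, not code from the original post or from Fusion IT: it flags names where a document-looking extension is immediately followed by an extension Windows will execute, while leaving genuine compound extensions such as “.tar.gz” alone. The extension lists and the sample file names (other than the “.pdf.msi” lure quoted above) are constructed for illustration.

```powershell
# Added example: detect deceptive double extensions such as "report.pdf.msi".
# Extension lists are illustrative, not exhaustive; extend them to suit your estate.
$ExecutableExtensions = @('.msi', '.exe', '.scr', '.bat', '.cmd', '.ps1', '.js', '.vbs', '.hta', '.lnk', '.com', '.pif')
$DocumentExtensions   = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.txt', '.jpg', '.png')

function Test-DeceptiveDoubleExtension {
    param([Parameter(Mandatory)][string]$FileName)

    # "a.pdf.msi" splits into "a", "pdf", "msi". Fewer than three parts means
    # there is at most one extension, so no double-extension lure is possible.
    $parts = $FileName.Split('.')
    if ($parts.Count -lt 3) { return $false }

    $last   = '.' + $parts[-1].ToLowerInvariant()   # what Windows will actually run
    $before = '.' + $parts[-2].ToLowerInvariant()   # what the user is meant to see

    # Only the dangerous shape is flagged: document extension, then executable.
    return ($DocumentExtensions -contains $before) -and ($ExecutableExtensions -contains $last)
}

# Constructed sample set; the first entry is the lure named in the post.
$samples = @(
    'Navigating Future Changes October 2023.pdf.msi',
    'Quarterly Report.pdf',
    'backup.tar.gz',
    'invoice.docx.exe',
    'notes.2023.txt'
)

foreach ($name in $samples) {
    $verdict = if (Test-DeceptiveDoubleExtension $name) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-11} {1}' -f $verdict, $name
}
```

Note that Windows Explorer hides known file extensions by default, so a file named “…October 2023.pdf.msi” is displayed to the user simply as “…October 2023.pdf”; running a check like this on the real file name, rather than trusting what Explorer shows, is the point of the exercise.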
Disable External Access in Microsoft Teams if you do not need it for your daily business use
This will prevent external Teams users from messaging you or inviting you to Chats. You can find this setting in the Microsoft Teams admin centre under Org-wide settings > External access. This setting is enabled by default, but it can be changed by the Teams administrator. Unless you need to communicate with external Teams users regularly, it is safer to disable this feature and use email instead. Contact Fusion IT for assistance on this, if you’re unsure.
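The same setting can be reviewed and changed from PowerShell, which is useful when you want to record the state before and after the change. The script below is an added example, not from the original post or from Microsoft; it assumes the MicrosoftTeams PowerShell module is installed and that you sign in with a Teams administrator account. The partner domain names are placeholders.

```powershell
# Added example: review and tighten Teams external access (federation) with the
# MicrosoftTeams module. Assumes: Install-Module MicrosoftTeams has been run and
# the signed-in account holds a Teams administrator role.
Connect-MicrosoftTeams

# 1. Record the current configuration before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowPublicUsers, AllowedDomains, BlockedDomains

# 2a. The option described in the post: no external access at all. Other Teams
#     tenants, personal Teams accounts and Skype consumer accounts can no longer
#     message or invite your users.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 2b. Alternative when a few known partners must be reachable: keep federation on
#     but restrict it to an explicit allow list. A compromised account in any
#     unlisted tenant cannot start a chat with your users. (Placeholder domains.)
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
#                                     -AllowedDomainsAsAList @('partner-one.example', 'partner-two.example') `
#                                     -AllowTeamsConsumer $false `
#                                     -AllowTeamsConsumerInbound $false

# 3. Confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowPublicUsers, AllowedDomains
```

Option 2b is the middle ground for organisations that cannot simply switch external access off: the lure described in this post relies on any external tenant being able to open a chat, and an allow list of known partner domains removes exactly that capability while keeping legitimate collaboration working.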
Educate yourself and your colleagues about the common signs and methods of phishing attacks
You can find more information and resources on the Microsoft Security website or, alternatively, get in touch with Fusion IT for more personal expert advice. Training end-users is also crucial in the fight against phishing attacks. Users should be educated to scrutinise unsolicited messages and be reminded that phishing can manifest in various forms beyond the traditional email-based attacks.
Microsoft Teams is a popular and useful collaboration tool, but it can also be exploited by cybercriminals who want to deliver malware and steal data. By disabling External Access, educating your users, and scanning your devices regularly, you can protect yourself and your organisation from this new phishing attack.
I hope this blog post was helpful and informative and should you have any questions, please do not hesitate to get in touch.
Stay safe and secure online!