Security researchers have recently warned that hackers are compromising Microsoft Teams accounts to access chats and spread malicious executable files and programmes to participants in the conversation.

Over a quarter of a million users rely on Microsoft Teams every month with many of these trusting the platform implicitly, despite the absence of protections against malicious files.

Simple but efficient method

Researchers found that hackers started to drop malicious executable files in conversations on Microsoft Teams communication platform. The attacks started in January and there has been thousands of them. From the data available, most attacks were recorded at organisations in the Great Lakes region in the U.S., with local media outlets being a particular target.

The perpetrator inserts an executable file called “User Centric” into the chat to trick the user into running it. Once executed, the malware writes data into the system registry installs Dynamic Link Libraries (DLLs) and establishes a presence on the Windows machine. Basically, it takes over the computer.

The method used to gain access to Teams accounts remains unclear, but some possibilities include stealing credentials for email or Microsoft 365 via phishing or compromising a partner organization.

Automatic analysis of the malware distributed this way shows that the trojan can establish persistence through Windows Registry Run keys or by creating an entry in the start-up folder.

It also collects detailed information about the operating system and the hardware it runs on, along with the security state of the machine based on the OS version and the patches installed.

Excessive trust

Although the attack is quite simple, it may also be very efficient because many users trust files received over Teams, researchers say.

Recent analysis of data from hospitals in the US that use Teams and found that doctors use the platform to share medical information unrestricted.

While individuals are typically suspicious of information received over email, due to email phishing awareness training, they exhibit no caution with files received over Teams.

Moreover, Teams provides guest and external access capabilities that allow collaboration with people outside the company. These invitations are usually met by minimal oversight.

The researchers say that the issue is aggravated by the fact that default Teams protections are lacking, as scanning for malicious links and files is limited and many email security solutions do not offer robust protection for Teams.

This problem is only happening to Teams, at the moment. But it’s a potential risk with any similar system.

At Trichromic we take Cybersecurity very seriously and to defend against these attacks, we recommend the following:

  • Implement protection that downloads all files in a sandbox and inspects them for malicious content
  • Deploy robust, full-suite security that secures all lines of business communication, including Teams
  • Encourage end-users to reach out to us when seeing an unfamiliar file

In addition, we recommend you request a complementary in-depth IT consultation with one of our expert Trichromic Partner. This review will:

  • Scope out the business challenges you’re facing
  • Review your software, devices, red tape, cybercrime vulnerabilities and team performance
  • Provide a tailored IT Action Plan
  • Give you clarity on why and when you should fix, improve, or manage existing systems

If you would like to speak with one of our team to get a better understanding of the challenges you are facing and what you can do to mitigate them, please call us on:

020 3327 0310

Or send us an enquiry via our website at: