Thousands of attacks include threat actors attaching executable files to Teams conversations.

With over 270 million active monthly users, Teams is one of the more popular office communication tools. Recent research by Avanan shows that threat actors are well aware of that.

Starting January 2022, cybercriminals began dropping malicious .exe files in Teams conversations to infect victims’ devices with trojans.

According to the researchers, the executable file writes data to the Windows registry and installs DLL files, thus allowing the program to self-administer.

Usually, the attack starts via email or by spoofing a user. The victim receives an .exe file titled “User Centric” via Teams chat. The file is a disguised trojan.

“When clicking on the file, it begins to download and install as a Windows program. However, despite the file’s generic name, it is indeed a malicious file,” Avanan’s Jeremy Fuchs wrote in a blog post.

Researchers have also observed threat actors attaching a malicious Trojan document to a chat thread. If opened, the file will eventually take over the computer.

To deploy the malware over Teams chat, threat actors first need to access the program. According to Fuchs, cybercriminals can do that by compromising a partner organization or an email address.

“They can steal Microsoft 365 credentials from a previous phishing campaign, giving them carte blanche access to Teams and the rest of the Office suite,” Fuchs writes.

Interestingly, attackers usually know what protections businesses use and write malware specifically to bypass any defenses. The blog post notes that Teams protections are lacking, as there is only limited scanning for malicious links and files.

“Hackers, who can access Teams accounts via East-West attacks, or by leveraging the credentials they harvest in other phishing attacks, have carte blanche to launch attacks against millions of unsuspecting users,” Fuchs claims.

Earlier this month, exploit trader Zerodium – which pays out fees to hackers who find weaknesses in cybersecurity systems so it can sell them on at a profit – raised its reward for special malware that targets users of Microsoft Outlook.

More worryingly for users of the software giant, the malware – known as zero-click – does not require victims to click on infected links or fall for fake emails.

