Hackers are actively using Microsoft Teams for phishing and malware distribution

Microsoft Teams is a popular communication and collaboration platform for businesses. However, researchers from the company Proofpoint discovered several ways in which attackers can misuse Teams functionality to phish or deliver malware to targeted computers.

One way is to use tabs in the Teams interface. Tabs can point to apps, websites, and files. For example, the standard Files tab is associated with SharePoint and OneDrive. Users can create their own tabs by pinning certain domains there.

Attackers can do the same with a malicious domain. For example, create a tab pointing to a malicious URL, rename it “Files” and move it to replace the legitimate “Files” tab in the user’s chat window.

In addition, cybercriminals can even indicate that a malicious file is being downloaded by clicking on the tab. If the victim is using Teams via the desktop or web client, Teams will automatically download the file to the user’s device without any prompts.

Another way Teams can be compromised is by changing links in meeting requests as well as in chat messages. Using API calls, an attacker can replace automatically generated meeting links in calendar invitations or hyperlinks in chat messages with malicious ones.

It is important to note that all of the described scenarios require attackers to have a compromised account or session token. But as the researchers note, attackers have long targeted corporate Teams environments, so getting the necessary access is the least obstacle for hackers.

According to the report According to Proofpoint, about 60% of organizations using Microsoft 365 experienced at least one successful account hijacking incident in 2022. And Teams has become the tenth most popular compromise app.

The consequences of compromising a business platform such as Microsoft Teams can be quite high, and highly sensitive information and documents are often shared there. “We have seen thousands of organizations experience a Teams takeover. This has led to financial fraud, brand abuse, sabotage, data theft and other risks. According to several studies, the average cost of an account hijacking cyber incident can range from several thousand to several million dollars,” Proofpoint experts noted.

The researchers note that it is quite easy to protect yourself from such attacks, you just need to focus on “strengthening security measures to prevent automatic redirection to unwanted sites and to block automatic file downloads.”

Microsoft also commented on the Proofpoint report, writing the following: “Microsoft encourages users to adhere to security best practices in Microsoft Teams and to adopt industry standards for data protection best practices, including using the Zero Trust and adopting effective strategies for managing security updates, antivirus updates, and authentication.”