It's true — Microsoft Teams group chat requests can be bad for you, as hackers hijack them to spread malware
Default Microsoft Teams feature could put organizations at risk
Hackers are abusing a group chat feature in Microsoft Teams video conferencing software to deploy malware on people’s computers, researchers have warned.
Cybersecurity experts from AT&T Cybersecurity said that a threat actor was observed using either a compromised Teams user, or domain, to send more than 1,000 Teams group chat invites.
Anyone who accepts the invitation is served a file titled “Navigating Future Changes October 2023.pdf.msi” - and those with a sharp eye will notice that the file pretends to be a PDF, but is actually an MSI file - a Windows Installer package that delivers the DarkGate malware.
Human error
According to researchers from Trellix, DarkGate is a Remote Access Trojan (RAT) that was first discovered back in 2018. It enables attackers to fully compromise victim systems, and is sold as malware-as-a-service (MaaS), by a threat actor under the alias RastaFarEye.
The hackers were able to send so many invitations thanks to a feature that allows external Microsoft Teams users to message other tenants’ users by default.
"Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel," AT&T Cybersecurity’s researcher Peter Boyle said in the announcement.
"As always, end users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
BleepingComputer claims that there had been similar DarkGate campaigns last year, when hackers abused compromised external Office 365 accounts and Skype accounts to send messages with a VBA loader script attached. The publication also claims that many threat actors turned to DarkGate after Quakbot’s demise. Microsoft Teams is currently one of the most popular communications and collaboration platforms in the world, with roughly 280 million active monthly users.
More from TechRadar Pro
- This growing malware threat actor is set to unleash a surge of attacks, experts warn
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.