Thursday September 19, 2024

Advisory ID: NCC-CSIRT-050224-003

Summary: 

Researchers from AT&T Cybersecurity have discovered new phishing attacks exploiting Microsoft Teams group chat requests to distribute malicious attachments. These attachments install DarkGate malware payloads on the systems of unsuspecting victims. The operators of DarkGate take advantage of Microsoft Teams to execute these attacks, focusing on organizations where administrators have not secured their tenants by disabling the External Access setting.

Threat Type(s): Phishing 

Impact/Vulnerability: HIGH/CRITICAL

Product(s): Microsoft Teams.

Platform(s): Microsoft Teams Group Chat

Version(s): All Versions.

Description: 

The researchers found that the perpetrators used what appears to be a compromised Teams user (or domain) to send over 1,000 malicious Teams group chat invitations. This was feasible because Microsoft enables External Access to company chats by default, granting anyone within the organization the ability to add users to chats, even if they are external to the organization.

Once the targets accept the chat invitation, the malicious actors deceive them into downloading a file with a double extension, named 'Navigating Future Changes October 2023.pdf.msi', a common tactic employed by DarkGate. Once the malware is installed, it establishes communication with its command-and-control server, a component already verified as part of the DarkGate malware infrastructure. This phishing attack is facilitated by Microsoft's default setting, which allows external Microsoft Teams users to message users from other tenants.

Consequences: 

Deployment of DarkGate malware payloads along with the phishing impacts.

Solution: 

  • Exercise caution regarding file sharing: do not accept or open files from untrusted sources, and do not install such files.
  • Organizations should disable External Access in Microsoft Teams.
  • End users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email. A phishing attack is a type of cyber-attack where attackers impersonate legitimate entities to deceive individuals into providing sensitive information such as passwords, financial details, or personal data, often through deceptive emails, messages, or websites.
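A defensive check for the double-extension naming described in the Description, added here as an example that is not part of the original advisory or of any vendor tooling. The extension lists and the sample names are assumptions constructed for illustration, except the one file name quoted in the advisory.

```python
from pathlib import PureWindowsPath

# Extensions a lure pretends to be (assumed list, extend for your environment).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
              ".txt", ".jpg", ".png"}
# Extensions Windows runs or installs when opened (assumed list).
EXEC_EXTS = {".msi", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
             ".lnk", ".hta", ".ps1"}


def normalize(name: str) -> str:
    """Reduce a path to the base name as Windows resolves it."""
    base = PureWindowsPath(name).name
    # Windows ignores trailing dots and spaces, so "x.msi." still opens as .msi.
    return base.rstrip(". ").lower()


def is_double_extension_lure(name: str) -> bool:
    """True when a document-like extension is followed by an executable one."""
    # Strip each part so padding such as "pdf      .exe" cannot hide the pair.
    parts = [p.strip() for p in normalize(name).split(".")]
    if len(parts) < 3:  # need stem + decoy extension + real extension
        return False
    return "." + parts[-1] in EXEC_EXTS and "." + parts[-2] in DECOY_EXTS


def flag_lures(names):
    """Return the subset of attachment names that match the lure pattern."""
    return [n for n in names if is_double_extension_lure(n)]


# Constructed sample of attachment names, e.g. exported from chat or proxy logs.
SAMPLE = [
    "Navigating Future Changes October 2023.pdf.msi",  # quoted in the advisory
    "Q3 report.pdf",                                   # ordinary document
    "release-notes-v1.2.pdf",                          # dots in stem, benign
    "teams-setup.msi",                                 # installer, not disguised
    "Invoice.PDF      .exe",                           # padding hides real type
    r"C:\Users\user\Downloads\scan.docx.LNK.",         # trailing dot, full path
]

if __name__ == "__main__":
    for hit in flag_lures(SAMPLE):
        print("SUSPICIOUS:", hit)
```

A match is a triage signal for mail, chat or download logs, not proof of DarkGate; single-extension installers are deliberately not flagged.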

References:

https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-pushes-darkgate-malware-via-group-chats/

https://windowsreport.com/microsoft-teams-darkgate-phishing-attacks/

https://cyber.vumetric.com/security-news/2024/01/30/microsoft-teams-phishing-pushes-darkgate-malware-via-group-chats/