Hackers are abusing a group chat feature in Microsoft Teams video conferencing software to deploy malware on people’s computers, researchers have warned.
Cybersecurity experts from AT&T Cybersecurity said that a threat actor was observed using either a compromised Teams user, or domain, to send more than 1,000 Teams group chat invites.
Anyone who accepts the invitation is served a file titled “Navigating Future Changes October 2023.pdf.msi” and those with a sharp eye will notice that the file pretends to be a PDF, but is actually an MSI file a Windows Installer package that delivers the DarkGate malware.
Human error
According to researchers from Trellix, DarkGate is a Remote Access Trojan (RAT) that was first discovered back in 2018. It enables attackers to fully compromise victim systems, and is sold as malwareasaservice (MaaS), by a threat actor under the alias RastaFarEye.
The hackers were able to send so many invitations thanks to a feature that allows external Microsoft Teams users to message other tenants’ users by default.
“Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel,” AT&T Cybersecurity’s researcher Peter Boyle said in the announcement.
“As always, end users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email.”