Phishing attacks on MS Teams propagate the DarkGate malware

February 6, 2024
Phishing Cyberattacks MS Teams DarkGate Malware

Threat actors are running an ongoing phishing campaign that abuses Microsoft Teams to propagate the DarkGate malware.

According to reports, the attackers use compromised Teams users or domains to send over 1,000 malicious Teams group chat invites to their targets, which makes the campaign a significant cybersecurity challenge for affected organisations.

Once the DarkGate malware is deployed on a victim, it connects to its command-and-control server at hgfdytrywq[.]com. Researchers confirmed that this server belongs to known DarkGate infrastructure, underlining the severity of the newly discovered operation.

The campaign relies on a default setting in Microsoft Teams, External Access, which lets users in other tenants message an organisation's users and so gives cybercriminals a direct route into the tenant.

Administrators should turn off External Access in Microsoft Teams unless it is needed for day-to-day business, to limit exposure to this DarkGate operation.
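The following PowerShell is an added example, not code from the original article or from the researchers it cites. It audits the tenant-wide External Access (federation) settings that the campaign abuses and then either disables them, as the article recommends, or restricts them to a named partner allowlist. It assumes the MicrosoftTeams PowerShell module is installed and the account holds a Teams administrator role; the partner domain names and the `$Mode` variable are placeholders chosen for the example.

```powershell
# Added example (not from the original article): audit and harden Teams External Access.
# Assumptions: MicrosoftTeams module installed, Teams admin role, placeholder partner domains.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Choose 'Disable' (the article's recommendation) or 'AllowList' (restrict to known partners).
$Mode = 'Disable'

# 1. Audit the tenant-wide federation settings as they stand today.
#    By default AllowFederatedUsers is $true and AllowedDomains allows all known domains,
#    so any external tenant can start a chat with your users.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                     AllowPublicUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound

# An empty AllowedDomain collection (or none at all) means no allowlist is in force.
if ($cfg.AllowFederatedUsers -and -not $cfg.AllowedDomains.AllowedDomain) {
    Write-Warning 'External Access is open to every external tenant (the default this campaign abuses).'
}
if ($cfg.AllowTeamsConsumer -or $cfg.AllowTeamsConsumerInbound -or $cfg.AllowPublicUsers) {
    Write-Warning 'Consumer Teams/Skype accounts can reach your users; these were abused in the earlier DarkGate campaign.'
}

# 2. Harden.
switch ($Mode) {
    'Disable' {
        # Turn off federation with other tenants and with consumer accounts entirely.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                            -AllowPublicUsers $false `
                                            -AllowTeamsConsumer $false `
                                            -AllowTeamsConsumerInbound $false
    }
    'AllowList' {
        # Keep federation on, but only for explicitly named partner tenants (placeholders).
        $partners  = 'partner-one.example', 'partner-two.example'
        $patterns  = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                            -AllowedDomains $allowList `
                                            -AllowTeamsConsumer $false `
                                            -AllowTeamsConsumerInbound $false
    }
}

# 3. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Two caveats a practitioner should keep in mind: tenant federation settings can take a while to propagate, so the final read-back may briefly show the old values, and per-user external access policies (`Get-CsExternalAccessPolicy` / `Set-CsExternalAccessPolicy -EnableFederationAccess`) sit underneath the tenant setting, so a user granted federation by policy still cannot chat externally once the tenant-wide switch is off, but the allowlist mode only limits which tenants, not which of your users, can federate.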

Researchers also noted the inherent risks of relying on Microsoft Teams for external communication and urged organisations to prefer more secure and closely monitored channels, such as email.

Microsoft Teams has roughly 280 million monthly users, so threat actors see the platform as a lucrative target. The DarkGate operators exploit that popularity by targeting organisations whose administrators have left External Access enabled instead of locking down their tenants.

The incident resembles a campaign from the previous year in which attackers spread DarkGate through compromised external Office 365 and Skype accounts, using VBA loader script attachments to breach unsuspecting targets.

The findings also recall the incident in which the APT29 threat group abused Microsoft Teams. That Russian-backed group used the publicly available TeamsPhisher tool against corporate networks, targeting dozens of organisations worldwide, including government agencies.

The surge of phishing attacks against Microsoft Teams shows why organisations must remain vigilant and keep their security controls up to date. As the threat landscape evolves, users must stay informed about such campaigns to protect their infrastructure and their companies.
