Hackers Targeting Microsoft Teams Users: The Scam And Prevention Steps

Security researchers at the Check Point company Avanan warn that cybercriminals are hacking Microsoft Teams accounts and dropping malicious executable files into conversations in order to infect participants' devices with malware.

The attacks began in January 2022. Microsoft Teams detected thousands of attacks that month, mostly at organizations, particularly media outlets, in the Great Lakes region of the U.S.

Hackers drop a malicious Trojan document into the chat thread. A user can easily pretend to be an organization's CEO, CFO, or IT help desk on Microsoft Teams. If a participant clicks on the document, the Trojan will run.

After it is executed, the malware writes data into the system registry and establishes persistence on the Windows device. The malware collects detailed information about the operating system, the hardware it runs on, the OS version, and the patches installed. This tells cybercriminals the security state of the device.

It is still unknown how cybercriminals are getting access to Teams accounts, but experts believe they may be using phishing scams or compromising a partner organization to steal email or Microsoft 365 credentials.

Researchers at Avanan say the attack is efficient because "many users trust files received over Teams." The organization's analysis of data from hospitals found that doctors are sharing medical information over Microsoft Teams without restriction.

Although users have been trained to be cautious of links and documents in email, they show no similar caution concerning files received through Teams. Many users approve requests because they are less familiar with Teams, researchers say.

In addition, according to the researchers, Teams lacks default protections, with only limited scanning for malicious links and files. Many email security solutions also fail to properly address Teams security.

Avanan recommends implementing cybersecurity software that downloads all files in a sandbox and inspects them for malware; securing all lines of business communications, including Teams; and encouraging users to ask IT about unfamiliar files.

Ionut Ilascu, "Hackers slip into Microsoft Teams chats to distribute malware," www.bleepingcomputer.com (Feb. 17, 2022).


Cybercriminals have focused on Microsoft Teams as a new channel for malware distribution because it is not well protected, and users are not yet cautious about files shared through Teams. Protect yourself from this new method of malware distribution by never assuming a document shared in Teams is safe, or that someone on Teams is who they say they are.

Knowing the methods cybercriminals use to spread malware can help protect you from a malware infection.

Phishing emails are one of the most common methods of malware distribution. In phishing campaigns, cybercriminals try to trick users into opening attachments or clicking on links in emails that will install malware on their device.

Protect yourself from this method of malware distribution by never clicking on unknown links or attachments in emails, no matter whom the email claims to be from.

Another increasingly common method of malware distribution is using Remote Desktop Protocol (RDP) to infect a device. RDP is intended to allow information technology staff to access employees’ computers but can be exploited by hackers to remotely access a device and infect it with malware.

Protect yourself from this method by keeping your software updated; using strong, unique passwords and multifactor authentication; and limiting who has access to your device.

Finally, cybercriminals also frequently spread malware through drive-by downloads, which occur when a user visits a compromised website. Avoid this malware distribution method by only visiting safe, legitimate websites that display the lock symbol and by typing in all web addresses yourself rather than clicking on links to sites.
