
Hackers leveraging Teams to drop malware, steal data, Microsoft warns

Microsoft has warned about hackers taking advantage of its collaboration platform, Teams. Attackers use Teams to gather information, trick users into sharing sensitive data, impersonate trusted sources, deliver malware through messages and calls, and even steal credentials, exfiltrate data, and maintain persistence.

For initial access, attackers typically use Teams to deliver information-stealing malware, which in turn enables credential theft, extortion, and ransomware. Teams is also a convenient channel for tech support scams, a long-standing malware-delivery lure whose variants keep changing; Microsoft also noted a rise in email bombing (flooding a target's mailbox with messages) used to create a sense of urgency.

Previous examples of threat actors delivering ransomware or other malware via Teams include:

- Storm-1674, an access broker, has used publicly available red-teaming tools such as TeamsPhisher to distribute DarkGate and other payloads.
- A threat actor impersonated a client on a Teams call to persuade the target to install the remote access tool AnyDesk, which was then used to deploy malware.
- Attackers direct Teams users to malicious websites.
- Widely available admin tools such as AADInternals can be used to push malicious links and payloads directly into Teams.
- Malicious search-engine ads spoofing Teams redirect users to fake download sites that host credential-stealing malware.

Even after a compromise was detected, attackers kept a foothold: in Teams, by taking over accounts and adding guest accounts; on the host, by abusing features such as shortcuts in the Startup folder and Sticky Keys to execute their tools.
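The host-side persistence spots named above, Startup-folder shortcuts and the Sticky Keys binary, are quick to audit. The following PowerShell is an added example written for this post, not code from Microsoft's report or the article; it is read-only and meant to be run in an elevated session on a Windows host you suspect. It goes beyond the text in one respect: besides sethc.exe (Sticky Keys) it checks the other accessibility binaries that the same replace-or-IFEO-debugger trick applies to. The "Suspicious" flags are heuristics to prioritise review, not verdicts.

```powershell
# Added example (not from the Microsoft report or the article): read-only audit of
# Startup-folder shortcuts and of the Windows accessibility binaries, sethc.exe
# (Sticky Keys) among them. Run elevated in PowerShell 5.1 or 7 on Windows.

function Get-StartupShortcuts {
    # Resolve every .lnk in the per-user and all-users Startup folders to its target.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Filter *.lnk -File -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [PSCustomObject]@{
                Shortcut   = $_.FullName
                Target     = $lnk.TargetPath
                Arguments  = $lnk.Arguments
                Modified   = $_.LastWriteTime
                # Heuristic: a target outside Windows\ or Program Files\, or a script/LOLBin
                # host, is the usual shape of a dropped persistence shortcut.
                Suspicious = ($lnk.TargetPath -notmatch '^[A-Z]:\\(Windows|Program Files)') -or
                             ($lnk.TargetPath -match '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)\.exe$')
            }
        }
    }
}

function Get-AccessibilityBinaryState {
    # The Sticky Keys backdoor either replaces sethc.exe or points an Image File Execution
    # Options "Debugger" value at it, so another program launches from the logon screen.
    # Both variants apply to the other accessibility helpers, so all are checked (an
    # extension of the post, which names only Sticky Keys).
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $bins = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe','atbroker.exe'
    foreach ($bin in $bins) {
        $path     = Join-Path $env:SystemRoot "System32\$bin"
        $debugger = (Get-ItemProperty -Path (Join-Path $ifeo $bin) -Name Debugger -ErrorAction SilentlyContinue).Debugger
        # Get-AuthenticodeSignature accepts catalog-signed OS binaries as well as embedded signatures.
        $sig = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [PSCustomObject]@{
            Binary     = $bin
            Debugger   = $debugger
            SigStatus  = if ($sig) { $sig.Status } else { 'missing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Any IFEO debugger, a missing/unsigned/invalid binary, or a non-Microsoft signer is worth a look.
            Suspicious = ($null -ne $debugger) -or
                         (-not $sig) -or ($sig.Status -ne 'Valid') -or
                         ($sig.SignerCertificate.Subject -notmatch 'Microsoft')
        }
    }
}

Get-StartupShortcuts | Format-Table -AutoSize
Get-AccessibilityBinaryState | Format-Table -AutoSize
```

On a clean host the second table shows every binary with no Debugger value, SigStatus Valid and a Microsoft signer; any row flagged Suspicious, or any Startup shortcut whose target you cannot account for, should be pulled into the incident timeline alongside the Teams account and guest-user changes, which this script does not cover.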

“Apart from admin accounts, which are an attractive target because they come with elevated privileges, threat actors try to trick everyday Teams users into clicking links or opening files that lead to malicious code execution, just like through email,” the researchers explain.

Read the complete article here.

👉 Apply for our next conference in Kuala Lumpur on December 9th and 10th, 2025 at this link with the passcode: “6f&%dX”, no quotes.

This post is licensed under CC BY 4.0 by the author.