Microsoft Teams is not the safe haven you think it is


Cybercriminals are capitalizing on the popularity of collaboration platform Microsoft Teams to infect victims with malware, a new report suggests.

According to security firm Avanan, there has been a spike in the number of cyberattacks taking place over Microsoft Teams since the turn of the year.

Specifically, attackers are using Teams chats and channels to spread malicious executable (.exe) files throughout organizations.

In the report, Avanan is critical of the protections afforded by Microsoft Teams, which is described as “lacking” in its approach to scanning for malicious files and links. TechRadar Pro has asked Microsoft for a response to this critique.

Microsoft Teams attacks

Given services like Slack and Microsoft Teams are closed ecosystems, designed to be accessible only to members of a specific organization and a select pool of guests, users can be forgiven for assuming these digital spaces are safe from attackers.

However, Avanan’s research demonstrates that cybercriminals are more than capable of invading these private systems. And once inside, the potential to cause widespread damage is large.

As the report explains, attackers begin by gaining access to a company’s Microsoft Teams domain, either using credentials already exposed online or by stealing passwords via phishing attacks.

After breaking into a Teams domain, they are then free to deliver malicious files to any member of the organization, either via one-on-one chats or group channels.

In the specific instance highlighted by Avanan, the attackers distribute an executable file entitled “User Centric”, which the researchers suppose is designed to sound innocuous. Once opened, the executable establishes the ability to self-administer, effectively handing control of the machine to the attackers.

To defend against these kinds of threats, Avanan advises Microsoft Teams customers to implement a system whereby all files are downloaded in a sandbox environment, where they can be inspected for malicious content. 

Beyond that, businesses are advised to deploy a comprehensive security suite and deliver cybersecurity training that will equip employees with the skills to identify suspicious files delivered over Microsoft Teams. 

Update: February 18
A Microsoft spokesperson has since responded to our request for comment with the following statement:

"This marketing report describes a known technique where a user’s email account must already be compromised. We offer a default layer of protection that includes malware scanning for shared files and we encourage all customers to investigate and implement additional layers of protection and apply best practices depending on their unique needs."

"We're continually evaluating the effectiveness of our platform at combating this kind of abuse, and investing to provide better protection where threat actors find weaknesses."

Joel Khalili
News and Features Editor
