Fake Teams site delivers Oyster malware via SEO poisoning and deceptive ads

Spoofed page mimics Microsoft’s design, tricking users into downloading malware

Best defense: type known URLs directly, avoid relying solely on search results

If you’re looking to install the Microsoft Teams platform, be very careful how you navigate to the downloads page, as experts have warned of a new malicious campaign tricking people into downloading malware instead.

Security researchers from Blackpoint SOC recently discovered a fraudulent Microsoft Teams downloads page hosted at teams-install[.]top. It looks almost identical to the legitimate Microsoft site: its colors, layout, and fonts all closely match the real page.

However, instead of downloading the popular communications platform, victims are served the Oyster backdoor, a known piece of malware that grants the attackers full access to the compromised endpoint.

SEO poisoning and malvertising

The site is optimized for search engines, a practice known as “SEO poisoning”. People searching for “teams download” (and probably a few other keywords) will find the spoofed site at the top of their search results, right next to the legitimate one.

If a user is not careful, it is quite easy to end up on the wrong site and download malware instead of the actual program.

To make things worse, the attackers also placed a few search ads, which likewise appear at the top of the search engine results page.

SEO poisoning and malvertising campaigns like this one work well because searching for known sites and programs, instead of typing the address into the browser’s address bar, is a rather common behavior.

Many users treat Google as their “front door” to the internet. For example, in 2024, YouTube was the most searched term on Google worldwide, closely followed by WhatsApp Web.

In the United States, Amazon led the search trends after YouTube. All these platforms are globally recognized and can all be accessed by typing their .com domain in the browser.

This is also the best way to defend against SEO poisoning and malvertising: don’t blindly trust search engine results, and wherever you can, navigate to sites directly by typing their address into your browser.
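Individual caution is the article's advice; on the network side, a defender can also look for the pattern this campaign relies on in web-proxy logs. The script below is an added example (not code from the article or from Blackpoint SOC): it scans constructed proxy log lines for hosts that carry a brand word such as "teams" but sit outside an assumed allowlist of Microsoft domains, and raises the severity when the request fetched an installer from such a host. The log format, the allowlist, the brand-word list and the sample lines are all assumptions; the lookalike host in the sample is the one the article reports.

```python
import re
from urllib.parse import urlparse

# Brand words whose presence in a hostname outside the vendor's own domains is
# the signal we key on (assumption: tune this list per organisation).
BRAND_TOKENS = ("teams", "microsoft", "office")

# Domains under which Microsoft legitimately serves Teams (assumption: an
# illustrative allowlist, not a complete inventory of Microsoft domains).
TRUSTED_SUFFIXES = ("microsoft.com", "office.com", "microsoftonline.com")

# File extensions that usually mean an installer was fetched; a lookalike host
# plus one of these is exactly the pattern the campaign relies on.
INSTALLER_EXT = (".exe", ".msi", ".msix", ".zip")

# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_is_trusted(host: str) -> bool:
    """True when host is exactly a trusted domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_host(host: str) -> str:
    """'trusted', 'lookalike' (brand word on an untrusted host) or 'other'."""
    host = host.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    if host_is_trusted(host):
        return "trusted"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "other"


def analyse_line(line: str):
    """Parse one log line; return a finding dict, or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    host = parsed.hostname or ""
    verdict = classify_host(host)
    installer = parsed.path.lower().endswith(INSTALLER_EXT)
    # Only lookalike hosts produce an alert; an installer download from one is
    # the high-severity case (that endpoint most likely ran the payload).
    if verdict != "lookalike":
        severity = "none"
    elif installer:
        severity = "high"
    else:
        severity = "medium"
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "host": host,
        "path": parsed.path,
        "verdict": verdict,
        "installer": installer,
        "severity": severity,
    }


def scan(lines):
    """Return only the findings that warrant an alert, in log order."""
    findings = (analyse_line(line) for line in lines)
    return [f for f in findings if f and f["severity"] != "none"]


def clients_to_isolate(alerts):
    """Clients that fetched an installer from a lookalike host, deduplicated."""
    return sorted({a["client"] for a in alerts if a["severity"] == "high"})


# Constructed sample log: a legitimate visit, the spoofed page the article
# reports, an installer pull from it, unrelated traffic, and a malformed line.
SAMPLE_LOG = [
    "2025-09-01T10:14:22Z 10.0.0.12 GET https://www.microsoft.com/en-us/microsoft-teams/download-app 200",
    "2025-09-01T10:15:03Z 10.0.0.12 GET https://teams-install.top/ 200",
    "2025-09-01T10:15:41Z 10.0.0.12 GET https://teams-install.top/download/TeamsSetup.exe 200",
    "2025-09-01T10:16:10Z 10.0.0.33 GET https://example.org/news 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_LOG)
    for alert in alerts:
        print(f"[{alert['severity']:>6}] {alert['ts']} {alert['client']} -> {alert['host']}{alert['path']}")
    print("isolate:", clients_to_isolate(alerts))
```

The brand-word check is a deliberately loose substring match, so it will also flag harmless hosts that happen to contain "teams" or "office"; that is acceptable for a triage queue but not for automated blocking. Note that the legitimate visit passes even though its path contains "microsoft-teams", because the verdict is made on the host, not the URL path. The heuristic complements, rather than replaces, the advice to navigate to download pages directly.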

