Watch out – this devious Microsoft Teams phishing campaign could infect your PC

[Image: Teams (Image credit: Microsoft)]

Experts have warned Microsoft Teams messages are being used as a vector for a new phishing campaign designed to dupe users into downloading an attachment containing malware.

The malicious messages, sent from several compromised Office 365 accounts, contain a ZIP file called "changes to the vacation schedule."

Clicking on this will download the file from a SharePoint URL. Inside the compressed archive is what looks like a PDF file but is actually an LNK (Windows shortcut) file, which itself contains a dangerous VBScript that leads to the malware, known as DarkGate, being installed.

DarkGate

Cybersecurity firm Truesec launched an investigation into the phishing campaign and found that the script uses Windows cURL to fetch the malware's code. The script is pre-compiled, with the dangerous elements hidden in the middle of the file in order to evade detection.

The script also checks to see whether popular antivirus solution Sophos is installed on the victim's endpoint. If it isn't, then additional code is unmasked and shellcode is launched to trigger the DarkGate executable and load it into the system memory. 
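The lure described above relies on an archive entry that looks like a document but is really a Windows shortcut. The following Python script is an added example written for this page, not code from Truesec or TechRadar, showing how a mail or chat gateway could triage such an attachment before a user sees it: it opens a ZIP in memory, reads the first bytes of each entry, and flags any entry whose content carries the LNK header signature, especially when the name ends in a document extension followed by ".lnk" (Explorer always hides the ".lnk" suffix, so "schedule.pdf.lnk" displays as "schedule.pdf"). It also flags entries named ".pdf" whose bytes do not start with the PDF magic. The sample archive it scans is constructed inline; the entry names and contents are made-up test data.

```python
import io
import zipfile

# Signature of a Windows shell link (.lnk): HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
PDF_MAGIC = b"%PDF-"

# Document-style extensions that a shortcut might hide behind.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def classify_entry(name: str, head: bytes) -> list:
    """Return findings for one archive entry based on its name and leading bytes."""
    findings = []
    lower = name.lower()
    is_lnk = head.startswith(LNK_MAGIC)
    if is_lnk:
        findings.append("lnk: Windows shell link found inside archive")
        # Strip a trailing ".lnk" (hidden by Explorer) and see what the user would see.
        stem = lower[:-4] if lower.endswith(".lnk") else lower
        if stem.endswith(DOCUMENT_EXTENSIONS):
            findings.append(f"masquerade: {name} is a shortcut posing as a document")
    if lower.endswith(".pdf") and not is_lnk and not head.startswith(PDF_MAGIC):
        findings.append(f"magic-mismatch: {name} claims to be PDF but content is not")
    return findings


def scan_zip(data: bytes) -> dict:
    """Scan a ZIP held in memory; return {entry_name: [findings]} for suspicious entries."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # enough to cover the LNK header signature
            findings = classify_entry(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed sample: one benign PDF and one LNK disguised as a PDF (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.pdf", PDF_MAGIC + b"1.4\n%constructed sample\n")
        zf.writestr("changes to the vacation schedule.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_zip(build_sample_zip()).items():
        print(entry)
        for finding in findings:
            print("  -", finding)
```

Only the header bytes are inspected, so the check is cheap enough to run on every inbound attachment; a real gateway would quarantine flagged archives and log the sender account for follow-up, since the campaign above used compromised internal-looking accounts rather than obviously foreign senders.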

This is not the first time Microsoft Teams messages have been a cause for concern. Recently, a bug was found which allowed messages from external accounts to be received into an organization's inbox, which is not supposed to happen. It looks as if this new DarkGate campaign is making use of this flaw. 

Microsoft has not addressed the flaw directly; all it has done is recommend that organizations make allow-lists in Teams so that only certain external organizations can communicate with them, or else disable external communications altogether.

DarkGate has been around since 2017, but its use has been restricted to only a handful of cybercriminals against specific targets. It is a powerful and all-encompassing tool, capable of stealing files, browser data, and clipboard contents, as well as cryptomining, keylogging and remote control of endpoints. 


Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 