According to Bleeping Computer, ransomware operators are using malicious fake ads for Microsoft Teams updates to infect systems. The infection then deploys Cobalt Strike to compromise the rest of the network.
The targeted organizations span various industries, with a recent focus on the education sector (K-12 specifically), which depends on a remote environment due to COVID-19. In a non-public security advisory, Microsoft is warning its customers about these FakeUpdates campaigns and offering recommendations that would lower the impact of the attack via its Defender ATP service.
The fake ads that lured unsuspecting users were made possible by interfering with search engine results through malicious online advertisements. In an example attack Microsoft detected, the bad guys purchased a search engine ad that caused the top results for Teams software to direct to a malicious domain.
Clicking on the link downloaded a payload that executed a PowerShell script to retrieve more malicious content. It also installed a legitimate copy of Microsoft Teams on the system to keep victims unaware of the attack.
It's important to make sure your users are aware of any potential warning signs. New-school security awareness training can prepare your users to stay alert and report any malicious activity.
Bleeping Computer has the full story.