Researchers at Truesec are tracking a phishing campaign that’s distributing the DarkGate Loader malware via external Microsoft Teams messages.
“On August 29, in the timespan from 11:25 to 12:25 UTC, Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign,” the researchers write. “The message content aimed to social engineer the recipients into downloading and opening a malicious file hosted remotely.”
The phishing messages purported to come from the HR department regarding employee vacation schedule changes. Recipients were asked to open an attached ZIP file to see if their vacation plans had been canceled.
The messages stated, “Dear Colleagues, I regretfully have to inform you about unplanned changes in the vacation schedule due to unforeseen circumstances. As a result of a force majeure situation that we had to take into account, we have had to cancel the vacations of certain employees. I understand that such changes might impact your plans, and I apologize for any inconvenience this may cause.”
Truesec notes that the attacks were thwarted because the targeted employees realized the messages were suspicious.
“This attack was detected due to the security awareness training of the recipients,” the researchers write. “Unfortunately, current Microsoft Teams security features such as Safe Attachments or Safe Links were not able to detect or block this attack. Right now, the only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains, albeit it might have business implications since all trusted external domains need to be whitelisted by an IT administrator.”
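The domain allowlist the researchers describe can be set with the MicrosoftTeams PowerShell module. The script below is an added example, not code from Truesec or the original post; the domain names are constructed placeholders, and the `-TrustedDomains` and `-Apply` parameters are this script's own.

```powershell
# Added example: limit Teams external access to an explicit domain allowlist.
# Assumes the MicrosoftTeams module is installed and the account signing in
# is a Teams administrator. Domain names are constructed placeholders.
param(
    [string[]]$TrustedDomains = @('partner.example', 'supplier.example'),
    [switch]$Apply   # without -Apply the script only reports what it would do
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Record the current external-access settings before changing anything,
# so the previous state can be restored if a business contact is cut off.
$before = Get-CsTenantFederationConfiguration
$before | Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# Normalise and validate the requested domains; reject anything that is not
# a plain DNS name so a typo cannot silently widen or empty the allowlist.
$allow = New-Object 'Collections.Generic.List[String]'
foreach ($entry in $TrustedDomains) {
    $domain = $entry.Trim().ToLowerInvariant()
    if ($domain -notmatch '^([a-z0-9-]+\.)+[a-z]{2,}$') {
        throw "Not a domain name: '$entry'"
    }
    if (-not $allow.Contains($domain)) { $allow.Add($domain) }
}
if ($allow.Count -eq 0) { throw 'Refusing to apply an empty allowlist.' }

if ($Apply) {
    # Keep federation on, but only for the listed domains. Chat requests
    # from any other external tenant are no longer delivered.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $allow

    # Read the setting back to confirm what is now in force.
    Get-CsTenantFederationConfiguration |
        Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
} else {
    "Dry run. Would restrict external Teams access to: $($allow -join ', ')"
}
```

Run it once without `-Apply` and review the list with the business owners of each external relationship before enforcing it.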
New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize social engineering attacks.
Truesec has the story.