An initial access broker associated with the Payouts King ransomware group is using Microsoft Teams phishing to deploy a malicious Microsoft Edge web browser extension, according to researchers at Zscaler. Once the hackers have a foothold within an organization, they sell the access to the ransomware gang to conduct follow-on attacks.
“In recent attacks, the threat actor leverages social engineering tactics paired with an innovative malware delivery mechanism,” the researchers write. “The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox. By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host.”
The attackers begin by sending the victim a Teams message that impersonates the organization’s IT staff, telling the user that they need a spam filter update. The user is sent to a fake Microsoft website with a series of buttons designed to install the malware, eventually requesting the victim’s Microsoft365/Outlook password.
“As threat actors like those affiliated with Payouts King continue to leverage social engineering, such as spam bombing and vishing, in tandem with innovative delivery mechanisms, organizations must adopt a defense-in-depth posture,” Zscaler says. “This includes robust monitoring of browser extension installations, strict control over native messaging host configurations, and comprehensive user training to recognize and report suspicious prompts, especially when they mimic legitimate IT administrative updates or management consoles.”
Zscaler has the story: Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware
