Published on January 31, 2024

According to a cybersecurity threat report from AT&T, Microsoft Teams chats are being used to spread the DarkGate malware through phishing.

The experts detected over 1,000 phishing messages from a single attacker during their investigation. This was possible because Microsoft enables External Access to company chats by default, which allows anyone in the organization to add any user to a chat, even an outsider.

How does the Microsoft Teams DarkGate phishing attack work?

You are a user in an organization when you suddenly get a message from someone you don’t know, asking you to install a file with a double extension such as filename.pdf.msi. You might be tempted to think it’s a PDF document from one of your colleagues, but in fact this is a known tactic of the DarkGate malware campaign.

Although Microsoft Teams will alert you that the person is outside your organization, the attacker appears to have a legitimate origin, because the message comes from a .onmicrosoft.com domain name.

An important detail to note here is the “.onmicrosoft.com” domain name. This domain, by all appearances, is authentic and most users would probably assume that it is legitimate. OSINT research on the domain also shows no reports for suspicious activity, leading the MDR SOC team to believe the username (and possibly the entire domain) was likely compromised by the attackers prior to being used to launch the phishing attack.

Once you click on the file and run the .msi installer, the malware connects the infected system to its command-and-control server at hgfdytrywq[.]com, which, according to Palo Alto Networks, is a confirmed component of the DarkGate malware infrastructure.
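The double-extension trick described above works because Windows Explorer hides the last file extension by default, so filename.pdf.msi is displayed as filename.pdf with an installer icon. The following PowerShell is an added example, not code from the article or from AT&T's report: it checks whether extensions are hidden on the current machine and flags file names where a document-looking extension is followed by an executable one. The extension lists, the function names and the sample file names are constructed for illustration.

```powershell
# Added example (not from the article): detect the double-extension trick
# used in the Teams DarkGate campaign. Lists and names are constructed.

# Extensions that execute or install code when opened.
$ExecutableExtensions = @('.msi', '.exe', '.scr', '.js', '.vbs', '.ps1', '.bat', '.cmd', '.hta', '.lnk')
# Extensions users associate with harmless documents or images.
$DocumentExtensions   = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.txt', '.jpg', '.png')

function Test-DeceptiveFileName {
    param([Parameter(Mandatory)][string]$Name)

    # A deceptive name has at least two extensions: name.<shown>.<real>
    $parts = $Name.Split('.')
    if ($parts.Count -lt 3) { return $false }

    $real  = '.' + $parts[-1].ToLower()   # what Windows actually runs
    $shown = '.' + $parts[-2].ToLower()   # what the user sees when extensions are hidden

    return ($ExecutableExtensions -contains $real) -and ($DocumentExtensions -contains $shown)
}

function Get-DeceptiveFiles {
    # Walk a folder (for example the Downloads folder) and list matching files.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-DeceptiveFileName $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

# Explorer hides known extensions when HideFileExt is 1, which is the Windows default.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 1) {
    Write-Warning "File name extensions are hidden: 'filename.pdf.msi' is shown as 'filename.pdf'."
}

# Constructed sample names for a dry run that does not touch the file system.
$samples = @('filename.pdf.msi', 'invoice.docx.exe', 'report.pdf', 'setup.msi', 'photo.jpg.scr', 'notes.txt')
$samples | ForEach-Object {
    [pscustomobject]@{ Name = $_; Deceptive = (Test-DeceptiveFileName $_) }
}

# Scan the current user's Downloads folder for the same pattern:
# Get-DeceptiveFiles -Path "$env:USERPROFILE\Downloads"
```

In the dry run, filename.pdf.msi, invoice.docx.exe and photo.jpg.scr are flagged, while setup.msi is not, because a plain installer does not pretend to be a document. Setting HideFileExt to 0 (Explorer's "File name extensions" option) makes the real extension visible to the user.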

How can I avoid getting infected with DarkGate in Microsoft Teams?

The External Access feature shouldn’t be enabled by default in Microsoft Teams, and if it is, system admins should configure Teams to block users from outside their organization from accessing company chats.
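The configuration change recommended above is made at the tenant level. The following PowerShell is an added example, not from the article: it reads the current External Access (federation) settings with the MicrosoftTeams module and shows both the strict option (no external organizations, no consumer accounts) and the allow-list alternative. It assumes a Teams administrator role and the MicrosoftTeams module; the cmdlet and parameter names are the ones the module documents, and the partner domain is a placeholder.

```powershell
# Added example (not from the article): tighten Teams External Access.
# Requires the MicrosoftTeams module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Record the current tenant-wide settings before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# 2a. Strictest option: no chat with other organizations and no chat with
#     personal (consumer) Teams accounts, inbound or outbound.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 2b. Alternative: keep External Access on, but only for named partner tenants.
#     'partner.example.com' is a placeholder; list the tenants you actually work with.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
#                                     -AllowedDomainsAsAList @('partner.example.com')

# 3. Confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

Disconnect-MicrosoftTeams
```

Option 2a removes the attack path entirely; option 2b keeps collaboration with known partners while still refusing messages from arbitrary .onmicrosoft.com tenants, which is how the attacker in this campaign reached their targets.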

Furthermore, as with any other phishing threat, users in the organization have to be advised on how to react when this kind of event occurs, whether it’s in Microsoft Teams or in other company communication channels.

Don’t accept any files from untrusted users, don’t open them and, most of all, don’t install them.

Right now, Microsoft 365 users are also targeted by phishing attacks, so we also recommend always being on alert.

Have you been the victim of a Microsoft Teams phishing attack or the DarkGate malware? Tell us all about it in the comments section below.

Claudiu Andone

Windows Troubleshooting Expert

Old-timer in the tech and science press, Claudiu is focused on whatever comes new from Microsoft.

His abrupt interest in computers started when he saw the first Home Computer as a kid. However, his passion for Windows and everything related became obvious when he became a sys admin in a computer science high school.

With 14 years of experience in writing about everything there is to know about science and technology, Claudiu also likes rock music, chilling in the garden, and Star Wars. May the force be with you, always!
