AT&T researchers have come across a phishing attack that leveraged Microsoft Teams group chats to push DarkGate malware onto victims' systems. The attackers used a compromised .onmicrosoft.com domain to send phishing messages, tricking users into downloading a deceptive file.

Here’s how it works

  • According to researchers, attackers utilized the compromised domain to send out more than 1,000 malicious Teams group chat invites.
  • Once recipients accepted the chat request, the attackers would persuade them to download a file with a deceptive double extension: 'Navigating Future Changes October 2023.pdf.msi'.
  • This triggered the download of the malware, which received additional commands from its command-and-control server at hgfdytrywq[.]com.

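The double-extension lure above ('.pdf.msi') is a pattern that can be checked for mechanically. The following PowerShell function is an added example, not part of the AT&T research or this article: it flags filenames whose final extension is executable while the preceding one imitates a document, and runs over a constructed list of sample names. The sample names and the extension sets are assumptions chosen for illustration; the lure filename is taken from the article.

```powershell
# Added example: flag filenames that hide an executable extension behind a document-like one.
function Test-DeceptiveExtension {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$FileName
    )
    process {
        # Extensions that are executed by Windows when opened (assumed set for this example).
        $executable = @('msi', 'exe', 'scr', 'js', 'jse', 'vbs', 'wsf', 'hta', 'cmd', 'bat', 'lnk', 'ps1')
        # Extensions that users associate with harmless documents or media (assumed set).
        $documentLike = @('pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'txt', 'jpg', 'png', 'zip')

        $parts = $FileName.ToLowerInvariant() -split '\.'
        # A deceptive double extension needs at least name.doc.exe (three parts).
        if ($parts.Count -lt 3) {
            return [pscustomobject]@{ FileName = $FileName; Deceptive = $false; Reason = 'single extension' }
        }
        $last = $parts[-1]
        $secondLast = $parts[-2]

        # Also catch long runs of spaces used to push the real extension out of view.
        $padded = $FileName -match ' {5,}\.' 

        $deceptive = ($executable -contains $last) -and (($documentLike -contains $secondLast) -or $padded)
        $reason = if ($deceptive) { "document-like '.$secondLast' followed by executable '.$last'" } else { 'no mismatch' }
        [pscustomobject]@{ FileName = $FileName; Deceptive = $deceptive; Reason = $reason }
    }
}

# Constructed sample filenames; only the first is the lure named in the article.
$samples = @(
    'Navigating Future Changes October 2023.pdf.msi',
    'Q3 Report.pdf',
    'archive.tar.gz',
    'invoice.docx.exe',
    'setup.msi'
)
$samples | Test-DeceptiveExtension | Format-Table -AutoSize
```

Run this against a downloads folder with `Get-ChildItem -Name | Test-DeceptiveExtension | Where-Object Deceptive` to surface files worth a closer look; it is a triage aid, not a substitute for endpoint protection.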
Researchers noted that the attack succeeded because External Access in Microsoft Teams, which allows users to message users in other tenants, was enabled by default.

Surge in DarkGate malware attacks

  • Following the disruption of the Qakbot botnet in August, cybercriminals have been observed increasingly relying on the DarkGate malware loader as their primary method for gaining initial access to corporate networks.
  • Cybercriminals employ various methods, including phishing and malvertising, to deliver the malware.
  • DarkGate is capable of bypassing Windows Defender, stealing browser history, and pilfering Discord tokens.

Final words

As the latest attack relies on phishing messages to deploy the malware, users are advised to be wary of unsolicited messages that ask them to download files. Moreover, it is recommended to disable External Access in Microsoft Teams unless it is necessary for daily business use.
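The External Access setting is controlled through the Teams admin center or the MicrosoftTeams PowerShell module. The script below is an added example, not from the article or from Microsoft: it reads the current federation configuration, then either disables external access outright or restricts it to an allow list of partner domains. The partner domain 'partner.example' is a placeholder; the cmdlet names are real MicrosoftTeams module cmdlets, and running it requires a Teams administrator account.

```powershell
# Added example: review and tighten Microsoft Teams External Access (federation).
# Requires: Install-Module MicrosoftTeams, and a Teams administrator sign-in.
Connect-MicrosoftTeams

# 1. Record the current state before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains |
    Format-List

# 2a. Strictest option: no chat or calls with users in any other tenant,
#     and no chat with personal (consumer) Teams accounts.
#     This is the "disable unless necessary" recommendation.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 2b. Alternative when some partners are required: keep federation on but
#     only for an explicit allow list. 'partner.example' is a placeholder;
#     replace it with the domains the business actually needs.
$partner   = New-CsEdgeDomainPattern -Domain 'partner.example'
$allowList = New-CsEdgeAllowList -AllowedDomain $partner
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 3. Confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains |
    Format-List
```

Apply either 2a or 2b, not both; 2b overrides 2a. With an allow list in place, an invite from an arbitrary .onmicrosoft.com tenant such as the one used in this campaign would not reach users, while approved partners keep working.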
Cyware Publisher