Microsoft Teams

New phishing attacks are using Microsoft Teams group chat requests to distribute malicious attachments that install DarkGate malware on victims’ systems.

According to AT&T Cybersecurity research, attackers have sent over 1,000 malicious Teams group chat invites using what appears to be a compromised Teams user (or domain).

Once the targets accept the chat request, the threat actors trick them into downloading a file with a double extension named ‘Navigating Future Changes October 2023.pdf.msi,’ a common DarkGate tactic.

After installation, the malware connects to its command-and-control server at hgfdytrywq[.]com, a confirmed part of the DarkGate malware infrastructure.

This phishing attack is possible because Microsoft allows external Teams users to message other tenants’ users by default.

AT&T Cybersecurity network security engineer Peter Boyle advises disabling External Access in Microsoft Teams for most companies, unless absolutely necessary for daily business use. He also recommends training end users to be vigilant about unsolicited messages and to understand that phishing can take many forms beyond email.
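The External Access setting Boyle refers to is tenant-wide federation configuration. As an added example that is not from the AT&T report or this article, the following uses the MicrosoftTeams PowerShell module to review the current state and then either disable external access or restrict it to an allow list; `partner.example` is a placeholder domain.

```powershell
# Added example, not from the original article. Requires the MicrosoftTeams
# module (Install-Module MicrosoftTeams) and a Teams administrator account.
Connect-MicrosoftTeams

# Step 1: record the current federation settings before changing anything.
# AllowFederatedUsers $true with an empty AllowedDomains list is the default
# "open federation" state that lets any external tenant start a chat.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowPublicUsers, AllowedDomains, BlockedDomains

# Option A: disable external access entirely (the setting Boyle recommends
# for most organizations). This blocks other tenants, Teams personal
# accounts, and Skype consumer accounts from initiating chats.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# Option B: keep federation for named partners only. Any domain not on the
# list is refused, so an attacker's unrelated or compromised tenant cannot
# reach users. "partner.example" is a placeholder for a real partner domain.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @("partner.example")

# Step 2: verify the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains
```

Parameter names vary slightly between module versions, so confirm them with `Get-Help Set-CsTenantFederationConfiguration -Full` before running in production.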

[Image: Teams group chat phishing (upscaled for legibility). Image: AT&T Cybersecurity]

Due to its massive user base of 280 million monthly users, Microsoft Teams has become an attractive target for threat actors. DarkGate operators exploit this by pushing their malware through Microsoft Teams, targeting organizations where admins haven’t disabled the External Access setting.

Similar campaigns were observed last year that pushed DarkGate malware through compromised external Office 365 and Skype accounts.

APT29, a hacking division of Russia’s Foreign Intelligence Service, exploited a security issue in Microsoft Teams to target organizations worldwide, including government agencies.

Surge of DarkGate malware attacks

Following the disruption of the Qakbot botnet in August, cybercriminals have increasingly turned to the DarkGate malware loader as their preferred means of initial access to corporate networks.

Before the Qakbot botnet was taken down, the developer of DarkGate attempted to sell $100,000 annual subscriptions on a hacking forum, claiming that the malware includes various capabilities such as a concealed VNC, tools to bypass Windows Defender, a browser history theft tool, and more.

After the developer’s announcement, there has been a surge in reported DarkGate infections, with cybercriminals using various delivery methods, including phishing and malvertising.
