In a troubling development, cyber attackers are exploiting Microsoft Teams by posing as HR representatives. This malware campaign, active since late August 2023, uses compromised accounts to send deceptive messages linking to malicious ZIP (compressed) files. When accessed, these files install the DarkGate Loader malware, a modular tool capable of propagating further malware. The compromised accounts were traced back to users in Thailand and Colombia. Microsoft has now introduced measures to highlight external users and restrict domain creations.
Sample of Teams Message Request (Source: Twitter User @BushidoToken)
Sample of Teams Phishing Attempt (Source: Twitter User @BushidoToken)
A High-Risk Vulnerability for Healthcare
Microsoft Teams is a staple in the healthcare sector, making it a prime target for cybercriminals. It’s critical that healthcare entities remain vigilant against these types of evolving social engineering attacks.
Identified Groups
Our research revealed that groups such as APT29/Midnight Blizzard, DarkGate Loader (linked to BianLian ransomware), and JSSLoader by Storm-0324/TA543 (previously connected to FIN7) have utilized this phishing approach.
Recommendations for IT Healthcare Leaders
To minimize the risk of these attacks, our security team suggests the following precautions:
- Update Regularly: Ensure your operating system, web browser, and email client are always up-to-date.
- Enable MFA: Activate multi-factor authentication (MFA) for all online accounts that support it.
- Stay Wary: Be cautious of unexpected emails or messages, even if they seem to originate from known contacts.
- Limit MS Teams Chat: Only allow Microsoft Teams chat requests from recognized external domains.
- Avoid Suspicious Links & Attachments: Never click on links or open attachments in emails or messages from unfamiliar sources.
At ClearDATA, our managed security teams are rigorously monitoring these threats, collecting all related IOCs, and will keep a close eye on any incidents linked to these attacks.
Stay informed, stay safe, and always prioritize cybersecurity in our ever-evolving digital healthcare landscape.
Have questions about your cloud security? Set up time with us to talk, or explore our Managed Detection & Response services.
