Microsoft Teams, the popular collaboration platform, has been targeted by a phishing campaign that leverages a malicious document to deliver the DarkGate malware. The attack was discovered by security researchers from ESET, who analyzed a sample of the document that was sent to a victim’s email address.
The document, which claims to be a “Microsoft Teams update”, contains a malicious macro that downloads and executes the DarkGate malware when opened. The malware then connects to a remote server controlled by the attackers and performs various malicious actions, such as stealing credentials, encrypting files, and downloading additional payloads.
The attack is part of a larger campaign that targets Microsoft users with phishing emails that contain malicious documents or links. The attackers use social engineering techniques to trick users into opening the documents or clicking on the links, which then lead them to fake websites that mimic legitimate Microsoft services.
The phishing campaign uses various domains and email addresses to evade detection and attribution. Some of the domains used in this campaign are:
- teamsupdate.microsoft.com
- teamsupdate.microsoft.com.br
- teamsupdate.microsoft.com.co
- teamsupdate.microsoft.com.mx
- teamsupdate.microsoft.com.pe
The email addresses used in this campaign are:
- support@teamsupdate.microsoft.com
- support@teamsupdate.microsoft.com.br
- support@teamsupdate.microsoft.com.co
- support@teamsupdate.microsoft.com.mx
- support@teamsupdate.microsoft.com.pe
The researchers from ESET have shared their findings with Microsoft and other security vendors, who have issued alerts and recommendations to protect users from this attack. They have also provided some tips on how to spot and avoid phishing emails in general.
Some of the tips are:
- Do not open attachments or click on links from unknown or suspicious senders.
- Verify the sender’s identity and the legitimacy of the message by checking the sender’s email address, domain name, and contact information.
- Look for spelling and grammar errors, unusual formatting, or mismatched domains in the message.
- Use antivirus software and keep it updated with the latest definitions.
- Report any suspicious messages or activities to Microsoft or your IT administrator.
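As an added example (not code from ESET, Microsoft, or the article), the following Python script shows how the indicators and tips above can be turned into a simple mail-triage check: it reads raw messages, extracts the sender domain, matches it against the domains the article lists for this campaign, flags a display name that claims "Microsoft" while the address is outside microsoft.com, notes a Reply-To that differs from the From domain, and flags macro-capable Office attachments. The sample messages and the triage rules are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Sender domains the article reports for this campaign (taken from the text above).
CAMPAIGN_DOMAINS = {
    "teamsupdate.microsoft.com",
    "teamsupdate.microsoft.com.br",
    "teamsupdate.microsoft.com.co",
    "teamsupdate.microsoft.com.mx",
    "teamsupdate.microsoft.com.pe",
}

# Domain a genuine Microsoft notification would come from (assumption for the mismatch check).
LEGITIMATE_DOMAIN = "microsoft.com"

# Office formats that can carry VBA macros; the article describes a macro-bearing document.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".doc", ".xls")


def sender_domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(str(header_value))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def display_name_mismatch(from_header):
    """True when the display name mentions Microsoft but the address is not under microsoft.com."""
    name, _ = parseaddr(str(from_header))
    domain = sender_domain(from_header)
    claims_microsoft = "microsoft" in name.lower()
    under_legit = domain == LEGITIMATE_DOMAIN or domain.endswith("." + LEGITIMATE_DOMAIN)
    return claims_microsoft and not under_legit


def analyze_message(raw):
    """Parse one raw RFC 822 message and return the sender domain plus a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg.get("From", "")
    reply_to = msg.get("Reply-To", "")
    domain = sender_domain(from_hdr)
    findings = []

    if domain in CAMPAIGN_DOMAINS:
        findings.append("sender domain is a reported campaign indicator")
    if display_name_mismatch(from_hdr):
        findings.append("display name claims Microsoft but address is outside microsoft.com")
    if reply_to and sender_domain(reply_to) != domain:
        findings.append("Reply-To domain differs from From domain")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-capable Office attachment: {filename}")

    return {"from": domain, "findings": findings}


# Constructed sample messages: one mimicking the described lure, one benign.
SAMPLES = [
    """From: Microsoft Teams Support <support@teamsupdate.microsoft.com.br>
Reply-To: helpdesk@example.net
Subject: Microsoft Teams update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached update.
--b1
Content-Type: application/octet-stream; name="Teams_Update.docm"
Content-Disposition: attachment; filename="Teams_Update.docm"

ZmFrZQ==
--b1--
""",
    """From: Colleague <alice@example.org>
Subject: lunch

See you at noon.
""",
]


def scan_samples():
    """Run the triage over the constructed samples and return the results in order."""
    return [analyze_message(raw) for raw in SAMPLES]


if __name__ == "__main__":
    for result in scan_samples():
        print(result["from"], "->", result["findings"] or ["no findings"])
```

The domain match is an exact-set lookup on purpose: the article gives concrete indicator domains, and an exact match keeps false positives low, while the display-name and Reply-To checks encode the "mismatched domains" tip for messages that use domains not on the list.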
Microsoft has also issued an advisory on how to protect users from phishing attacks that impersonate its own services. The advisory lists steps that users can take to secure their accounts and devices, such as:
- Enable multi-factor authentication (MFA) for their Microsoft accounts.
- Use strong passwords and change them regularly.
- Avoid using public or unsecured Wi-Fi networks.
- Use a VPN when connecting to public Wi-Fi networks.
- Enable security alerts and notifications for their Microsoft accounts.
- Review their account activity and security settings regularly.
Microsoft has also advised users to scan their devices for any malware infections using its own tools or third-party antivirus software. Users who suspect that they have been infected by DarkGate malware should disconnect their devices from any networks and contact Microsoft support for assistance.