Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft Teams. Show all posts
phishing
Black Basta Ransomware Custom Malware Email Helpdesk Social Engineering Microsoft Teams phishing

UNC6692 Uses Microsoft Teams Impersonation to Deploy SNOW Malware

 



A newly tracked threat cluster identified as UNC6692 has been observed carrying out targeted intrusions by abusing Microsoft Teams, relying heavily on social engineering to deliver a sophisticated and multi-stage malware framework.

According to findings from Mandiant, the attackers impersonate internal IT help desk personnel and persuade employees to accept chat requests originating from accounts outside their organization. This method allows them to bypass traditional email-based phishing defenses by exploiting trust in workplace collaboration tools.

The attack typically begins with a deliberate email bombing campaign, where the victim’s inbox is flooded with large volumes of spam messages. This is designed to create confusion and urgency. Shortly after, the attacker initiates contact through Microsoft Teams, posing as technical support and offering assistance to resolve the email issue.

This combined tactic of inbox flooding followed by help desk impersonation is not entirely new. It has previously been linked to affiliates of the Black Basta ransomware group. Although that group ceased operations, the continued use of this playbook demonstrates how effective intrusion techniques often persist beyond the lifespan of the original actors.

Separate research published by ReliaQuest shows that these campaigns are increasingly focused on senior personnel. Between March 1 and April 1, 2026, 77% of observed incidents targeted executives and high-level employees, a notable increase from 59% earlier in the year. In some cases, attackers initiated multiple chat attempts within seconds, intensifying pressure on the victim to respond.

In many similar attacks, victims are convinced to install legitimate remote monitoring and management tools such as Quick Assist or Supremo Remote Desktop, which are then misused to gain direct system control. However, UNC6692 introduces a variation in execution.

Instead of deploying remote access software immediately, the attackers send a phishing link through Teams. The message claims that the link will install a patch to fix the email flooding problem. When clicked, the link directs the victim to download an AutoHotkey script hosted on an attacker-controlled Amazon S3 bucket. The phishing interface is presented as a tool named “Mailbox Repair and Sync Utility v2.1.5,” making it appear legitimate.

Once executed, the script performs initial reconnaissance to gather system information. It then installs a malicious browser extension called SNOWBELT on Microsoft Edge. This is achieved by launching the browser in headless mode and using command-line parameters to load the extension without user visibility.

To reduce the risk of detection, the attackers use a filtering mechanism known as a gatekeeper script. This ensures that only intended victims receive the full payload, helping evade automated security analysis environments. The script also verifies whether the victim is using Microsoft Edge. If not, the phishing page displays a persistent warning overlay, guiding the user to switch browsers.

After installation, SNOWBELT enables the download of additional malicious components, including SNOWGLAZE, SNOWBASIN, further AutoHotkey scripts, and a compressed archive containing a portable Python runtime with required libraries.

The phishing page also includes a fake configuration panel with a “Health Check” option. When users interact with it, they are prompted to enter their mailbox credentials under the assumption of authentication. In reality, this information is captured and transmitted to another attacker-controlled S3 storage location.

The SNOW malware framework operates as a coordinated system. SNOWBELT functions as a JavaScript-based backdoor that receives instructions from the attacker and forwards them for execution. SNOWGLAZE acts as a tunneling component written in Python, establishing a secure WebSocket connection between the compromised machine and the attacker’s command-and-control infrastructure. SNOWBASIN provides persistent remote access, allowing command execution through system shells, capturing screenshots, transferring files, and even removing itself when needed. It operates by running a local HTTP server on ports 8000, 8001, or 8002.

Once inside the network, the attackers expand their control through a series of post-exploitation activities. They scan for commonly used network ports such as 135, 445, and 3389 to identify opportunities for lateral movement. Using the SNOWGLAZE tunnel, they establish remote sessions through tools like PsExec and Remote Desktop.

Privilege escalation is achieved by extracting sensitive credential data from the system’s LSASS process, a critical Windows component responsible for storing authentication information. Attackers then use the Pass-the-Hash technique, which allows them to authenticate across systems using stolen password hashes without needing the actual passwords.

To extract valuable data, they deploy tools such as FTK Imager to capture sensitive files, including Active Directory databases. These files are staged locally before being exfiltrated using file transfer utilities like LimeWire.

Mandiant researchers note that this campaign reflects an evolution in attack strategy by combining social engineering, custom malware, and browser-based persistence mechanisms. A key element is the abuse of trusted cloud platforms for hosting malicious payloads and managing command-and-control operations. Because these services are widely used and trusted, malicious traffic can blend in with legitimate activity, making detection more difficult.

A related campaign reported by Cato Networks underlines similar tactics, where attackers use voice-based phishing within Teams to guide victims into executing a PowerShell script that deploys a WebSocket-based backdoor known as PhantomBackdoor.

Security experts emphasize that collaboration platforms must now be treated as primary attack surfaces. Controls such as verifying help desk communications, restricting external access, limiting screen sharing, and securing PowerShell execution are becoming essential defenses.

Microsoft has also warned that attackers are exploiting cross-organization communication within Teams to establish remote access using legitimate support tools. After initial compromise, they conduct reconnaissance, deploy additional payloads, and establish encrypted connections to their infrastructure.

To maintain persistence, attackers may deploy fallback remote management tools such as Level RMM. Data exfiltration is often carried out using synchronization tools like Rclone. They may also use built-in administrative protocols such as Windows Remote Management to move laterally toward high-value systems, including domain controllers.

These intrusion chains rely heavily on legitimate software and standard administrative processes, allowing attackers to remain hidden within normal enterprise activity across multiple stages of the attack lifecycle.

Read more »
Social Engineering
DLL DNS attacks Emails malware Microsoft Teams Social Engineering

Fake IT Support on Microsoft Teams Used to Deliver New A0Backdoor Threat

 


A contemporary cyber campaign has been identified where attackers are using Microsoft Teams to target employees in financial and healthcare organizations, eventually infecting systems with a newly observed malware known as A0Backdoor.

Research from BlueVoyant shows that the attackers rely heavily on social engineering. They begin by overwhelming an employee’s inbox with large volumes of spam emails. Soon after, they contact the same individual on Microsoft Teams, pretending to be part of the company’s IT support team and offering help to resolve the issue. This sequence is designed to build trust and make the request appear routine.

Once the victim is convinced, the attacker asks them to start a remote session using Quick Assist, a built-in Windows feature meant for remote troubleshooting. After access is granted, the attacker delivers a set of malicious tools through MSI installer files. These installers are digitally signed and hosted on a personal Microsoft cloud storage account, which helps them appear legitimate at first glance.

The researchers found that these MSI files are disguised as familiar Microsoft-related components, including Microsoft Teams elements and CrossDeviceService, a real Windows service used by the Phone Link application. This naming strategy helps the files blend in with normal system processes.

To execute the attack, the threat actor uses a technique called DLL sideloading. This involves running trusted Microsoft programs to load a malicious file named hostfxr.dll. Inside this file is data that is either compressed or encrypted. When the file is loaded into memory, it decrypts this data into shellcode and begins execution.

The malware also uses the CreateThread function to generate multiple threads. This behavior is not meant to improve performance but to make analysis harder. According to the researchers, creating too many threads can cause debugging tools to crash, even though it does not noticeably affect normal system activity.

After execution begins, the shellcode checks whether it is running inside a sandbox environment, which is commonly used by security analysts. If no such environment is detected, it proceeds to create a cryptographic key derived from SHA-256. This key is then used to decrypt the A0Backdoor payload, which is protected using AES encryption.

Once decrypted, the malware moves itself to a different region in memory and activates its main functions. It collects system-level information using Windows API calls such as DeviceIoControl, GetUserNameExW, and GetComputerNameW. This allows it to identify and profile the infected machine.

For communication with its operators, the malware avoids traditional methods and instead uses DNS traffic. It sends DNS MX queries that contain encoded data within complex subdomains to public recursive DNS servers. The responses it receives include MX records that carry encoded instructions. The malware extracts the relevant part of the response, decodes it, and then follows the commands.

Researchers explain that using MX records helps the traffic appear normal, making it harder to detect compared to other DNS-based techniques, especially those that rely on TXT records, which are more commonly monitored.

The campaign has already targeted at least two organizations, including a financial institution in Canada and a global healthcare company.

BlueVoyant assesses with moderate to high confidence that this activity builds on methods previously linked to the BlackBasta group. Although that group reportedly shut down after internal chat logs were leaked, parts of its approach appear to be continuing in this operation.

At the same time, the researchers point out that several elements in this campaign are new. These include the use of signed MSI installers, the A0Backdoor malware itself, and the use of DNS MX records for command-and-control communication.

This case reflects how attackers are adapting their methods by combining trusted tools, familiar platforms, and layered techniques to bypass detection.

Read more »
Privacy violation
Employee Security Location data location data breach location tracking Microsoft Microsoft Teams Privacy Privacy violation

Microsoft Teams’ New Location-Based Status Sparks Major Privacy and Legal Concerns

 

Microsoft Teams is preparing to roll out a new feature that could significantly change how employee presence is tracked in the workplace. By the end of the year, the platform will be able to automatically detect when an employee connects to the company’s office Wi-Fi and update their status to show they are working on-site. This information will be visible to both colleagues and supervisors, raising immediate questions about privacy and legality. Although Microsoft states that the feature will be switched off by default, IT administrators can enable it at the organizational level to improve “transparency and collaboration.” 

The idea appears practical on the surface. Remote workers may want to know whether coworkers are physically present at the office to access documents or coordinate tasks that require on-site resources. However, the convenience quickly gives way to concerns about surveillance. Critics warn that this feature could easily be misused to monitor employee attendance or indirectly enforce return-to-office mandates—especially as Microsoft itself is requiring employees living within 50 miles of its offices to spend at least three days a week on-site starting next February. 

To better understand the implications, TECHBOOK consulted Professor Christian Solmecke, a specialist in media and IT law. He argues that the feature rests on uncertain legal footing under European privacy regulations. According to Solmecke, automatically updating an employee’s location constitutes the processing of personal data, which is allowed under the GDPR only when supported by a valid legal basis. In this case, two possibilities exist: explicit employee consent or a legitimate interest on the part of the employer. But as Solmecke explains, an employer’s interest in transparency rarely outweighs an employee’s right to privacy, especially when tracking is not strictly necessary for job performance. 

The expert compares the situation to covert video surveillance, which is only permitted when there is a concrete suspicion of wrongdoing. Location tracking, if used to verify whether workers are actually on-site, falls into a similar category. For routine operations, he stresses, such monitoring would likely be disproportionate. Solmecke adds that neither broad IT policies nor standard employment contracts provide sufficient grounds for processing this type of data. Consent must be truly voluntary, which is difficult to guarantee in an employer-employee relationship where workers may feel pressured to agree. 

He states that if companies wish to enable this automatic location sharing, a dedicated written agreement would be required—one that employees can decline without negative repercussions. Additionally, in workplaces with a works council, co-determination rules apply. Under Germany’s Works Constitution Act, systems capable of monitoring performance or behavior must be approved by the works council before being implemented. Without such approval or a corresponding works agreement, enabling the feature would violate privacy law. 

For employees, the upcoming rollout does not mean their on-site presence will immediately become visible. Microsoft cannot allow employers to activate such a feature without clear employee knowledge or consent. According to Solmecke, any attempt to automatically log and share employee location inside the company would be legally vulnerable and potentially challengeable. Workers retain the right to reject such data collection unless a lawful framework is in place. 

As companies continue navigating hybrid and remote work models, Microsoft’s new location-based status illustrates the growing tension between workplace efficiency and digital privacy. Whether organizations adopt this feature will likely depend on how well they balance those priorities—and whether they can do so within the boundaries of data protection law.
Read more »
remote access
Data Leak Infostealer malware Microsoft Teams remote access

Cybercriminals Abuse Microsoft Teams & Quick Assist for Remote Access

 

Trend Micro security experts discovered a sophisticated cyberattack that included social engineering tactics and commonly employed remote access tools. The attack, which uses stealthy infostealer malware, gives thieves permanent access over vulnerable PCs and allows them to steal sensitive data.

According to Trend Micro Threat Intelligence, the majority of incidents since October 2024 have been concentrated in North America, with 21 breaches reported. The US was the most affected, with 17 cases, followed by Canada and the United Kingdom, each with five. Europe documented a total of 18 incidents. 

Modus operandi 

Threat actors utilise social engineering techniques to acquire initial access by deceiving victims into submitting credentials. Microsoft Teams is used for impersonation, and Quick Assist and other remote access applications allow attackers to escalate privileges. OneDriveStandaloneUpdater.exe, a genuine OneDrive update application, is used to sideload malicious DLLs and grant attackers network access.

Subsequently, the attackers install BackConnect malware, which allows them to keep control of affected systems. Malicious files are hosted and propagated via commercial cloud storage services, leveraging misconfigured or publicly available storage buckets. 

The BackConnect malware has been linked by researchers to QakBot, a loader malware that was the focus of the 2023 takedown effort called "Operation Duckhunt." Access to target computers by Black Basta ransomware attackers was made possible in large part via QakBot. After it was taken down, these threat actors switched to alternative methods to continue operating. 

Black Basta and Cactus ransomware link 

Trend Micro analysts recently investigated cases in which the Black Basta and Cactus ransomware perpetrators used the identical BackConnect malware. This malware allows cybercriminals to execute commands remotely, steal credentials, and steal financial information.

In 2023, Black Basta alone extorted $107 million from victims, with manufacturing the largest hit, followed by financial sectors and real estate. Attackers also utilised WinSCP, an open-source file transfer client, to move data within infected systems. The infected files were first acquired from a cloud storage provider before being repackaged and distributed using system vulnerabilities. 

Further investigation into Black Basta's internal chat breaches indicates that members of the gang are now using Cactus ransomware. Researchers believe that this transition will allow Cactus to remain a major threat by 2025.
Read more »
Microsoft Teams
Black Basta Cyber Attacks Cybersecurity Precautions Hackers MFA Microsoft Microsoft 365 Microsoft Office vulnerability Microsoft Teams

Hackers Exploit Microsoft Teams for Phishing and Malware Attacks

 

Cybercriminals are increasingly targeting Microsoft Teams, utilizing the platform for sophisticated phishing, vishing, and ransomware campaigns. Exploiting Teams' widespread use, attackers employ social engineering tactics to deceive users and extract sensitive data. Methods range from fake job offers to malicious file sharing, aiming to infiltrate accounts and compromise organizational networks.

Bypassing Multifactor Authentication

One notable tactic involves bypassing multifactor authentication (MFA). Threat actors, reportedly linked to the SolarWinds attack, create fraudulent “onmicrosoft.com” subdomains designed to mimic legitimate security entities. They send chat requests via Microsoft Teams, prompting users to enter a code into the Microsoft Authenticator app. This action grants attackers unauthorized access to Microsoft 365 accounts, enabling data theft or the integration of malicious devices into corporate networks.

The Black Basta ransomware group employs a different strategy by overwhelming users with spam emails and impersonating IT support staff on Teams. Claiming to assist with email issues, they persuade victims to install remote desktop tools, providing attackers with direct access to deploy malware. This includes Trojans and ransomware designed to exfiltrate sensitive data and compromise systems.

Another prevalent scheme involves fake job offers. Scammers contact individuals with fabricated employment opportunities, sometimes conducting entire interviews via Microsoft Teams chat. These scams often escalate to requests for personal information, such as Social Security numbers or tax details. In some cases, victims are asked to pay for materials or services, resulting in financial loss and potential identity theft.

Attackers also impersonate HR personnel, sending phishing messages about urgent policy updates. These messages frequently include malicious files disguised as legitimate updates. Once downloaded, malware like DarkGate is installed, granting attackers control over the victim’s system and network.

Additionally, compromised Microsoft 365 accounts are used to distribute malicious files through Teams chats. These files often appear as PDFs with double extensions, deceiving users into downloading executable malware. Once activated, these programs can breach data and facilitate deeper network infiltration.

Mitigation Strategies for Organizations and Users

Vigilance is essential in countering these threats. Users should verify unexpected messages, invitations, or file-sharing requests, especially those containing links or urgent calls to action. Tools that check link safety and domain age can help detect phishing attempts.

Organizations should prioritize employee education on recognizing scams and enforcing robust cybersecurity protocols. By staying informed and cautious, users can mitigate risks and safeguard against cyberattacks targeting Microsoft Teams.

Read more »
Trend Micro
cryptomining Cyber Threats DarkGate malware malware Malware attacks malware-as-a-service (MaaS). Microsoft Teams Phishing Campaigns QakBot Botnet Ransomware Trend Micro

Compromised Skype Accounts Facilitate DarkGate Malware Spread

 

Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and MalwareBytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns utilized malicious VBScript to deploy the DarkGate malware. The attackers targeted users via compromised Office 365 accounts outside their respective organizations and leveraged a tool named TeamsPhisher. 

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The proliferation of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August. This was due to international collaborative efforts. 

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.
Read more »
Microsoft Teams
Account Theft Clop Ransomware Cyberattacks CyberCrime Cybersecurity malware Microsoft Microsoft Teams

Ransomware Access Broker Leverages Microsoft Teams Titles for Account Theft

 


A Microsoft warning has been issued about a new phishing campaign which is being undertaken by one of its first-level access brokers. This campaign uses Teams messages as lures to sneak into corporate networks to collect sensitive data. 

Under the control of Google's Threat Intelligence team, the cluster has been named Storm-0324, and it is closely monitored either under the name TA543 or Sigrid, as well as under the alias Storm-0324. Security researchers at Microsoft have noticed that the financially motivated group Storm-0324 has started using Teams to target potential victims, which they believe is a means of gaining easy access to their computer systems. 

As a payload distributor within the cybercriminal economy, Storm-0324 offers a service that is aimed at providing evasive infection chains as a means of propagating various payloads that are used in the manifestation of systems. There are a variety of types of malware that have been identified in this study, including downloaders, banking trojans, ransomware, as well as modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader. 

This actor has used decoy emails referencing invoices and payments in the past to trick users into downloading SharePoint-hosted ZIP archive files with JSSLoader, a malware loader able to profile and load additional payloads on infected machines.

In the past, he has used similar decoy email messages to trick users into downloading these files. It seems that Microsoft has assigned a temporary name, Storm-0324, to this particular threat actor before gaining clarity about the origin or identity of the individual behind the operation, and this suggests that Microsoft is not fully confident about the origin or identity of this particular threat actor. 

After Storm-0324 successfully compromised corporate networks with the use of JSSLoader, Gozi and Nymaim, the notorious cybercrime gang FIN7 was able to gain access to their systems. FIN7 has been observed deploying the Clop ransomware on the networks of its victims. 

It is also known as Sangria Tempest and ELBRUS. Before the now-defunct BlackMatter and DarkSide ransomware-as-a-service (Raas) operations took place, the ransomware was also known to be linked to Maze and REvil ransomware. 

Storm-0324 is also a malware distributor that distributes payloads for other malware authors, according to Microsoft. This group employs evasive tactics and uses payment and invoice lures to lure victims into their traps. It has been proven that the gang has distributed malware for FIN7 and Cl0p, both well-known Russian cybercrime gangs. 

It has been discovered that Storm-0324 is responsible for spreading phishing scams over Teams. Cybercriminals employ TeamsPhisher to scale up the mission of phishing, which allows tenants of Teams to attach files to messages that are sent to external tenants. 

Attackers send victims links that lead them to malicious SharePoint-hosted files. The Microsoft Teams vulnerability causing these attacks was previously said by Microsoft to have not met the requirements for immediate remediation. 

Enterprise administrators can minimize this risk by modifying security settings so that only certain domains are allowed to communicate with their employees, or by making it impossible for tenants to contact their employees outside their premises.

Furthermore, Microsoft explains that it has made several improvements to protect itself from such threats and to improve its defences against them. They have also enhanced the Accept/Block experience within Teams' one-to-one chats, in addition to suspending accounts and tenants whose behaviour is deemed inauthentic or fraudulent. 

In this manner, Teams users are reminded that the externality of a user and their email address is important so that they are more careful in interacting with unknown or malicious senders and do not interact with those users. In addition, there has been an enhancement to the notification feature for tenant admins when new domains are created in their tenants, which allows them to monitor if any new domains are created on their tenant's premises. 

It is believed that the group is leveraging previously compromised Microsoft 365 instances, most of which belong to small businesses, in their phishing attacks to create new domains that look as if they are technical support accounts for small businesses. 

These individuals are then persuaded by the group to approve the multi-factor authentication prompts initiated by the attacker through Teams messages. A new onmicrosoft.com subdomain is established using compromised instances that have been renamed and used to set up the new instance. 

Microsoft 365 uses the onmicrosoft.com domain name as a fallback if there is no custom domain created by the user. To provide credibility to the technical support-themed messages that are sent out as a lure by attackers, they often use security terms or product-specific names in these subdomain names. 

Specifically, the goal is to target users who have been set up to utilize passwordless authentication on their accounts or have obtained credentials for accounts that they have previously acquired credentials for. During the authentication process, the user is required to enter a code displayed on the screen of their mobile device into the prompt in Microsoft Authenticator, which is displayed during the authentication process.
Read more »
Subscribe to: Posts (Atom)