Microsoft warns of new malware threat spread through Teams

The threat actor is currently tracked with the identifier Storm-0324, and Microsoft says this hacker group has been active since 2016.

In a blog post, Microsoft's internal security research team revealed that this past July, 'Storm-0324 was observed delivering malicious payloads using an open source tool. to send phishing bait through Microsoft Teams chats." Further investigation, Microsoft found that the group had primarily distributed JSSLoader malware since 2019. This malware could then be used by another threat actor group called Sangria Tempest to infect target PCs with ransomware files:

Storm-0324's delivery chain begins with phishing emails that reference invoices or payments, and contain links to SharePoint sites that store ZIP archives. Microsoft is currently focused on identifying abuse, removing malicious activity, and implementing new proactive protections to prevent malicious actors from using services on the company's platforms.

Microsoft adds that these malicious emails can look like real, popular documents such as DocuSign, Quickbooks. In some cases, they also ask victims to enter security codes or passwords just like the real thing. to, make the victim lose his guard. The company said it has taken several measures to prevent these types of malware from being spread in Teams chats. For example, suspending accounts that have been confirmed to be involved in fraudulent activity.

Microsoft also listed a number of methods that companies currently using Teams can deploy to prevent and limit the risk of this new phishing attack. This includes allowing only known devices to connect to Teams, educating employees on phishing and malware attacks, and reviewing suspicious logins.