[Figure: Microsoft Teams security threat diagram. Attack chain flowchart from reconnaissance (TeamsEnum) to exfiltration (GraphRunner), attackers abusing chat and calls to deliver malware such as DarkGate, with MFA and monitoring shown as protective controls.]

Microsoft warns that cybercriminals and state-sponsored actors are increasingly abusing Microsoft Teams' core features (messaging, calls, meetings, and screen sharing) at every stage of the attack lifecycle, making the widely deployed collaboration platform a prime target. In the reconnaissance phase, attackers use tools such as TeamsEnum and TeamFiltration to enumerate users, groups, and tenants and to identify tenants whose external communication settings let outsiders message or call employees directly. They then develop resources by compromising or creating look-alike tenants for impersonation: Storm-1811 has posed as IT support over Teams to deploy ransomware, and 3AM affiliates have followed spam emails with Teams calls to obtain remote access, with malware such as DarkGate delivered through chat.


Once initial access is gained, attackers establish persistence through guest accounts, device code phishing to harvest tokens, or MFA bypasses, as seen in Octo Tempest's aggressive social engineering. For privilege escalation and lateral movement they turn to tools such as AzureHound to map Entra ID, as exemplified by Peach Sandstorm's ZIP-archived malware delivery and Active Directory probing. With admin privileges, an attacker can alter tenant trust settings to hop between tenants, spreading the breach across partner organizations.


In the final stages, attackers collect and exfiltrate data with GraphRunner, which exports Teams messages and OneDrive and SharePoint files, while malware such as cracked Brute Ratel builds uses Teams protocols for command-and-control. Impact ranges from ransomware to extortion, including Octo Tempest's threatening messages demanding payment. Microsoft says its Secure Future Initiative is tightening defaults, but defenders are urged to harden identities, monitor for anomalous Teams activity, enforce access controls on external and guest communication, and train users to recognize impersonation.
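The "weak external communication settings" that make the reconnaissance and impersonation stages above possible are tenant-level switches a Teams administrator can read and change. The following audit script is an added example, not part of Microsoft's report or any tool it names: it uses the MicrosoftTeams PowerShell module cmdlets Connect-MicrosoftTeams, Get-CsTenantFederationConfiguration, Get-CsTeamsClientConfiguration and Get-CsExternalAccessPolicy to flag open federation, consumer-account contact, and tenant-wide guest access. The shape of the AllowedDomains object (an AllowedDomain list when an allowlist is set) and the domain "partner.example.com" in the remediation comment are assumptions for illustration.

```powershell
# Added audit example (not from Microsoft's report). Requires the MicrosoftTeams
# module and a Teams Administrator role. Run interactively; it only reads settings.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Tenant-wide external access (federation) configuration.
$fed = Get-CsTenantFederationConfiguration

# Assumption: when an allowlist is configured, AllowedDomains exposes an
# AllowedDomain collection; with federation enabled and no allowlist, every
# Microsoft 365 tenant can reach your users (the setting attackers look for).
$allowList = @($fed.AllowedDomains.AllowedDomain)
if ($fed.AllowFederatedUsers -and $allowList.Count -eq 0) {
    $findings.Add("Open federation: any Microsoft 365 tenant can message or call your users. Restrict AllowedDomains to known partners.")
}
# Personal (consumer) Teams accounts are trivially created for IT-support impersonation.
if ($fed.AllowTeamsConsumer -or $fed.AllowTeamsConsumerInbound) {
    $findings.Add("Teams consumer (personal) accounts may contact or be contacted by users.")
}
if ($fed.AllowPublicUsers) {
    $findings.Add("Skype consumer accounts may contact users.")
}

# 2. Guest access, which attackers also use for persistence after initial access.
$client = Get-CsTeamsClientConfiguration
if ($client.AllowGuestUser) {
    $findings.Add("Guest access is enabled tenant-wide; review existing guest accounts and who may invite them.")
}

# 3. Per-user external access policies can be broader than the tenant default.
Get-CsExternalAccessPolicy | ForEach-Object {
    if ($_.EnableTeamsConsumerAccess) {
        $findings.Add("External access policy '$($_.Identity)' allows Teams consumer contact.")
    }
    if ($_.EnablePublicCloudAccess) {
        $findings.Add("External access policy '$($_.Identity)' allows Skype consumer contact.")
    }
}

# Report.
if ($findings.Count -eq 0) {
    "No weak external communication settings found."
} else {
    $findings | ForEach-Object { "WEAK: $_" }
}

# Remediation, to be run deliberately after reviewing the findings and agreeing
# the partner list with the business (partner.example.com is a placeholder):
# Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false
# Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @("partner.example.com")
```

Closing federation entirely is rarely acceptable, so the practical control is the allowlist: once AllowedDomains names only known partners, a fake "IT support" tenant cannot start a chat or call with your users, and the reconnaissance tools named above see a tenant that does not accept external contact.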