Microsoft Teams is at the center of a new DarkGate attack method. Malicious files are distributed via an access request to a Teams chat conversation.
AT&T Cybersecurity research warns of a phishing attack via Microsoft Teams. DarkGate operators get into Microsoft Teams conversations by sending a request to access a chat. Once the request is approved, they trick participants into downloading a file that installs the DarkGate malware on their systems. Microsoft Teams is known for allowing access from other tenants, which makes it an easy target for phishing.
DarkGate attack
DarkGate operators use a new attack method in which they attempt to gain access to a Microsoft Teams group conversation via an access request. If users accept this request, the threat actors trick them into clicking on a file with a double extension, named “Navigating Future Changes October 2023.pdf.msi”; double extensions are a common DarkGate tactic.
Simple goal
Microsoft Teams typically allows external Teams users to give presentations to people outside their own organization. This also lets users in different tenants message each other. This makes Microsoft Teams an easy target, especially if companies don’t disable their “Remote Access” setting. It is an attractive target for DarkGate operators, especially considering that Microsoft Teams has 280 million monthly users. Teams users should be particularly careful with messages from senders they do not know.
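The two conditions described above, a double extension such as `.pdf.msi` and a sender from another tenant, can be checked together when triaging chat attachments. The following Python code is an added example, not code from AT&T or Microsoft; the event fields, tenant names, sample events and extension lists are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Assumed extension lists for illustration; tune them to your environment.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXEC_EXTS = {"msi", "exe", "scr", "com", "bat", "cmd", "vbs", "js", "lnk", "hta"}


def double_extension(file_name: str):
    """Return 'decoy.exec' (e.g. 'pdf.msi') if the name hides an executable
    extension behind a document-looking one, otherwise None."""
    # Windows drops trailing dots and spaces, so normalize before parsing.
    base = PureWindowsPath(file_name.rstrip(". ")).name
    # Strip padding around each part so 'a.pdf   .msi' is still caught.
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS:
        return f"{parts[-2]}.{parts[-1]}"
    return None


def triage(events, home_tenant):
    """Flag chat attachments with a double extension and mark whether the
    sender is outside the home tenant."""
    findings = []
    for ev in events:
        hit = double_extension(ev["file_name"])
        if hit:
            findings.append({"sender": ev["sender"], "file_name": ev["file_name"],
                             "extensions": hit,
                             "external": ev["sender_tenant"] != home_tenant})
    # External senders first: that is the delivery path described above.
    return sorted(findings, key=lambda f: not f["external"])


# Constructed sample events; field names are hypothetical, not a Teams log schema.
SAMPLE_EVENTS = [
    {"sender": "hr@partner.example", "sender_tenant": "tenant-b",
     "file_name": "Navigating Future Changes October 2023.pdf.msi"},
    {"sender": "alice@corp.example", "sender_tenant": "tenant-a",
     "file_name": "Q3 budget.v2.xlsx"},
    {"sender": "bob@corp.example", "sender_tenant": "tenant-a",
     "file_name": "notes.TXT .EXE."},
    {"sender": "it@corp.example", "sender_tenant": "tenant-a",
     "file_name": "agent-setup.msi"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, home_tenant="tenant-a"):
        print(finding)
```

A plain installer such as `agent-setup.msi` and a versioned document such as `Q3 budget.v2.xlsx` are not flagged; only names that pair a document-looking extension with an executable one are.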