This malicious Microsoft Teams phishing scam pretends to be harmless vacation changes

Kevin Okemwa

September 11, 2023 at 8:55 AM·3 min read

AI-generated review summaries in the Microsoft Store

What you need to know

Hackers are leveraging a new phishing campaign dubbed 'DarkGate Loader' to compromise Microsoft Teams accounts.
The technique is designed to dupe unsuspecting users into downloading and opening .ZIP files marked 'Changes to the vacation schedule' onto their devices.
The disguised download process uses Windows cURL, and the pre-compiled script makes it harder to spot the malware since the code is hidden.

Hackers are leveraging sophisticated techniques to dupe and lure unsuspecting users into their malicious attacks. Toward the end of August, Truesec's research team started investigating a new process dubbed 'DarkGate Loader.'

This phishing campaign sends seemingly harmless messages to Microsoft Teams users. The hackers used compromised Office 365 accounts to send messages with harmful attachments to unsuspecting users to trick them into downloading and opening ZIP files marked 'Changes to the vacation schedule.'

Be aware that clicking on this ZIP file automatically initiates a download process from a SharePoint URL containing an LNK file disguised as a PDF document (via TechRadar.)

DarkGate Loader malware on Microsoft Teams

Trusec highlighted the hijacked accounts used by the hackers: "Akkaravit Tattamanas" (63090101@my.buu.ac.th) and "ABNER DAVID RIVERA ROJAS" (adriverar@unadvirtual.edu.co), sending malicious VBScript lurking inside the LNK file which in turn deploys the malware known as DarkGate Loader.

The sophisticated campaign leveraged by the hackers makes it extremely difficult for users to detect foul play since the download process of the ZIP files makes use of a SharePoint URL. Moreover, the pre-compiled script makes it harder to detect the malware since the code is hidden in the middle of the file.

According to the research firm, the script can also identify whether the target user has Sophos, a popular antivirus, installed on their endpoinIfhat it's not installed, the additional code is unmasked, and shellcode is launched, which leverages a technique dubbed 'stacked strings' to construct the DarkGate executable and load it in the system memory.

This attack was detected due to the security awareness training of the recipients. Unfortunately, current Microsoft Teams security features such as Safe Attachments or Safe Links was not able to detect or block this attack. Right now, the only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains, albeit it might have business implications since all trusted external domains need to be whitelisted by an IT administrator.

It's not the only Teams-related scam, as a group of Russian hackers named Midnight Blizzard recently leveraged a new exploit that affected under 40 organizations in August. The hackers used previously compromised Microsoft 365 tenants belonging to small business owners to create new domains that purport to be technical support entities. However, Microsoft has since mitigated the issue and is currently investigating the attack's impact.

For now, you should remain vigilant to unexpected messages and alert your administrator if you identify this infected file.

Yahoo Sports
Dolphins owner Stephen Ross reportedly declined $10 billion for team, stadium and F1 race
The value of the Dolphins and Formula One racing is enormous.
Yahoo Sports
Welcome to the WNBA: Caitlin Clark's regular-season debut is anything but easy
Clark set the Indiana Fever’s franchise record for turnovers (10), shot 5-of-15 from the floor and struggled with the Connecticut Sun’s physical defense.
Yahoo Sports
Caitlin Clark, Fever facing plenty of growing pains early after another blowout loss in home debut
The atmosphere was electric for Clark's home debut and there were brief flashes from the Fever, but it's clear they've got plenty to work on before they can compete with the WNBA's elite teams.
Yahoo Sports
NBA Draft Combine reactions: Edey oh my, Bronny James is ready & whose stock is rising? | On the Clock with Krysten Peek
Yahoo Sports NBA draft expert Krysten Peek is back for another season of On the Clock with Krysten Peek. Krysten just spent the week in Chicago at the NBA Draft Combine and kicks off draft season joined by CBS Sports' Kyle Boone.
Yahoo Sports
World No. 1 Scottie Scheffler tees off at PGA Championship after being arrested, charged with felony for incident outside Valhalla
Scottie Scheffler was arrested by police en route to Valhalla Golf Club during a traffic incident.
Yahoo Sports
2024 NBA Mock Draft 7.0: Who will the Hawks take at No. 1? Our projections for every pick with lottery order now set
With the lottery order set, here's a look at Yahoo Sports' projections for both rounds of the 2024 NBA Draft.
Yahoo Sports
2024 Wide Receiver rankings for fantasy football
The Yahoo Fantasy football analysts reveal their first wide receiver rankings for the 2024 NFL season.
Yahoo Sports
What scouts think of Bronny James' NBA prospects
The biggest question looming over the NBA draft combine this week: How will Bronny James do?
Yahoo Sports
Fox Sports host Doug Gottlieb hired as Green Bay's coach, will reportedly still host radio show
Gottlieb's repeatedly courted controversy in his media role and will reportedly continue to host his nationally syndicated radio show while coaching Green Bay.
Yahoo Sports
Scottie Scheffler releases statement following arrest: 'There was a big misunderstanding of what I thought I was being asked to do'
Scheffler was arrested following an incident with an officer outside the entrance to Valhalla Golf Club.
Yahoo Sports
2024 NFL schedule: Everything you need to know about this season's slate of games
Here's what you need to know about the 2024 NFL schedule after Wednesday night's announcement.
Yahoo Sports
NFL schedule release: The top 10 must watch games of the regular season
What are the most anticipated games for this NFL season?
Yahoo Sports
The Spin: Making a call on 5 slumping fantasy baseball stars
All five of these hitters were drafted highly in fantasy baseball leagues. So far, they have not lived up to their ADPs — and that's an understatement. Scott Pianowski analyzes.
Yahoo Sports
2024 Tight end rankings for fantasy football
The Yahoo Fantasy football analysts reveal their first tight end rankings for the 2024 NFL season.
Yahoo Sports
Attorneys say Scottie Scheffler likely won't face felony conviction: 'Probably about a zero percent chance'
Scottie Scheffler will likely avoid the most serious charges filed against him stemming from Friday morning's altercation with police.
Yahoo Sports
Fantasy Baseball Numbers Do Lie: Luck evening out will change fortunes for these 5 players
Dalton Del Don puts some fraudulent stats under the magnifying glass as we move through Week 7 of the fantasy baseball season.
Yahoo Sports
Rory McIlroy files for divorce from wife Erica after seven years of marriage
On the eve of the PGA Championship, Rory McIlroy has filed for divorce from his wife, Erica.
Yahoo Life Shopping
Memorial Day sales 2024: Everything we know, including early deals you can shop now
Mark your calendar: The holiday weekend runs May 24-27, but you don't have to wait to save.
Yahoo Life Shopping
'No Botox, no peels, no fillers': Salma Hayek's go-to ingredient for ageless skin is in this $10 cream
The bark of the 'Mexican skin tree' is known for its regenerative properties.
Yahoo Sports
Lionel Messi's salary, Inter Miami's payroll are MLS record highs
Even without his Apple deal and his equity in Inter Miami, Lionel Messi is making more money than all but a few MLS teams.

News

Life

Entertainment

Finance

Sports

New on Yahoo

This malicious Microsoft Teams phishing scam pretends to be harmless vacation changes

What you need to know

Recommended Stories

Dolphins owner Stephen Ross reportedly declined $10 billion for team, stadium and F1 race

Welcome to the WNBA: Caitlin Clark's regular-season debut is anything but easy

Caitlin Clark, Fever facing plenty of growing pains early after another blowout loss in home debut

NBA Draft Combine reactions: Edey oh my, Bronny James is ready & whose stock is rising? | On the Clock with Krysten Peek

World No. 1 Scottie Scheffler tees off at PGA Championship after being arrested, charged with felony for incident outside Valhalla

2024 NBA Mock Draft 7.0: Who will the Hawks take at No. 1? Our projections for every pick with lottery order now set

2024 Wide Receiver rankings for fantasy football

What scouts think of Bronny James' NBA prospects

Fox Sports host Doug Gottlieb hired as Green Bay's coach, will reportedly still host radio show

Scottie Scheffler releases statement following arrest: 'There was a big misunderstanding of what I thought I was being asked to do'

2024 NFL schedule: Everything you need to know about this season's slate of games

NFL schedule release: The top 10 must watch games of the regular season

The Spin: Making a call on 5 slumping fantasy baseball stars

2024 Tight end rankings for fantasy football

Attorneys say Scottie Scheffler likely won't face felony conviction: 'Probably about a zero percent chance'

Fantasy Baseball Numbers Do Lie: Luck evening out will change fortunes for these 5 players

Rory McIlroy files for divorce from wife Erica after seven years of marriage

Memorial Day sales 2024: Everything we know, including early deals you can shop now

'No Botox, no peels, no fillers': Salma Hayek's go-to ingredient for ageless skin is in this $10 cream

Lionel Messi's salary, Inter Miami's payroll are MLS record highs