The DarkGate Deception: How Microsoft Teams Became a Phishing Playground

Screenshot from customer of received message | Image: AT&T Cybersecurity

In the ever-evolving landscape of cyber threats, a new and unexpected front has opened up: Microsoft Teams chats. While phishing attacks via email are well-known, many users remain unaware of the dangers lurking within Teams chats. Microsoft’s default setting of enabling External Access in Teams, which lets users in other Microsoft 365 tenants message an organization’s users directly, has inadvertently opened a door for cybercriminals to exploit.

A recent incident, brought to the attention of AT&T Cybersecurity’s Managed Detection and Response (MDR) team, highlights this growing concern. An unsuspecting user received an unsolicited Teams chat from an external domain, sparking suspicions of a phishing attempt. This initial alert led to a broader investigation, revealing the sophisticated mechanisms of the DarkGate malware.


The initial clue was a message from an external user, seemingly legitimate with a “.onmicrosoft.com” domain. Despite appearing authentic and lacking suspicious activity reports, this domain was likely compromised by attackers. The MDR team’s subsequent investigation uncovered over 1,000 “MessageSent” Teams events linked to the external user, hinting at the widespread nature of this phishing campaign.

The investigation delved deeper, uncovering “MemberAdded” events in the chat logs, which were traced back to the attacker. These findings painted a clear picture of how attackers were infiltrating internal communications channels. The real breakthrough came when the MDR team identified three users who had downloaded a file named “Navigating Future Changes October 2023.pdf.msi”, a classic double-extension trick often used by cybercriminals.

The suspicious file, upon analysis, revealed its true nature. It attempted to connect to a known DarkGate command-and-control domain, hgfdytrywq[.]com, as identified by Palo Alto Networks. This domain, along with the double-extension file format, confirmed the involvement of DarkGate malware in this phishing campaign.
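The three signals the MDR team pivoted on (a high volume of “MessageSent” events from an external user, “MemberAdded” events from that same user, and downloads of a double-extension file) can be turned into a simple triage pass over exported Teams audit records. The following is an added example, not AT&T’s tooling; the record shape is a simplified version of the unified audit log (Operation, UserId, ObjectId fields), the sample events are constructed, and the internal domain “contoso.com” is assumed.

```python
import json
import re
from collections import Counter

# Constructed sample records in a simplified unified-audit-log shape (not real data).
SAMPLE_JSONL = """
{"Operation": "MessageSent", "UserId": "sales@attacker-tenant.onmicrosoft.com", "ChatId": "c1"}
{"Operation": "MessageSent", "UserId": "sales@attacker-tenant.onmicrosoft.com", "ChatId": "c2"}
{"Operation": "MemberAdded", "UserId": "sales@attacker-tenant.onmicrosoft.com", "ChatId": "c1"}
{"Operation": "MessageSent", "UserId": "alice@contoso.com", "ChatId": "c1"}
{"Operation": "FileDownloaded", "UserId": "alice@contoso.com", "ObjectId": "Navigating Future Changes October 2023.pdf.msi"}
{"Operation": "FileDownloaded", "UserId": "bob@contoso.com", "ObjectId": "Q3 report.pdf"}
"""

INTERNAL_DOMAINS = {"contoso.com"}  # assumed tenant domain(s)

# A document-looking name followed by an executable extension, e.g. ".pdf.msi".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.(msi|exe|js|vbs|lnk|scr|bat)$", re.IGNORECASE)


def load_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(user):
    """True when the UPN's domain is not one of our own tenant domains."""
    return user.split("@")[-1].lower() not in INTERNAL_DOMAINS


def triage(events, message_threshold=2):
    """Return the three indicators the incident hinged on, keyed by type."""
    msgs = Counter()
    member_adds = []
    downloads = []
    for e in events:
        op, user = e.get("Operation"), e.get("UserId", "")
        if op == "MessageSent" and is_external(user):
            msgs[user] += 1                      # volume of external chat messages
        elif op == "MemberAdded" and is_external(user):
            member_adds.append((user, e.get("ChatId")))  # outsider adding members
        elif op == "FileDownloaded" and DOUBLE_EXT.search(e.get("ObjectId", "")):
            downloads.append((user, e["ObjectId"]))      # double-extension lure
    return {
        "mass_senders": {u: n for u, n in msgs.items() if n >= message_threshold},
        "external_member_adds": member_adds,
        "double_extension_downloads": downloads,
    }


if __name__ == "__main__":
    print(json.dumps(triage(load_jsonl(SAMPLE_JSONL)), indent=2))
```

In a real hunt, raise message_threshold to match the tenant’s normal external-chat volume and feed the output into an alert rather than a print.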

This incident underscores a critical vulnerability in Microsoft Teams, a platform traditionally considered secure and primarily used for internal organizational communication. The ease with which attackers can exploit the External Access feature poses a significant threat to businesses and individuals alike.

This case serves as a stark reminder of the need for constant vigilance and updated security protocols, especially in widely used communication platforms like Microsoft Teams. As cybercriminals continue to innovate, the onus is on organizations and individuals to stay one step ahead, ensuring the safety and integrity of their digital communications.