It’s true — Microsoft Teams group chat requests can be bad for you, as hackers hijack them to spread malware

Default Microsoft Teams feature could put organizations at risk

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are abusing a group chat feature inMicrosoftTeamsvideo conferencingsoftware to deploymalwareon people’s computers, researchers have warned.

Cybersecurity experts from AT&T Cybersecurity said that a threat actor was observed using either a compromised Teams user, or domain, to send more than 1,000 Teams group chat invites.

Anyone who accepts the invitation is served a file titled “Navigating Future Changes October 2023.pdf.msi” - and those with a sharp eye will notice that the file pretends to be a PDF, but is actually an MSI file - a Windows Installer package that delivers the DarkGate malware.

Human error

According to researchers from Trellix, DarkGate is a Remote Access Trojan (RAT) that was first discovered back in 2018. It enables attackers to fully compromise victim systems, and is sold as malware-as-a-service (MaaS), by a threat actor under the alias RastaFarEye.

The hackers were able to send so many invitations thanks to a feature that allows external Microsoft Teams users to message other tenants’ users by default.

“Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel,” AT&T Cybersecurity’s researcher Peter Boyle said in the announcement.

“As always, end users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

BleepingComputerclaims that there had been similar DarkGate campaigns last year, when hackers abused compromised external Office 365 accounts and Skype accounts to send messages with a VBA loader script attached. The publication also claims that many threat actors turned to DarkGate after Quakbot’s demise.  Microsoft Teams is currently one of the most popular communications and collaboration platforms in the world, with roughly 280 million active monthly users.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Google TV will require more RAM for future upgrades – which might leave older TVs and streaming boxes behind