Security Never Goes on Vacation: Microsoft Teams Used to Deliver DarkGate Loader Malware

Microsoft has detailed a new phishing campaign using Microsoft Teams to disseminate DarkGate Loader, a malware typically distributed via phishing emails… until now, at least.

On August 29, Microsoft Teams chat messages were sent from compromised Office 365 accounts, urging recipients to download a malicious file. In the attacks, download links were observed on sharepoint.com URLs with seemingly innocent names like “Changes to the vacation schedule.zip.”

Inside the ZIP file is a malicious LNK file disguised as a PDF document; when clicked, it downloads and executes Autoit3.exe together with a bundled script. The script hides its payload code in the middle of the file and ultimately writes out a new Windows executable identified as DarkGate Loader.
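As an added illustration from the defender's side (not code from the original post or from Microsoft), the following Python snippet scans a ZIP archive for the pattern described above: a Windows shortcut whose file name is dressed up as a document. It checks both the member name and the .lnk header bytes, so a shortcut renamed to a bare .pdf is flagged as well; the archive contents are constructed here, and the member names are invented.

```python
import io
import re
import zipfile

# Shell link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian form.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
# Document-looking extension placed in front of the real .lnk extension.
DECOY_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\s*\.lnk$", re.IGNORECASE)


def scan_zip_for_lnk_decoys(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is a shell link (.lnk),
    judged by its header bytes or its name, with notes on how it is disguised."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))
            by_content = head == LNK_HEADER
            by_name = info.filename.lower().endswith(".lnk")
            if not (by_content or by_name):
                continue
            findings.append({
                "member": info.filename,
                "lnk_by_content": by_content,
                "lnk_by_name": by_name,
                # Header says shortcut but the name hides it: renamed shortcut.
                "extension_mismatch": by_content and not by_name,
                "decoy_document_name": bool(DECOY_EXT.search(info.filename)),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: two disguised shortcuts next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changes to the vacation schedule.pdf.lnk", LNK_HEADER + b"\x00" * 64)
        zf.writestr("Quarterly report.pdf", LNK_HEADER + b"\x00" * 64)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_for_lnk_decoys(build_sample_zip()):
        print(finding)
```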

Microsoft Teams’ security features, such as Safe Attachments and Safe Links, did not detect or block this attack; researchers found a way to circumvent the application’s restrictions on files from external sources.