Check Point Email Security | Blog

Another Teams Attack Highlights Importance of Full-Suite Security

Written by Jeremy Fuchs | September 12, 2023

A new phishing campaign is taking off in MIcrosoft Teams.

According to Bleeping Computer, researchers have found a campaign that sends out DarkGate malware via Teams. 

Two compromised external users were sending out messages, like this one:

Clicking on the file leads to a download of a zip file from a SharePoint URL. It's a LNK file that's hiding as a PDF file. As a reminder, Check Point Research found that LNK files are up 44% YoY as a delivery mechanism for malicious files. 

This document contains a VBscript that leads to a DarkGate Loader.

The DarkGate loader has a number of evasion tools built-in.  A great breakdown of DarkGate Loader can be found here

We've seen a jump in Teams attacks making the news in recent months. We've written about a number of them, here and here. We also did a video breakdown:

 

As we see Teams attacks surging, it's time to think about how to implement true Teams security in your organization. 

There's a few types of protection out there--there's the visibility kind, which monitors anomalous logins and any unusual behavior. All very valuable. But as Forrester notes, "protections developed for the email inbox must extend to these environments."

We're one of the only vendors to provide, again as Forrester notes, "full protection for communication and collaboration applications like Teams, SharePoint, Slack and Dropbox."

How do we do it?  We bring the same email protection to these channels. Every file is scanned in a sandbox for malicious content, as are links within files and messages. When we detect sensitive information, such as social security numbers, it's blocked and the sender is notified. 

Additionally, we have a user behavior anomaly engine that identifies suspicious logins and compromised accounts, and then cross-correlates that with other protected SaaS apps to detect compromised accounts, insider threats and insecure configurations.

Beyond that, we have a compliance bot for education, which helps reduce the amount of freely shared sensitive data.

We predict that Teams attacks are going to continue to increase in the next six months, particularly leveraging sophisticated malware like the example above.

Ensuring full protection is no longer optional--it's essential.