Attackers Exploit Microsoft Teams and AnyDesk to Deploy Malware
In a recent social engineering attack, cybercriminals used Microsoft Teams as the channel for deploying malware. According to the researchers, the attackers impersonated a client’s representative during a Microsoft Teams call to gain the victim’s trust. They initially attempted to install a Microsoft Remote Support application but, when that failed, persuaded the victim to download AnyDesk, a legitimate remote access tool. Once installed, AnyDesk was misused to deliver multiple malicious payloads, including a credential stealer and other malware.
Although the attack was intercepted before any data exfiltration occurred, it underscores the increasing sophistication of threat actors in utilizing diverse initial access methods for malware distribution. To mitigate such risks, organizations are advised to implement multi-factor authentication (MFA), maintain an allowlist of approved remote access tools, block unverified applications, and rigorously assess third-party technical support providers to reduce the threat of voice phishing (vishing).
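As an added illustration of the allowlist control recommended above (example code written for this page, not from the article or any vendor), the script below scans Sysmon-style process-creation events, flags any remote access tool that is not on the approved list or that runs from outside the standard install directories, and notes when the launch closely follows a Teams launch on the same host. The tool catalogue, allowlist, directory list, 30-minute window and log lines are all constructed assumptions.

```python
"""Alert on remote-access tools outside the approved allowlist (added example; constructed data)."""
import json
from datetime import datetime, timedelta

# Executable name -> product. Constructed catalogue; extend with the tools your EDR sees.
REMOTE_ACCESS_TOOLS = {"anydesk.exe": "AnyDesk", "teamviewer.exe": "TeamViewer"}
APPROVED_TOOLS = {"TeamViewer"}                      # hypothetical org allowlist
APPROVED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
TEAMS_WINDOW = timedelta(minutes=30)                 # "launched during a Teams call"
# Constructed sample events (simplified Sysmon Event ID 1 fields), one JSON object per line.
SAMPLE_LOG = r"""
{"time": "2024-05-02T10:01:12", "host": "WS-042", "user": "jdoe", "image": "C:\\Program Files\\Microsoft\\Teams\\current\\Teams.exe"}
{"time": "2024-05-02T10:14:03", "host": "WS-042", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"time": "2024-05-02T10:20:45", "host": "WS-017", "user": "itadmin", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"time": "2024-05-02T11:02:09", "host": "WS-017", "user": "itadmin", "image": "C:\\Users\\itadmin\\AppData\\Local\\Temp\\TeamViewer.exe"}
"""

def parse_events(log_text):
    """Parse JSON-lines events into dicts, oldest first, with 'time' as a datetime."""
    events = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])

def scan(log_text):
    """Return one alert per remote-access tool launch that violates the allowlist."""
    alerts, last_teams = [], {}          # host -> time of most recent Teams launch
    for ev in parse_events(log_text):
        image = ev["image"].lower()
        exe = image.rsplit("\\", 1)[-1]
        if exe == "teams.exe":
            last_teams[ev["host"]] = ev["time"]
            continue
        tool = REMOTE_ACCESS_TOOLS.get(exe)
        if tool is None:
            continue
        reasons = []
        if tool not in APPROVED_TOOLS:
            reasons.append("tool not on allowlist")
        if not image.startswith(APPROVED_DIRS):
            reasons.append("run from non-standard path")  # e.g. a user-downloaded copy
        if not reasons:
            continue                     # approved tool in approved location: no alert
        teams_at = last_teams.get(ev["host"])
        if teams_at and ev["time"] - teams_at <= TEAMS_WINDOW:
            reasons.append("started within 30 min of a Teams launch")
        alerts.append({"host": ev["host"], "user": ev["user"], "tool": tool, "reasons": reasons})
    return alerts
```

On the sample data this raises two alerts: the user-downloaded AnyDesk on WS-042 shortly after Teams started, and an approved TeamViewer binary running from a Temp directory.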
This incident is part of a broader trend of phishing campaigns employing various tactics to deceive victims into divulging sensitive information. Notable examples include:
- YouTube-Oriented Campaigns: Attackers impersonate popular brands, contacting content creators with fake promotion or partnership proposals. These emails contain links leading to malware like Lumma Stealer.
- Quishing Campaigns: Phishing emails with PDF attachments containing QR codes direct users to counterfeit Microsoft 365 login pages to harvest credentials.
- Exploiting Trusted Platforms: Phishing attacks leverage platforms like Cloudflare Pages and Workers to create fake sites mimicking Microsoft 365 login pages, often incorporating bogus CAPTCHA verifications to appear legitimate.
- HTML Attachment Phishing: Emails with HTML attachments disguised as legitimate documents (e.g., invoices, HR policies) contain embedded JavaScript that redirects users to phishing sites or executes malicious commands under the guise of error fixes.
To defend against these evolving threats, it is crucial for individuals and organizations to remain vigilant, verify the authenticity of unsolicited communications, and adhere to cybersecurity best practices.
Sorb Security is capable of defending against such attacks. Please reach out to sales@sorbsecurity.com for a PoV.