Hackers Manipulate Microsoft Teams Chats to Distribute Malware (24th February 2022)

Ref# AL2022_10 | Date: Feb 24th 2022

Description

Researchers have discovered that some attackers are exploiting Microsoft Teams accounts. The aim behind this act is to sneak into chat rooms and transmit harmful executable code to other users.

Microsoft Teams has over 270 million monthly users, many of whom place their trust in the program and do not expect to be targeted by threat actors.

Summary

Researchers confirmed that these attacks began in January, whereby the cybercriminal inserts an executable file called “User Centric” into a chat to deceive the user into running it.

Once the malicious file has been executed, it inserts data into the system registry and into dynamic-link libraries (DLLs, libraries containing code and data that more than one program can use at the same time), and maintains persistence on the Windows system.

How it works

The method used to gain access to Teams accounts is unclear; however, it is suspected that the threat actors are using email phishing to steal Microsoft 365 users' credentials.

The attackers attached a malicious trojan document to a chat thread in Microsoft Teams to launch the attack; once a user clicks on it, the attacker eventually takes control of the user's machine.

According to an automated analysis of the malware, the malicious file can establish persistence via Windows Registry Run keys or by adding an item to the Startup folder.

It also gathers detailed information about the type of operating system and hardware it is running on, as well as the machine's security state, based on the operating system version and the updates that have been applied.
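The two persistence locations named above (Registry Run keys and the Startup folder) are easy to audit from a defender's side. The following read-only triage script is an added example written for this alert; it is not part of the advisory or of the analysed malware. It lists every Run/RunOnce entry and Startup-folder item, resolves the program each one launches, and flags entries whose executable lives outside Program Files or the Windows directory, or no longer exists on disk. The "trusted roots" list is an assumption for illustration; adjust it to the software your environment legitimately installs elsewhere.

```powershell
# Added example (not from the advisory): enumerate Run keys and Startup folders,
# resolve what each entry launches, and flag anything outside the expected roots.
# Read-only. Run elevated to see the HKLM keys; HKCU entries work as a normal user.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)

# Assumed "expected" install roots; entries anywhere else (AppData, Temp,
# Downloads, the user profile) deserve a second look.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# A Run-key value is a command line; pull out the program it starts,
# whether quoted ("C:\Program Files\x\y.exe" /arg) or bare (C:\x\y.exe /arg).
function Get-ExecutableFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        $exe = Get-ExecutableFromCommand -Command ([string]$p.Value)
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $findings += [pscustomobject]@{
            Source  = $key
            Name    = $p.Name
            Target  = $exe
            Trusted = Test-TrustedPath -Path $exe
            Exists  = Test-Path -LiteralPath $exe
        }
    }
}

foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            # Resolve the shortcut to the program it actually launches
            $shell  = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        $findings += [pscustomobject]@{
            Source  = $folder
            Name    = $_.Name
            Target  = $target
            Trusted = Test-TrustedPath -Path $target
            Exists  = Test-Path -LiteralPath $target
        }
    }
}

# Untrusted locations and dangling entries sort to the top.
$findings | Sort-Object Trusted, Exists | Format-Table -AutoSize
```

Anything reported with `Trusted = False` should be matched against known software before it is dismissed; a dropper placed by a file received over Teams will typically appear under the user's profile rather than under Program Files, since the user who ran it usually lacks rights to write anywhere else.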

Remediation

To circumvent this type of malware, users are advised to follow the steps below:

  • Implement a security solution that scans all files in a sandbox for harmful materials.
  • Deploy a comprehensive security architecture that protects all lines of the company communication channels, including Microsoft Teams.
  • Microsoft Teams users should contact their IT department if they encounter an unexpected file.
  • Unknown files provided over email or Microsoft Teams should not be opened. One of the ways hackers initiate attacks is to craft deceptive files and send them out over email, with the recipient becoming a victim of the threat actor once they accept the file.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Hackers Manipulate Microsoft Teams Chats.pdf
