Fake Microsoft Teams updates lead to Cobalt Strike deployment
Ransomware operators are using malicious fake ads for Microsoft Teams updates to infect systems with backdoors that deploy Cobalt Strike to compromise the rest of the network.
In a non-public security advisory seen by BleepingComputer, Microsoft is warning its customers about these FakeUpdates campaigns, offering recommendations that would lower the impact of the attack via its Defender ATP service.
In at least one attack Microsoft detected, the crooks purchased a search engine ad that caused top results for Teams software to point to a domain under their control.
The malware also downloaded other payloads, with Cobalt Strike beacons being among them, thus allowing the attacker to discover how they could move laterally across the network.
Microsoft is warning that the same patterns seen in the FakeUpdates campaigns using Teams updates as a lure were observed in at least six others, suggesting the same actor is behind them.