
Microsoft Teams exposed a gateway to deliver DarkGate malware


Threat actors are using Microsoft Teams as a phishing attack vector to deliver the DarkGate malware into the systems.

This revelation came after AT&T Cybersecurity’s Managed Detection and Response (MDR) team’s recent interception of a phishing attack exploiting Microsoft Teams, shedding light on a new threat vector that has largely flown under the radar of end users.

While conventional phishing attacks are commonly associated with emails, this new vector underscores the vulnerability of Teams chats to malicious actors. The incident came to light when an AT&T Cybersecurity MDR customer raised concerns about an external user sending unsolicited Teams chats to internal members, suspecting it to be a phishing lure.

The customer provided crucial details, including the external user’s username and the IDs of users who had accepted the message, enabling the MDR SOC team to take action.

External user’s ID. | Source: AT&T

Researchers found a complex web of tactics employed by the attack, with indicators of compromise (IOCs) pointing to DarkGate malware. The attackers had exploited Microsoft Teams’ default External Access settings, allowing members to add users from outside their organisation to their Team chats. This provided an unsuspecting pathway for phishing attempts.

The phishing message appeared legitimate, featuring the seemingly authentic ‘’ domain. However, on further analysis, researchers found that the domain was compromised before being employed in the attack.

The attackers used a clever double-extension file masquerading as a PDF, titled ‘Navigating Future Changes October 2023.pdf.msi’. Once a user downloads and runs this file, it attempts to connect to the DarkGate command-and-control domain ‘hgfdytrywq[.]com’, which Palo Alto Networks has declared a confirmed threat.

Double extension file download. | Source: AT&T
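The two indicators described above, the document-looking name with an executable final extension and the DNS lookup of the C2 domain, are the kind of thing a SOC can check for in download and DNS telemetry. The following is an added example for illustration, not code from AT&T or the article; the log line format and the user names are constructed.

```python
import re

# Final extensions that execute code, and inner extensions that look like documents.
EXECUTABLE_EXTS = {"msi", "exe", "scr", "bat", "cmd", "js", "vbs", "hta", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}

# C2 domain named in the report, written defanged as analysts usually share it.
DARKGATE_C2 = "hgfdytrywq[.]com"

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def is_double_extension_lure(filename: str) -> bool:
    """True when the name ends in <doc-ext>.<exec-ext>, e.g. 'x.pdf.msi'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS

# Constructed sample telemetry (hypothetical key=value format, not real logs).
SAMPLE_EVENTS = [
    "2023-10-12T09:14:03Z user=alice action=file_download name=Navigating Future Changes October 2023.pdf.msi",
    "2023-10-12T09:14:05Z user=bob action=file_download name=Q3 budget.xlsx",
    "2023-10-12T09:14:40Z user=alice action=dns_query qname=hgfdytrywq.com",
    "2023-10-12T09:15:02Z user=carol action=dns_query qname=teams.microsoft.com",
]

def find_indicators(events, c2_domains):
    """Return (user, indicator_type, value) for each event matching a lure or C2 lookup."""
    blocked = {refang(d).lower() for d in c2_domains}
    hits = []
    for line in events:
        user_m = re.search(r"user=(\S+)", line)
        user = user_m.group(1) if user_m else "?"
        name = re.search(r"name=(.+)$", line)   # file name runs to end of line
        qname = re.search(r"qname=(\S+)", line)
        if name and is_double_extension_lure(name.group(1)):
            hits.append((user, "double_extension_download", name.group(1)))
        if qname and qname.group(1).lower() in blocked:
            hits.append((user, "c2_dns_query", qname.group(1)))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EVENTS, [DARKGATE_C2]):
        print(hit)
```

The output lists the affected user alongside each indicator, which is the list the MDR team needed in order to reset passwords and blocklist the file and domain.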

The researchers provided the customer with a list of affected users and facilitated password resets. They blocklisted the malicious file’s hashes and paths, and the DarkGate C2 domain was blocked.

Additionally, researchers advised customers to disable Teams External Access for a while.

This vector is relatively new in the world of cybersecurity. Phishing has traditionally arrived through email, text messages, social media messages and phone calls; now workplace collaboration tools like Teams are exposed to the same attacks. Researchers cautioned Teams users to monitor their communications and not engage with unsolicited messages.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.