Microsoft Teams ransomware threats are on the rise, as the platform (built for collaboration and productivity) has quickly evolved into a new attack vector for both social engineering and malware delivery.
Attackers are using Teams for command-and-control execution.
From ransomware like Matanbuchus to custom red-teaming tools like ConvoC2, Teams are becoming a trusted attack surface and to be honest most organizations aren’t watching it like they do other attack surfaces. This recent campaign is a perfect example of how Microsoft Teams ransomware can be delivered through simple, unsophisticated social engineering techniques.
Attackers Aren’t Breaking In They’re Being Let In
A recent campaign showed how easy it was for attackers to weaponize Microsoft Teams.
The attack was not sophisticated and used basic techniques. Let’s look at how the attack unfolded.
- The attacker initiates a Teams call pretending to be from the internal IT helpdesk
- It’s a Teams call, so the victim accepts the call and trusts the caller
- The Attacker tells the victim that they need to fix an issue and tricks them into running powershell locally on their machine
- The powershell silently downloads and installs Matanbuchus 3.0 a Malware-as-a-Service (MaaS) loader.
- Now that the attacker has full control, they can compromise AD and deploy Ransomware in your environment.
If we look at this attack it is not sophisticated, it did not require a zero-day or even a phishing email, the only thing it required was a conversation between two individuals that took place on a well-trusted platform.
This technique is now dubbed as Conversational C2 where attackers use live interactions to drive malware execution in real time. And it works because Teams is trusted by both users and security tools, making it an ideal channel for Microsoft Teams ransomware deployment.
As I mentioned earlier this is not the only method that is being used in Microsoft Teams, earlier this year a new red-teaming tool “convoC2” developed for Red Teaming Microsoft Teams will allow execution of system commands on compromised hosts. It then infiltrates data into hidden span tags in Microsoft Teams messages and exfiltrates command outputs in Adaptive Cards image URLS, triggering out-of-bound request to c2 Server (“GitHub – cxnturi0n/convoC2: C2 infrastructure over Microsoft Teams.”)
According to GitHub Source
This allows the attacker persistent backdoor access over Teams without traditional C2 beaconing signals that would often be detected by your security tools. In addition, this technique will bypass most SIEM rules as it looks like normal collaboration traffic while giving the attacker real-time access to the victim’s environment.
Teams: Another Pivot Point for Hybrid AD Attacks
I want to be clear this isn’t about Teams once an attacker is in, they move laterally and target Active Directory and Entra ID for privilege escalation. Remember attackers need elevated privileges to deploy Ransomware and conduct cyberextortion and Identity Platforms like AD and Entra ID are goldmine for these privileges.
Let’s take a closer look at some of the avenues that could be exploited during such an attack.
- Elevation of privileges by adding accounts to sensitive groups or roles
- Modification of Conditional Access Policies to weaken MFA or legacy authentications
- Disabling Microsoft Defender via Microsoft Intune
- Planting backdoors in service account or Entra app registrations
- Changing Group Policies that impact user and device security
All from a foothold created via chat or call, exactly how Microsoft Teams ransomware gains its initial access. And without the ability to detect and recover these changes your organization is exposed.
Here is How Cayosoft Guardian Reduces Your Exposure To These Attacks
Cayosoft Guardian provides real-time visibility and recovery across Active Directory, Entra ID, M365 and Microsoft Intune. It allows organizations to quickly see what has changed and instantly roll back unwanted changes. And here is the biggest advantage Cayosoft Guardian does this by using observational change data without the reliance of event logs. Cayosoft Guardian sees what traditional SIEMS don’t detect without the reliance of Windows Events eliminating blind spots from cleared event logs or change audit policy settings.
Key Features of Cayosoft Guardian
- Enterprise Visibility across your Microsoft Hybrid Identity stack, M365 and Intune
- Threat Detection
- The ability to roll back and restore with surgical precision undo exactly what changed without breaking the rest.
- Immutable snapshots of critical configuration states
- Alerting and Auditing for role changes, object deletions, GPO modifications, policy updates and more
- Protection against cascading changes even when the attacker moves quickly and hits multiple platforms at once
Whether the attacker chooses Teams, Powershell, Intune, or a compromised admin, Cayosoft Guardian gives you the timeline, the visibility, and most importantly the ability to recover quickly. As Microsoft Teams ransomware campaigns grow more frequent and evasive, having continuous visibility and fast rollback capabilities is critical to minimizing damage. All without waiting on traditional backups, manual scripts, or fragmented toolsets.
Want to See Cayosoft in Action?
Cayosoft is recognized by Gartner as an ITDR solution provider and provides solutions that make identities more resilient to attacks and guarantee a fast forest recovery, if needed. Learn how Cayosoft Guardian facilitates granular change tracking, post-breach analysis, and long-term AD security improvements. Schedule a demo to see the capabilities in depth.