What are Threats to Microsoft Word and Microsoft Teams?
Recently, cyberattackers have infiltrated two different Microsoft products: Microsoft Word and Microsoft Teams.
Malware-Infested Word Documents
A novel strain of malware named SVCReady has been spread through phishing attacks, with most infections occurring among computers that lack antivirus software. The infection begins with a phishing email that carries a malicious .doc file attachment. The malware was first discovered by HP researchers and is delivered by way of shellcode (a small piece of code used as the payload in the exploitation of a software vulnerability). This method of hiding malware is difficult for security software to detect, as it is generally not equipped to detect these types of infections.¹ SVCReady can exfiltrate information about a system’s endpoint software and device firmware.
Functions supported by SVCReady²:
- Download a file to the infected client
- Take a screenshot
- Run a shell command
- Check if it is running in a virtual machine
- Collect system information (a short and a “normal” version)
- Check the USB status, i.e., the number of devices plugged-in
- Establish persistence through a scheduled task
- Run a file
- Run a file using RunPeNative in memory
- Fetch additional payloads
Microsoft Teams Trojans
Cyberattackers have targeted Microsoft Teams users by planting malicious documents in chat threads; these documents execute Trojans that can ultimately take over end-user machines.³ The recent Microsoft Teams attacks began with the cyberattacker acquiring employee email login credentials, possibly through phishing campaigns, access brokers, or social engineering techniques. Once the cyberattacker has obtained valid credentials, they log into the company's Teams platform and drop executable (.exe) files named “UserCentric.exe” into Teams conversations. Once clicked, the malicious file, generally a trojan, writes data to the Windows registry, installs DLL files, and then creates shortcut links allowing the program to self-administer and take control of the computers.
To protect yourself from Microsoft Word and Microsoft Teams attacks:
- Train staff members on cybersecurity threats and cyber hygiene, including risks on communication and sharing platforms
- Enable two-factor authentication
- Implement additional security for files dropped into SharePoint folders related to Teams
- Apply additional security for links copied on Teams
- Never open attachments from unrecognized email addresses
- Install antivirus software that has the capacity to scan emails and pre-empt files before they are downloaded
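One way to act on the file-screening items above, as an added example that is not from the cited reports or from any Microsoft tooling: a Python check that flags files shared in chat when the name, the extension, or the first bytes of the content indicate a Windows executable. The event schema (file_name, first_bytes_hex), the extension list beyond .exe and .dll, and the sample log lines are assumptions constructed for illustration.

```python
import json
import os

REPORTED_NAMES = {"usercentric.exe"}                # file name reported in the article
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".msi"}  # assumed block list
MZ_MAGIC = b"MZ"                                    # first two bytes of a Windows PE file

def reasons_for(event):
    """Return the reasons a shared-file event looks like a dropped executable."""
    name = str(event.get("file_name", "")).strip().lower()
    reasons = []
    if name in REPORTED_NAMES:
        reasons.append("reported-name")
    if os.path.splitext(name)[1] in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
    try:
        head = bytes.fromhex(event.get("first_bytes_hex", ""))
    except (ValueError, TypeError):
        head = b""  # missing or malformed content sample: rely on the name checks
    if head.startswith(MZ_MAGIC):
        reasons.append("pe-header")  # catches executables renamed to look harmless
    return reasons

def scan(lines):
    """Return (line_number, file_name, reasons) for each suspicious or bad line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("event is not a JSON object")
        except ValueError:
            findings.append((number, None, ["unparseable"]))
            continue
        reasons = reasons_for(event)
        if reasons:
            findings.append((number, event.get("file_name"), reasons))
    return findings

# Constructed sample events (hypothetical schema, not a real Teams or SharePoint log).
SAMPLE_LOG = [
    '{"chat": "Finance", "file_name": "Q2-budget.xlsx", "first_bytes_hex": "504b0304"}',
    '{"chat": "Finance", "file_name": "UserCentric.exe", "first_bytes_hex": "4d5a9000"}',
    '{"chat": "Finance", "file_name": "invoice.pdf", "first_bytes_hex": "4d5a9000"}',
    "not json",
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The third sample line shows why the content check matters: a file named invoice.pdf that starts with the MZ header is flagged even though its name and extension look harmless.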
1 Drapkin, 2022, “Malware-Infested Word Documents Are Arriving in Email Inboxes”
2 Toulas, 2022, “New SVCReady malware loads from Word doc properties”
3 Montalbano, 2022, “Microsoft Teams Targeted with Takeover Trojans”