Microsoft has disabled a significant software tool to prevent malware attacks, while Teams is also being exploited for malware phishing.
The tech giant has disabled the ms-appinstaller protocol handler by default after finding evidence that attackers were exploiting it to distribute malware. Microsoft states that these attackers likely chose the ms-appinstaller protocol handler as a vector because it bypasses mechanisms built to safeguard users against malware, including Microsoft Defender SmartScreen and the native browser warnings shown when downloading executable file formats.
In a blog written by Microsoft Threat Intelligence, the company noted:
“In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default. The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution.”
Microsoft also observed hackers selling malware kits on the dark web that utilised the MSIX file format and the ms-appinstaller protocol handler.
Microsoft said that the hackers were designing “malicious” adverts for “legitimate and popular software” to send possible victims towards websites the bad actors control before manipulating them into downloading the malware packages.
Microsoft added that Teams is also being used as another distribution vector for phishing.
Microsoft name-checked four threat actors that have exploited the App Installer program to date — Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.
Last month, Microsoft observed instances where the last of these, Storm-1674, delivered fake landing pages via messages sent through Teams. The landing pages imitate Microsoft services such as OneDrive and SharePoint. “Tenants created by the threat actor are leveraged to create meetings and send chat messages to potential victims using the meeting’s chat functionality,” Microsoft explained.
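Because the lure in both the malicious adverts and the Teams messages is a link that invokes the handler, a defender triaging a captured landing page or chat export can flag ms-appinstaller: URIs and check where they would fetch the MSIX package from. The following is an added example, not code from the article or from Microsoft; the URI shape (ms-appinstaller:?source=<package URL>), the allow-listed host and the sample text are assumptions constructed for the demonstration.

```python
"""Flag ms-appinstaller: links in captured text and report the package host.
Added example; the allow-list and sample input are constructed, not from the article."""
import re
from urllib.parse import parse_qs, urlsplit

# An ms-appinstaller URI runs until whitespace, a quote or an angle bracket.
APPINSTALLER_RE = re.compile(r"ms-appinstaller:[^\s\"'<>]+", re.IGNORECASE)

# Hosts from which MSIX installs are expected in this (assumed) environment.
ALLOWED_HOSTS = {"apps.example-corp.internal"}


def extract_source(uri):
    """Return the package URL named by source=, or None if the URI has none."""
    query = uri.split("?", 1)[1] if "?" in uri else ""
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes values
    sources = params.get("source")
    return sources[0] if sources else None


def assess(text):
    """Return a list of (uri, package_host, verdict) for every handler link found."""
    findings = []
    for match in APPINSTALLER_RE.finditer(text):
        uri = match.group(0)
        source = extract_source(uri)
        if source is None:
            findings.append((uri, None, "malformed"))
            continue
        host = urlsplit(source).hostname or ""
        verdict = "allowed" if host in ALLOWED_HOSTS else "suspicious"
        findings.append((uri, host, verdict))
    return findings


# Constructed sample: one link from an internal page, one from a chat message.
SAMPLE = """
<a href="ms-appinstaller:?source=https://apps.example-corp.internal/tool.msix">Install</a>
Download here: ms-appinstaller:?source=https%3A%2F%2Fcdn.example.net%2Fupdate.msix
"""

if __name__ == "__main__":
    for uri, host, verdict in assess(SAMPLE):
        print(f"{verdict:10} {host}  {uri}")
```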
A Challenging Year for Microsoft and Malware
Microsoft experienced several significant cybersecurity attacks last year, including notable assaults on one of its classic communications platforms, Skype.
In October, compromised Skype accounts were reportedly being used to spread the DarkGate malware, while Microsoft Teams was also targeted.
As first reported by Trend Micro, multiple Skype business accounts were compromised and then used to distribute a VBA loader script attachment. It was uncertain how the Skype accounts became compromised, but Trend Micro suggested that it was “either through leaked credentials available through underground forums or the previous compromise of the parent organisation”.
Access to the victim’s Skype account meant the attacker could hijack an existing messaging thread and name the attached files to match the context of the chat history.
The attackers altered the script file’s name so that it appeared to be a PDF rather than a VBS. If a victim downloaded and ran the script, it fetched a second-stage AutoIT payload, which carried the DarkGate malware.
The bad actors also attempted to compromise the Teams accounts of organisations whose Teams configurations allowed messages to arrive from external users.
Microsoft Leveraging Copilot AI for Security Teams
To tackle the next generation of cyber threats, Microsoft intends to hone the next generation of cybersecurity with help from AI.
One of its most eye-catching solutions in this regard is Microsoft Security Copilot, the tech giant’s AI assistant for security teams, which is now available in early access for qualified customers.
First announced in March 2023 as part of the general reveal of Microsoft’s AI-powered productivity tool, Copilot, Security Copilot is a generative AI security offering empowering businesses’ protection with machine speed and scale.
The Early Access Programme encompasses new capabilities, such as a Security Copilot experience residing within Microsoft’s extended detection and response (XDR) platform, Microsoft 365 Defender. This embedded service informs analysts with actionable insights and recommendations via a unified interface. Microsoft Defender Threat Intelligence is also included with Security Copilot for no added cost.
“Security Copilot is an AI assistant for security teams that builds on the latest in large language models and harnesses Microsoft’s security expertise and global threat intelligence to help security teams outpace their adversaries,” wrote Vasu Jakkal, Corporate Vice President of Security, Compliance, Identity, and Management at Microsoft in an accompanying blog.
Furthermore, organisations collaborating with Managed Security Service Providers (MSSPs) and in the Early Access Programme can extend access to their Security Copilot environment. This enables MSSPs to collaborate with these organisations using Security Copilot.