
Malware found in Microsoft Teams

Researchers have reported a new phishing campaign targeting Microsoft Teams, in which messages carry malicious attachments that lead to the DarkGate loader malware being downloaded.

The malware, used since 2017, was identified in August after MS Teams users reported suspicious phishing messages sent by external accounts. The messages were HR-related (pertaining to annual leave changes) and coaxed users to open a ZIP file to check the “changes”.

The ZIP file is hosted on a SharePoint domain and contains an .LNK file masquerading as a PDF document.

After analysis, researchers found that the file contained malicious VBScript which would start the infection chain resulting in the DarkGate malware payload being deployed.
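A mail or file gateway can check for this kind of lure before a user opens the archive. The sketch below is an added example, not code from the original post or from the researchers: it flags shortcut files inside a ZIP both by name and by the Shell Link file header. The file names, the list of document extensions and the double-extension naming are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}  # assumed list


def find_disguised_shortcuts(zip_bytes):
    """Return (member_name, reason) for shortcut files inside a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            try:
                with archive.open(info) as member:
                    header = member.read(len(LNK_MAGIC))  # header bytes only
            except RuntimeError:  # password-protected member: name check only
                header = b""
            is_lnk_content = header == LNK_MAGIC
            is_lnk_name = bool(suffixes) and suffixes[-1] == ".lnk"
            if is_lnk_name and len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
                findings.append((info.filename, "document name with .lnk extension"))
            elif is_lnk_content and not is_lnk_name:
                findings.append((info.filename, "shell link content under another extension"))
            elif is_lnk_name or is_lnk_content:
                findings.append((info.filename, "shortcut file in archive"))
    return findings


def build_sample_zip():
    """Constructed sample: header bytes plus padding, not a working shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("annual_leave_changes.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        archive.writestr("policy.pdf", b"%PDF-1.7\n")
        archive.writestr("notes.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_disguised_shortcuts(build_sample_zip()):
        print(f"{name}: {reason}")
```

Windows Explorer does not display the `.lnk` extension, so a member named `annual_leave_changes.pdf.lnk` appears to the user as `annual_leave_changes.pdf`, which is why the check looks at the real extension and the file header rather than the displayed name.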

The malware was initially used only by its developer but has recently been seen for rent online. The author has been seen selling access to the malware to a limit of ten people, with prices of $1000 for one day, $15,000 for a month, or $100,000 for a year’s subscription.

The malware supports a number of activities including crypto mining, keylogging, information stealing and remote access.

The recent increase in activity related to this malware may be due to the uptake of affiliates buying access to it.

Phishing within Microsoft Teams, however, is not new. Researchers from JumpSec, a cyber security consulting company, reported a bug within Teams which allows malware to bypass security controls.

Phishing remains a primary attack vector for threat actors, with over 3 billion malicious emails sent every day.

Combined with this, malware loaders are becoming increasingly common. Users of Teams should exercise caution with unexpected or unusual messages and pay close attention to the senders and content before interacting with links or attachments.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
