1 min read

If your organisation isn't following a security control framework, this is why I believe it should...

With the cost of data breaches at an all-time high and regulators imposing steeper penalties for compliance failures, organisations that aren't implementing necessary security controls are sitting ducks.

š—›š—²š—æš—² š—¶š˜€ š—®š—» š—²š˜…š—®š—ŗš—½š—¹š—²...
DarkGate is using phishing campaigns that distributes malware through Microsoft Teams messages to there victims. Using compromised external Office 365 accounts, phishing messages are sent through Microsoft Teams to various organisations.

Note: As of December 2021, the default for Teams external communication is set to 'People in my organization can communicate with Teams users whose accounts aren't managed by an organization.'

The Teams user is deceived into downloading a .ZIP file: clicking the attachment starts a download from a SharePoint URL. The archive contains an .LNK file disguised as a .PDF document, and opening it runs a malicious VBScript that triggers a chain of actions ending in the installation of the DarkGate Loader.

To avoid detection, the download chain uses the curl binary that ships with Windows to retrieve the malware's executables and script files. The existing protections in Microsoft Teams, such as Safe Attachments and Safe Links, did not identify or prevent this attack.

If organisations aligned with the CIS Microsoft 365 Foundations Benchmark v3.0.0, this exact scenario would be greatly mitigated by CIS control
8.2.1 Ensure 'external access' is restricted in the Teams admin center
Restricting 'external access' to an allow list of vetted external domains means chat requests are only accepted from those particular domains. A compromised tenant that is not on the list cannot message your users at all, so the phishing message never arrives.
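As an added example (not part of the original post, and not the CIS Benchmark's own remediation script), the following Teams PowerShell shows what the weak configuration looks like when audited and how to replace it with the allow-listed configuration that control 8.2.1 asks for. It assumes the MicrosoftTeams PowerShell module is installed, that the account used holds the Teams Administrator role, and that the two partner domains are placeholders to be replaced with your own vetted list.

```powershell
# Added example, not from the original post: audit and harden Teams external
# access in line with CIS Microsoft 365 Foundations Benchmark v3.0.0 control 8.2.1.
# Assumptions: MicrosoftTeams module installed; Teams Administrator rights;
# 'partner-one.example' / 'partner-two.example' are placeholder domain names.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit the current federation settings.
#    The weak state that lets any external tenant (including a compromised one)
#    message your users typically reads:
#      AllowFederatedUsers : True
#      AllowedDomains      : AllowAllKnownDomains
#      AllowTeamsConsumer  : True   (unmanaged Teams accounts can reach you)
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# 2. Hardened state: federation stays on, but only for an explicit allow list
#    of vetted partner domains. New-CsEdgeAllowList replaces the whole list, so
#    anything not named here (e.g. a compromised tenant) is blocked.
$vettedDomains = @('partner-one.example', 'partner-two.example')   # placeholders

$patterns  = $vettedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 3. Re-read the configuration and confirm only the vetted domains remain.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Disabling AllowTeamsConsumer and AllowTeamsConsumerInbound also closes the 'accounts that aren't managed by an organization' path noted above, which the allow list alone does not cover. Run the audit step again after the change and keep its output as evidence for the control.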

I believe the vetting process is worth the extra effort/resources to protect your organisation.

As the saying goes "Convenience is the enemy of security" or something along those lines...