Microsoft has sent out a cybersecurity alert about a threat actor using Microsoft Teams chats to spread malware. The threat actor has been identified as Storm-0324, and Microsoft says this group has been active since 2016.
In a blog post, Microsoft stated that in July 2023, “Storm-0324 was observed distributing payloads using an open source tool to send phishing lures through Microsoft Teams chats.” The blog added that the group has mainly distributed the JSSLoader malware since 2019. This malware can be used by another threat actor group, known as Sangria Tempest, to place ransomware files on a computer.
Storm-0324's delivery chain begins with phishing emails that refer to invoices or payments and contain a link to a SharePoint site hosting a ZIP archive. Microsoft says it “continues to work across all of its platforms to detect abuse, remove malicious activity, and implement new proactive defenses to deter malicious actors from using our services.”
Microsoft adds that these emails can look like real documents from companies such as DocuSign, QuickBooks and others. In some cases, the files also require the victim to enter a security code or password, which makes these fake documents look more realistic.
Microsoft says it has taken a number of steps to prevent such malware from spreading in Teams chats. This includes suspending accounts that have been confirmed to have engaged in fraudulent activity.
It also added improvements to the accept/block experience in one-on-one Teams chats. The company also imposed new restrictions on “in-tenant domain creation and improved notifications to tenant administrators when new domains are created within their tenant.”
Microsoft also lists several preventative measures that companies using Teams chats can take against this new phishing attack. These include only allowing known devices to connect to Teams, educating employees about phishing and malware attacks, and checking for suspicious login activity.