Hackers Abuse Microsoft Teams’ Vulnerabilities

Published On : 2020-12-24

Microsoft Teams could be targeted by suspected threat actors, who have been observed manipulating and leveraging Microsoft services to gain access to organizations’ networks and to exfiltrate the sensitive information stored in them.

In the past, Microsoft Teams has been targeted by ransomware operators as it is considered one of the treasure troves of data for organizations that rely on Microsoft services.

The campaign is potentially targeting various organizations that are similar to yours, where organizations are currently dependent on using apps like Microsoft Teams for video conferencing due to COVID-19 restrictions. Attackers are looking for new and sophisticated techniques each time to target organizations and achieve their malicious objectives.

Methods Used by Attackers:

  1. Ransomware Attacks
  2. Abusing Legitimate Services
  3. Vulnerabilities and Exploits
  4. Malware Implants


The primary motive of the attackers appears to be:

  1. Exfiltrating Sensitive Information
  2. Financial Gains
  3. Corporate Espionage


  1. Attackers could access private chats, files & folders, internal networks, and confidential information.
  2. The XSS flaw further helps to steal SSO authorization tokens for Microsoft Teams or its other services such as Skype, Outlook, and O365.
  3. This issue is ‘wormable’ as the researchers mentioned. It is possible to repost the exploit payload to any other organizations, channels, or users without any interaction.
  4. Possible phishing attacks by redirecting to the attacker’s site.


Analysis of captured hackers’ footprints and correlation with external threat vectors indicate that this is a potential threat, and your organization is advised to take precautionary measures as highlighted in this report.


Microsoft Teams has been abused by attackers for some time. CYFIRMA researchers observed ransomware operators such as DoppelPaymer and Wasted Locker targeting Microsoft Teams to exfiltrate sensitive information in the past.

CYFIRMA also suspects that the Chinese State-sponsored Threat Actor – MISSION2025 is potentially leveraging its toolsets, such as Cobalt Strike and njRAT, to target Microsoft with the intent to exfiltrate sensitive information. The threat actor has been observed leveraging legitimate services such as Microsoft O365 to target organizations and download its payload.

Chinese Threat Actor – MISSION2025 could potentially be carrying out such attacks against organizations as part of the Chinese government’s VISION2025/Made in China 2025 Campaign.

VISION2025/Made in China 2025 Campaign is intended to establish China as a leader of innovation and manufacturing. The campaign has been active for the past 2 years in carrying out corporate espionage such as stealing IP, Copyright, and Trade Secrets for local Chinese companies. Over the last 9 months, the campaign has been very active against multiple industries and organizations. In fact, 13 distinct sub-campaigns were observed against various industries.

CYFIRMA suspects that there could be a potential collaboration between Chinese Threat Actor – MISSION2025 and Ransomware Operators under the new Ransomware-as-a-Service (RaaS) business model which could be beneficial for both parties.


Threat actors are looking for various sophisticated ways to steal information from their targets. The successful exploitation of the flaws in Microsoft Teams could potentially give access to private keys and personal data outside Microsoft Teams. This can possibly leak internal network information, allowing adversaries to set up potential phishing attacks and to deliver payloads for possible backdoor entry, or additional payloads which include ransomware.

Ransomware operators have been improving their techniques with the intent to intimidate victims and force them to pay the ransom. While ransomware was at the onset primarily developed to encrypt data, it was later enhanced to a three-way approach: Infiltrate into the network, Exfiltrate and Encrypt Data, Demand Ransom and Name & Shame.

For details on technical analysis, YARA rules and more, write to [email protected]

