
Tools from Windows, including Microsoft Teams, used to compromise corporate networks.
Hackers are exploiting legitimate Windows tools to carry out malicious attacks.
Cybersecurity researchers have warned of a new method in which hackers use Microsoft Teams as the initial platform for approaching their targets. The criminals employ advanced social engineering tactics to obtain credentials that enable them to access remote desktop tools like Quick Assist. With these credentials they gain access to the victims' devices and then sideload malicious .DLL files through OneDriveStandaloneUpdater.exe, a legitimate OneDrive update tool.
The malicious .DLL files install BackConnect, a type of remote access tool (RAT) that opens a reverse connection from the affected device to a server controlled by the attackers, bypassing inbound firewall restrictions. This gives the hackers persistent access and lets them execute commands and exfiltrate data while evading traditional security controls.
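One way a defender can surface the sideloading step described above is to check image-load telemetry for DLLs that OneDriveStandaloneUpdater.exe pulls from outside its expected directories or that lack a Microsoft signature. This is an added example, not code from the article or from any vendor; the events are constructed Sysmon-style (Event ID 7) records, the file name `helper.dll` is a placeholder, and the trusted directory list is an assumed baseline.

```python
"""Flag DLL sideloading into OneDriveStandaloneUpdater.exe from image-load events."""
import ntpath
from typing import Optional

UPDATER = "onedrivestandaloneupdater.exe"

# Assumed baseline: where the genuine updater is expected to load DLLs from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
ONEDRIVE_APPDATA = "\\appdata\\local\\microsoft\\onedrive\\"  # per-user install folder

def loaded_from_trusted_dir(dll_path: str) -> bool:
    """True if the DLL's folder is a system directory or the OneDrive install folder."""
    folder = ntpath.dirname(dll_path.lower()) + "\\"
    return folder.startswith(SYSTEM_DIRS) or ONEDRIVE_APPDATA in folder

def is_microsoft_signed(event: dict) -> bool:
    """Sysmon reports Signed/Signature for loaded images; require a Microsoft signer."""
    return event.get("Signed") == "true" and event.get("Signature", "").lower().startswith("microsoft")

def detect_sideload(event: dict) -> Optional[str]:
    """Return the reasons an image-load event looks like sideloading, or None if benign."""
    if ntpath.basename(event["Image"]).lower() != UPDATER:
        return None  # only the OneDrive updater is in scope for this rule
    dll = event["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return None
    reasons = []
    if not loaded_from_trusted_dir(dll):
        reasons.append("DLL loaded from untrusted directory")
    if not is_microsoft_signed(event):
        reasons.append("DLL not Microsoft-signed")
    return "; ".join(reasons) or None

def scan(events):
    """Run the rule over a list of events and return (dll_path, reason) alerts."""
    return [(e["ImageLoaded"], r) for e in events if (r := detect_sideload(e))]

# Constructed sample telemetry: a benign system DLL load, a sideload from a
# user-writable folder, and an unrelated process that must not alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\wininet.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\update\helper.dll", "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\update\helper.dll", "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for dll, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {dll}: {reason}")
```

In a real deployment the same rule can be expressed as a SIEM query over Sysmon Event ID 7, with the trusted-directory baseline tuned to where OneDrive is installed in the environment.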
According to an analysis by a group of specialists, the attacks began in October 2024 and predominantly targeted North America, where 21 incidents have been reported: 17 in the United States, five in Canada and the UK, and 18 in Europe. It was not specified whether the attacks were successful or which sectors were most affected.
Because many of the tools involved, such as Teams and OneDrive, are legitimate, conventional antivirus solutions may not be enough to stop these threats. It is therefore crucial that companies train their employees to recognize and report social engineering attempts. Implementing multi-factor authentication (MFA) and restricting access to remote desktop tools is also recommended.
Finally, companies should audit their cloud storage configurations to prevent unauthorized access and monitor network traffic for suspicious connections, especially those directed at known malicious command-and-control servers.