Microsoft teams and other Windows tools hijacked to hack corporate networks

Trend Micro says hackers use Microsoft teams to approach their victims
Through social engineering, get accredits to remote desktop solutions
This access is then used to give up advanced backdoors

Hackers use advanced social engineering tactics to try to get .Dll Dll defective on the computers of people who, in turn, allow them to give up backdoor malware.

A new report by Cibersacity Researchers Trend Micro claims the new attack begins Microsoft teamsIf the scams use impersonation to approach the victims and deceive to provide a certain set of accreditations. By quick or similar assistance Desktop from a distance Tools, obtain access to devices, where they have failed .DLD files using OneDrivestandaloneupdater.exe, a legitimate OneDrive update tool.

These .dll files then allow them to give up backconnect, a type of remote access tool (RAT) that sets a reverse connection from an infected device to the server of an attacker, bypassing the Firewall restrictions. This allows attackers to maintain persistent access, execute orders and exfiltrate data while evading traditional security measures.

Commercial cloud solutions

Backconnect is apparently hosted and distributed, using cloud storage tools.

Trend Micro says that the attacks started in October 2024 and focused especially on North America, where he noticed 21 violations – 17 in the US, five in Canada and the United Kingdom and 18 in Europe. The researchers did not say whether the attacks were successful or what the industries aimed at the most.

As most of the tools used in this campaign are legitimate (teams, oneDrivestandaloneupdater, fast assistance), traditional VIRUS or malware protection services will not be sufficient. Instead, businesses must educate their employees to observe social engineering attacks and report them in a timely manner. Enterprises could also apply the use of multi-factors (MFA) and limit access to distance desktop tools.

Finally, they should audition storage in the cloud Configurations to prevent unauthorized access and network traffic monitoring for suspicious connections, especially those that are addressed to known C2 servers.

By Infosecurity magazine