After employees turned to remote working tools during the COVID-19 pandemic, cybercriminals looked for ways to exploit these apps.

Cybercriminals have targeted users of collaboration software Slack with phishing attacks, and mischief-makers have shown up uninvited to Zoom meetings. Now, attackers are targeting popular collaboration tool Microsoft Teams, according to cybersecurity firm Avanan.

Avanan researchers observed cybercriminals dropping malicious files into Teams conversations beginning in January, with “thousands” of attacks per month, the company said in a blog post.

The attackers hack into Teams by spoofing a user, compromising a partner organization, or gaining access to the targeted company through an email-based attack, Avanan said. The file they share in a Teams chat includes malicious software that can take over a victim’s computer.

“By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users,” Avanan wrote. “Given that hackers are quite adept at compromising Microsoft 365 accounts using traditional email phishing methods, they’ve learned that the same credentials work for Teams.”

The Teams threat is a serious one and an attractive attack vector, given that cybercriminals can gain access to Microsoft credentials in email-based attacks, cybersecurity experts said.

These attacks are a “new spin on old vectors,” said Keatron Evans, a principal security researcher at the Infosec Institute, a cybersecurity training organization. “The problem is that Microsoft Teams and other meeting platforms have become so widely used due to COVID that it’s easier to slip something under the radar via a Teams chat session.”

Teams users should be wary of clicking on links in chats, and organizations should use updated endpoint detection tools, Evans recommended.

“If the victim does not have sufficient endpoint protection, it is a very easy attack to pull off,” he told the Washington Examiner. “Even with decent endpoint protection, most users would provide the needed interaction to cause the malicious file to be allowed to run and infect the machines.”

While many employees are trained to be suspicious of emails and external links, many aren’t as wary of links in collaboration tools like Teams or Slack, added Chuck Everette, director of cybersecurity advocacy at Deep Instinct, a cybersecurity provider.

These tools are “not thought of as an attack surface that most end-users would even think about,” he told the Washington Examiner.

Meanwhile, these attacks are fertile ground for attackers, he added. “It is very simple and easy to impersonate someone else within the company’s organization or externally,” he said. “These types of attacks literally are wide open and have very little in the way of security monitoring or controls in place today.”

On some collaboration tools, certain administrative features can be turned on to bump up security, “but they are clunky and can also be disruptive,” Everette added. “Blocking and preventing only certain file types or access within Teams or Slack is either not available, or disabling it turns off other common functions and features that most companies readily use today.”

Phishing attacks as a way to gain access to user credentials is growing, added Hank Schless, senior manager of security solutions at cloud security vendor Lookout. And the Teams malware appears to give the attacker complete access to the targeted computer.

“This combination could enable an attacker to access any data that the user and device have access to,” he told the Washington Examiner. “Once they’re inside the infrastructure, the attacker can move laterally and start to find out where the crown jewels are hidden. From there, they can encrypt that data to execute a ransomware attack or exfiltrate it for sale on the dark web.”