Microsoft has been doing a lot this year to make Microsoft Teams stand out from the workplace collaboration/communication crowd. Despite several security improvements, the popular service is still a target for attacks. That makes sense considering how popular Teams is and that it integrates with Office 365 and wider systems.

Microsoft researchers say threat actors are leveraging fake ads for Microsoft Teams to deploy backdoor attacks on victim machines. It seems the attacks are based on the Cobalt Strike to enter networks and install malware.

It is worth noting there is no direct issue within Microsoft Teams. Rather, attackers are using Teams to create legitimacy for their attack. Microsoft says customers should be aware of “FakeUpdates” campaigns.

Bleeping Computer found a security advisory by the company that warns customers. This advisory has not been made public by Microsoft. Instead, it is being sent privately to Teams customers.

FakeUpdates attacks work in a similar way to other phishing campaigns. Attackers target users by sending them something that looks legitimate, in this case a call to update Microsoft Teams. Unwitting victims will engage with the message and malware is installed on their system.


The report suggests threat actors are targeting K12 education organizations. Since the COVID-19 pandemic, these organizations have become heavily reliant on services like Microsoft Teams.

As noted, the attacks use the Cobalt Strike, which is a commodity attack-simulation that spreads malware. It is best known for ransomware attacks and has also been used to exploit the Zerologon vulnerability we have been tracking in recent months.

Organizations also can limit their attack surface to keep attackers at bay by blocking executable files that do not meet specific criteria or blocking JavaScript and VBScript code from downloading executable content, Microsoft advised.