Microsoft Teams Meeting Invitation Delivers ScreenConnect Malware via Cloudflare Workers
Attack Overview
Step 1: Fake Microsoft Teams Meeting Invitation
The attacker sends phishing emails styled as Microsoft Teams meeting invitations that appear to come from colleagues or business contacts.

- Email subject line "TEAMS MEETING INVITE" with the sender shown only as "Darren", a bare first name chosen to suggest an existing colleague.
- Message states "DARREN INVITED YOU TO A TEAMS REMOTE MEETING" and instructs the recipient to view the invitation within 30 days, adding a deadline to prompt action.
- Email includes Microsoft Teams branding and copyright notice for legitimacy.
Step 2: Cloudflare Workers Platform Hosts Malicious Application
The phishing link directs targets to a malicious application deployed on Cloudflare Workers' trusted cloud platform.

- Link points to wallacedoors-red-rsomy100.workers[.]dev, leveraging Cloudflare Workers' legitimate infrastructure.
- Landing page displays Teams interface with message "Sorry, You do not have the latest version of Teams App installed."
- Page offers "Continue on this browser" and "Join on the Teams app" options to appear legitimate while pushing malware installation.
Step 3: ScreenConnect RAT Delivery Through Fake Update
The attack uses a fake Teams app update prompt to deliver the ScreenConnect remote access tool as its payload.

- Page prompts the user to download "MicrosoftTeams.ClientSetup.exe" under the guise of a required Teams application update.
- The chain mirrors the Teams update flow users encounter regularly, so the download request reads as routine rather than suspicious.
- ScreenConnect, a legitimate remote support tool, is the payload; once installed it gives the attacker interactive remote control of the system and access to its data.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- The phishing page is served from a workers.dev subdomain on Cloudflare Workers, under Cloudflare's own TLS certificate; reputation-based security gateways and email filters typically allow the parent domain and do not block it.
- Attack mimics the exact look and feel of legitimate Microsoft Teams meeting invitations and app update processes users encounter regularly.
- ScreenConnect is a legitimate remote access tool, so endpoint and network controls may treat it as authorized business software rather than malware, making detection more challenging.
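The chain in Steps 1 to 3 and the evasion points above share one weakness a defender can check without relying on domain reputation: the mail talks about Microsoft Teams but links to a host Microsoft does not control, and the "installer" is an .exe served from that same off-brand host. The following script is an added example written for this page, not Abnormal Security's detection logic and not code from the campaign. The sample message and download record are constructed; only the workers.dev host and the installer filename are taken from the page, and the short Microsoft domain allow-list is an assumption standing in for a maintained list.

```python
# Added example (not Abnormal Security's detection logic, not code from the
# page): rule-based triage of the Teams-invite -> workers.dev -> fake
# installer chain. It flags a message that mentions Microsoft Teams but links
# somewhere Microsoft does not control, any link on a free developer-hosting
# domain such as workers.dev, and an .exe named like a Teams installer that
# is fetched from an off-brand host.
import re
from urllib.parse import urlparse

# Assumption: a small allow-list is enough for triage. A production rule would
# use a maintained list of Microsoft-owned domains.
MICROSOFT_HOSTS = ("microsoft.com", "office.com", "office.net",
                   "live.com", "microsoftonline.com")
# Platforms where anyone can publish under a trusted, widely allowed parent domain.
FREE_HOSTING_SUFFIXES = ("workers.dev", "pages.dev")

TEAMS_WORDS = re.compile(r"\bteams\b|\bmicrosoft\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of it.

    The leading dot matters: 'evil-microsoft.com' must not match 'microsoft.com'.
    """
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_email(subject, body):
    """Return (rule, detail) findings for one message; an empty list means clean."""
    findings = []
    text = subject + "\n" + body
    claims_teams = bool(TEAMS_WORDS.search(text))
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if claims_teams and not host_matches(host, MICROSOFT_HOSTS):
            findings.append(("brand_host_mismatch", host))
        if host_matches(host, FREE_HOSTING_SUFFIXES):
            findings.append(("free_hosting_link", host))
    return findings


def triage_download(url, filename):
    """Flag an executable named like a Teams installer but served from an off-brand host."""
    host = (urlparse(url).hostname or "").lower()
    name = filename.lower()
    if name.endswith(".exe") and "teams" in name and not host_matches(host, MICROSOFT_HOSTS):
        return ("impersonated_installer", f"{filename} from {host}")
    return None


# Constructed sample reproducing the lure described on this page.
SAMPLE_SUBJECT = "TEAMS MEETING INVITE"
SAMPLE_BODY = (
    "DARREN INVITED YOU TO A TEAMS REMOTE MEETING\n"
    "View the invitation within 30 days: "
    "https://wallacedoors-red-rsomy100.workers.dev/invite\n"
)
# Constructed proxy record: the installer name and host reported on this page.
SAMPLE_DOWNLOAD = (
    "https://wallacedoors-red-rsomy100.workers.dev/MicrosoftTeams.ClientSetup.exe",
    "MicrosoftTeams.ClientSetup.exe",
)

if __name__ == "__main__":
    for rule, detail in triage_email(SAMPLE_SUBJECT, SAMPLE_BODY):
        print(f"email: {rule}: {detail}")
    hit = triage_download(*SAMPLE_DOWNLOAD)
    if hit:
        print(f"download: {hit[0]}: {hit[1]}")
```

The two rules are deliberately independent of URL reputation: a genuine Teams invite links to a Microsoft-owned host, so any Teams-themed message whose links do not is suspicious regardless of how trusted the hosting platform is, and the same host check applied to the proxy log catches the installer download even when the email itself was never seen.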
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Behavioral AI flagging never-before-seen senders, unusual email content, and unfamiliar URLs as anomalies, which enables detection of novel attacks without a prior signature.
- Detection of off-pattern workflows and suspicious software prompts that don't align with normal business activity patterns.
- Natural language processing identifying impersonation attempts and urgent prompts despite legitimate-appearing interface.
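To make the three indicators above concrete, here is an added example of a baseline-versus-message scorer; it is written for this page and is not Abnormal Security's model or any code from the campaign. It builds a baseline of known sender addresses, the display names attached to them, and the link domains the organisation has previously received, then scores a new message on four independent anomalies: a never-seen sender address, a display name that collides with a known contact at a different address (the bare "Darren" against an existing "Darren Lee"), a first-seen link domain, and wording that pushes a software install. Every message record, address and domain in it is constructed except the workers.dev host from the page, and the hold threshold of three anomalies is an assumption.

```python
# Added example (not Abnormal Security's model, not code from the page): a
# baseline-versus-message scorer for the indicators listed above. A real
# deployment would build the baseline from mail logs; here the history is
# constructed inline.
import re
from collections import defaultdict

# Constructed history of messages the organisation has legitimately received.
HISTORY = [
    {"from_name": "Darren Lee", "from_addr": "darren.lee@example-corp.com",
     "link_hosts": ["teams.microsoft.com"], "body": "Thursday sync moved to 3pm."},
    {"from_name": "Darren Lee", "from_addr": "darren.lee@example-corp.com",
     "link_hosts": [], "body": "Notes from today are in the shared folder."},
    {"from_name": "Priya Shah", "from_addr": "priya@example-partner.com",
     "link_hosts": ["example-partner.com"], "body": "Draft contract attached."},
]

# Wording that asks the reader to install or update software, or names an .exe.
INSTALL_PROMPT = re.compile(
    r"(latest version|install|update).{0,60}(app|client|setup)|\.exe\b", re.I)

HOLD_THRESHOLD = 3  # assumption: three independent anomalies is enough to hold a message


def norm_name(name):
    """Compare on first name so the bare 'Darren' collides with 'Darren Lee'."""
    return name.strip().split()[0].lower()


def build_baseline(history):
    """Collect known sender addresses, the addresses behind each name, and known link hosts."""
    baseline = {"addrs": set(), "addrs_by_name": defaultdict(set), "hosts": set()}
    for m in history:
        addr = m["from_addr"].lower()
        baseline["addrs"].add(addr)
        baseline["addrs_by_name"][norm_name(m["from_name"])].add(addr)
        baseline["hosts"].update(h.lower() for h in m["link_hosts"])
    return baseline


def score_message(msg, baseline):
    """Return (score, reasons); each reason is one independent anomaly."""
    reasons = []
    addr = msg["from_addr"].lower()
    if addr not in baseline["addrs"]:
        reasons.append("never_seen_sender")
        # A known name arriving from an unknown address is display-name impersonation.
        known = baseline["addrs_by_name"].get(norm_name(msg["from_name"]), set())
        if known and addr not in known:
            reasons.append("display_name_collision")
    if any(h.lower() not in baseline["hosts"] for h in msg["link_hosts"]):
        reasons.append("first_seen_link_domain")
    if INSTALL_PROMPT.search(msg["body"]):
        reasons.append("software_install_prompt")
    return len(reasons), reasons


def verdict(msg, baseline):
    """Hold the message when enough independent anomalies stack up."""
    score, reasons = score_message(msg, baseline)
    return ("hold" if score >= HOLD_THRESHOLD else "deliver"), reasons


# Constructed message modelled on the lure described on this page.
PHISH = {"from_name": "Darren", "from_addr": "darren@invite-notify.example",
         "link_hosts": ["wallacedoors-red-rsomy100.workers.dev"],
         "body": ("DARREN INVITED YOU TO A TEAMS REMOTE MEETING. Sorry, you do not have "
                  "the latest version of Teams App installed. Download "
                  "MicrosoftTeams.ClientSetup.exe to continue.")}
# Constructed benign message from the real Darren.
LEGIT = {"from_name": "Darren Lee", "from_addr": "darren.lee@example-corp.com",
         "link_hosts": ["teams.microsoft.com"], "body": "Joining link for Thursday."}

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for label, m in (("phish", PHISH), ("legit", LEGIT)):
        print(label, *verdict(m, base))
```

The point of the threshold is that no single signal is decisive: a new vendor also trips "never seen sender" and "first-seen link domain", and is still delivered, while the lure here stacks all four because it fakes a known name, links to a never-seen host, and asks for an install in the same message.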
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.