🟠 High  |  Source: The Register — Security


Attackers have developed custom malware that routes command-and-control traffic through Microsoft Teams, disguising malicious communications as legitimate corporate collaboration activity. By abusing trusted Microsoft services, the malware makes it significantly harder for security tools and analysts to distinguish attacker traffic from normal business use. This technique lowers the risk of detection and complicates incident response, particularly in organisations that heavily rely on Teams.

Security Architect’s Take: Review your Microsoft Teams data loss prevention and conditional access policies, and ensure you have visibility into anomalous Teams API calls or unexpected external tenant communications via Microsoft Purview or a CASB. Consider restricting Teams external access to approved domains only, and correlate Teams activity with endpoint telemetry to surface unusual process-to-network-service relationships.
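The process-to-network-service correlation suggested above, as an added example that is not from The Register article or the original advisory: it scans constructed endpoint connection telemetry and flags processes other than the Teams client that reach Teams service hosts. The hostnames, expected process images and log format are assumptions for the demo.

```python
# Added example (not from the original article): correlate endpoint network
# telemetry with Teams service hosts to flag processes that talk to Teams
# endpoints without being the Teams client. Hostnames, process names and the
# sample events are assumptions constructed for this demo, not real telemetry.
from collections import defaultdict

# Assumed: hosts the Teams client legitimately reaches for its API traffic.
TEAMS_SERVICE_HOSTS = {"teams.microsoft.com", "graph.microsoft.com"}
# Assumed: process images expected to generate Teams API traffic.
EXPECTED_TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe", "outlook.exe"}

# Constructed sample EDR network-connection events (key=value format).
SAMPLE_EVENTS = [
    "2024-05-01T09:00:01Z host=WS01 pid=4120 image=ms-teams.exe dst=teams.microsoft.com:443",
    "2024-05-01T09:00:05Z host=WS01 pid=4120 image=ms-teams.exe dst=graph.microsoft.com:443",
    "2024-05-01T09:02:10Z host=WS01 pid=7788 image=svchost.exe dst=update.microsoft.com:443",
    "2024-05-01T09:03:44Z host=WS01 pid=9912 image=updater.exe dst=graph.microsoft.com:443",
    "2024-05-01T09:03:49Z host=WS01 pid=9912 image=updater.exe dst=graph.microsoft.com:443",
]

def parse_event(line):
    """Parse one key=value telemetry line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        fields[key] = value
    if not {"host", "image", "dst"}.issubset(fields):
        return None
    fields["dst_host"] = fields["dst"].rsplit(":", 1)[0].lower()  # strip the port
    fields["image"] = fields["image"].lower()
    return fields

def find_unexpected_teams_clients(lines):
    """Return {(host, image, pid): count} for non-Teams processes reaching Teams hosts."""
    hits = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["dst_host"] not in TEAMS_SERVICE_HOSTS:
            continue
        if ev["image"] not in EXPECTED_TEAMS_PROCESSES:
            hits[(ev["host"], ev["image"], ev.get("pid", "?"))] += 1
    return dict(hits)

if __name__ == "__main__":
    for (host, image, pid), n in find_unexpected_teams_clients(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {image} (pid {pid}): {n} connection(s) to Teams service hosts")
```

In production the allowlist of expected images should come from your own baseline of which processes normally reach these hosts, and the alert should be enriched with the process's parent, signer and command line before triage.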

Original advisory: Crooks found a new way to collaborate using Teams – by hiding command-and-control traffic