Beware of new MS Teams fake update ransomware

A new campaign by Advanced Persistent Threat (APT) actors has surfaced, and Microsoft is warning Microsoft Teams users, especially those like us in the cyber defense community, of this new threat. It’s particularly nefarious because it targets public schools and teleworking companies and seeks to take advantage of stressed and fatigued remote workers, who are especially susceptible to these types of attacks during the holiday season. It’s certainly a sign of things to come, as Covid-19 has made this a target-rich environment for cyber criminals.

So what should you look out for?

APT actors are disseminating pop-ups on websites and infected advertising networks asking users to install a fake update to Microsoft Teams. Running the update silently installs a backdoor on that computer, from which the criminals can monitor employee activity, copy private and company files, and even hold the system, and any other computers or servers it has access to, hostage with ransomware.

Source: Microsoft


Ransomware is a big problem and a very lucrative business for cybercriminals. For example, the Trickbot ransomware gang has made an estimated $150 million in untraceable bitcoin in just the past 2 years, and they are just one of many highly skilled and organized groups that target US companies and infrastructure.

The Takeaway

There are relatively simple defensive measures that IT departments can deploy to minimize the chance that this particular threat will impact the organization:

  1. Microsoft recommends using a web filter to block malicious websites (scam, phishing, malware and exploit hosts)

  2. Use strong, random passwords for local administrators

  3. Limit admin privileges to essential users and avoid domain-wide service accounts that have the same permissions as an administrator

  4. Ensure that system security monitoring and patching are in place and verified on a regular basis (we do this with Total Security)

If you’re interested in the technical details, there’s an in-depth article from BleepingComputer.com on how this threat operates in the background of an infected system.

Unfortunately, the Internet is broken. Join us in the fight to protect businesses like yours against theft, crime and disaster.

Stay safe out there.

-A