Due to COVID-19 restrictions, there has been a considerable increase in the usage of online video conferencing tools. In recent FakeUpdates campaigns, hackers were seen using malicious fake ads by poisoning search engine results for fake Microsoft Teams updates.

About FakeUpdates campaigns

According to Bleeping Computer, hackers were observed operating FakeUpdates campaigns using Microsoft Teams updates as a lure to target educational organizations. They were using several variations of the same theme with different threat vectors.
  • The hackers used Predator the Thief infostealer as an initial payload, along with Bladabindi (NJRat) backdoor and ZLoader stealer. In addition, they used Cobalt Strike to compromise the rest of the network.
  • In some instances, hackers used the IP Logger URL shortening service, signed binaries, and various second-stage payloads.
  • To increase the credibility, along with payloads distribution, clicking on the link installed a legitimate copy of Microsoft Teams on the system. A paid search engine ad, moreover, aggravated the payload distribution by pointing to a domain under hackers’ control for Teams software.

Recent attacks on Microsoft Teams 

  • In the last month, hackers had impersonated an automated message from Microsoft Teams to steal the recipient’s login credentials.
  • In multiple connected phishing campaigns, attackers were seen spoofing well-known applications in an attempt to evade detection.

The lucrative education sector


In the FakeUpdates campaigns, the use of a combination of legitimate applications, infostealer trojans backdoors, and Cobalt Strike has added fuel to the fire. By using such dangerous combinations, hackers could potentially infect hundreds of thousands of computers. Microsoft has alerted users to stay alert of poisonous search engine results and malicious online advertisements.

Cyware Publisher