Fake Microsoft Teams website to deliver malware
The threat actors have created many fake websites mimicking the legitimate Microsoft website https://www.microsoft.com/en-us/microsoft-teams/download-app to trick the users to download a known legitimate Microsoft Teams application.
We observed a couple of such domains registered:
teams-download[.]us
teams-install[.]top
teams-install[.]run
teams-install[.]icu
teams-download[.]buzz
teams-download[.]top
At the time of writing, the domains are not accessible. However, we were able to see how each website looked like before it was shutdown.
https://urlscan.io/search/#hash%3A32504ba1306184a6570582c08c1dbd61712d8e09a6a15d1c3e8e54e16de70f0f
Knowing that most of the Microsoft legitimate domains are registered under.
It is obviously visible that none of the domains belong to Microsoft. The domains are newly created one.
To prove our assumption, we compared legitimate Microsoft domain to the fake one:
Legitimate one:
https://whois.domaintools.com/microsoft.com
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way,
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Email:
Tech Name: MSN Hostmaster
Tech Phone: +1.4258828080
Tech Email:
Fake one:
The registrant is not Microsoft
https://whois.domaintools.com/teams-download.top.
To conclude, based on the findings, we may confirm that the domains are targeting Microsoft customers to download fake Microsoft Teams which could be used to compromise the system.
We recommend each company to verify those domains in their network to be stay safe.
