top of page

Microsoft Teams , A perfect target for the UserCentric.exe Attack?

Microsoft Teams does not have a malicious link detection system , it has only what Microsoft 365 uses , and it is a common virus detection engine for scanning files that users upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is included with all subscriptions that include SharePoint Online, OneDrive, and Microsoft Teams.

The Microsoft 365 virus detection engine runs asynchronously (independent from file uploads) within SharePoint Online. All files are not automatically scanned. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged.

users tend to trust everything that is shared on their professional email , as of everything is secure within our company .. Very few users will care to save the obtained files on their hard drives and launch antivirus or threat detection products on it before opening them.

To achieve accessing the Teams platform, the only thing the attacker needs is valid credentials from one of the employees of the targeted entity. This might be done by obtaining the e-mail credentials of any user, which is often done by running phishing campaigns as Avanan mentioned on this link : Hackers Attach Malicious .exe Files to Teams Conversations (

Once an attacker has obtained a valid e-mail credential, he or she is able to log into the Teams platform of the company.

This is where Avanan has seen thousands attacks per month. The attacker operates by dropping executable (.exe) files named “UserCentric.exe” into different Teams conversations, the executable being a malicious file, generally a trojan. The file writes data to the Windows registry, installs DLL files and creates shortcut links that allow the program to self-administer and take control over the computers.

Avanan did not mention the ultimate goal for infecting users with this malware, but we can suspect it’s to allow attackers to get more data from the internal network of their target or get full access to computers within the network. This knowledge might in turn be used for financial fraud or cyberespionage.

How to protect yourself from a Teams attack

what should be done by IT regarding the specific Teams threat reported in this article:

  • Enable two-factor authentication on the Microsoft accounts used for Teams so that users need to use a validation on their phones.

  • Implement additional security for every file that is dropped on the SharePoint folders related to Teams. Files should all be checked against a threat detection solution. Their cryptographic hashes could also be submitted to VirusTotal in order to check if the file might already be known and classified as malicious or not.

  • Implement additional security for every link that is copied on Teams. If possible, use several link reputation services to check if the link is safe or not.

  • Raise awareness among employees. In the same way awareness is raised for phishing attacks and all email threats, employees should be told about the risks of communication and sharing platforms.

For safe attachments for SharePoint , OneDrive and Microsoft Teams :Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365 | Microsoft Docs

Disclosure : Thanks to and

20 views0 comments


bottom of page