Ransomware gang runs ads for Microsoft Teams to pwn victims

Imagine searching for Microsoft Teams, seeing a text link at the top of the results, visiting it, and then getting hit with malware. The Rhysida ransomware gang, an especially insidious criminal organization that has stolen millions of people's info, has been placing fake ads for Microsoft Teams in search engines and then …

  1. Yet Another Anonymous coward Silver badge

    Could be worse

    Imagine searching for Microsoft Teams, seeing a text link at the top of the results, visiting it, and then getting Microsoft Teams installed

    1. Dr Paul Taylor

      Indeed, you would be installing code that can remotely wipe your device, at least according to this El Reg story and this M$ documentation.

      1. captain veg Silver badge

        Neither of your linked articles mentions Teams specifically.

        Intune, however, can do exactly that. And the mobile versions of Teams, Outlook, etc, can be configured to require the presence of Intune.

        Since I run neither Android nor whatever Apple is calling its mobile operating system today on my phone I have found that browsers which don't blab about the fact that you're using a mobile device can be useful. To wit: Sapot. Those stuck on Android, but with access to FDroid should download jQuarks, and make sure that the Desktop Site option is permanently on.

        -A.

        1. Yet Another Anonymous coward Silver badge

          Any unreasonably secure operation blocks visiting Teams/Outlook even in desktop mode on a machine without Intune and Device Management running

    2. Dan 55 Silver badge

      Re: Could be worse

      If I had to choose between the two, the malware would let me get more work done.

  2. veti Silver badge

    Bing?

    Remind me, who owns Bing again?

    Therefore, who sold this ad slot?

    I often find myself defending MS, but this... this is something else. A whole other level of Not Even Trying Any More.

  3. Anonymous Coward

    Fake adverts in search

    Adverts are not your friend kids.

    Don’t click.

  4. Pascal Monett Silver badge
    FAIL

    Imagine that ? No, I don't.

    I never click on any link without checking its origin.

    You try to sell me an ad on MS Teams ? Then your link had damn well better point to Microsoft's download page.

    I wasn't born yesterday.

    1. Alumoi Silver badge

      Re: Imagine that ? No, I don't.

      I take it you've never seen how people actually use their phones/computers: type something in google search, click through the ads then click on the first link it displays.

    2. Richard 12 Silver badge

      Re: Imagine that ? No, I don't.

      On phone and tablet it's pretty difficult to see where a link goes.

      Hover doesn't exist with those touchscreens.

      1. veti Silver badge

        Re: Imagine that ? No, I don't.

        Even on desktop, there are ways to disguise it. Tyop squatting. Non-Latin charsets. A determined attacker can make it pretty hard to tell the difference between microsoft.com and micrοsoft.com.
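
Added example, not part of the original thread: a defender-side check for the look-alike host mentioned in the comment above, where the "o" in micrοsoft.com is a Greek omicron. The function names and the small confusables map are assumptions made for this illustration; a production check would load Unicode's full confusables data (UTS #39).

```python
import unicodedata

# Constructed subset of look-alike letters mapped to their Latin twin.
# The authoritative list is Unicode's confusables.txt, not loaded here.
CONFUSABLES = {
    "\u03bf": "o",  # Greek omicron
    "\u043e": "o",  # Cyrillic o
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u0441": "c",  # Cyrillic es
    "\u0440": "p",  # Cyrillic er
    "\u0456": "i",  # Cyrillic Byelorussian-Ukrainian i
}

GENUINE = "microsoft.com"
SPOOF = "micr\u03bfsoft.com"  # constructed sample: Greek omicron in place of "o"

def scripts(label):
    """Return the set of scripts used by the letters in one DNS label."""
    found = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "UNKNOWN")
            found.add("LATIN" if ch.isascii() else name.split(" ")[0])
    return found

def skeleton(host):
    """Fold known look-alike letters to Latin so spoofs collapse onto the real name."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())

def check_link_host(host, expected):
    """Classify a link's host against the domain the user expects to reach."""
    host = host.lower().rstrip(".")
    mixed = [lab for lab in host.split(".") if len(scripts(lab)) > 1]
    if host == expected:
        verdict = "match"
    elif skeleton(host) == expected:
        verdict = "lookalike"
    else:
        verdict = "other"
    # The ASCII (punycode) form is what DNS and proxy logs actually record.
    wire = host.encode("idna").decode("ascii")
    return {"verdict": verdict, "mixed_script_labels": mixed, "wire_form": wire}

if __name__ == "__main__":
    for h in (GENUINE, SPOOF):
        print(h, check_link_host(h, GENUINE))
```

The `wire_form` value is the string to search for in resolver or proxy logs, since the spoofed name never appears there in its Unicode form.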

  5. Sleep deprived

    Who'd want Teams?

    No need to install it, just run the link in Edge when the one calling the meeting can't be bothered using Zoom. It's my sole use for Edge, which I'm not sure can be safely removed anyways.

  6. bigphil9009

    "It's worth noting that earlier this month, Microsoft said it revoked more than 200 certificates that Vanilla Tempest used in fake Teams setup files to ultimately deliver Rhysida ransomware." So these, err trusted certificates can't actually be trusted then? The whole supply chain has become so complex that bad actors can purchase genuine certificates. What's the point of them any more?
