Threat Actors Weaponize Fake Microsoft Teams Domains to Target Users

North Korean state-sponsored threat actors, specifically the group known as UNC1069, are actively deploying counterfeit Microsoft Teams domains as part of sophisticated social engineering campaigns designed to distribute malicious software.

These attackers utilize highly convincing meeting invitations and exploit compromised communication platforms to target unsuspecting professionals and corporate personnel.

UNC1069 operates with financial objectives and maintains affiliation with the Democratic People’s Republic of Korea (DPRK).

On April 6, 2026, the Security Alliance identified a malicious domain, onlivemeet[.]com, used by the group to impersonate Microsoft Teams.

The attackers direct victims to fraudulent meeting pages hosted on this fake domain, where users are tricked into downloading malware, primarily a Remote Access Trojan (RAT).

Sophisticated social engineering techniques are central to the attackers’ approach, establishing trust before executing their malicious activities.

Security researchers have documented several specific tactics employed by UNC1069 to deliver malicious meeting links:

  • Manipulating old conversations from previously breached accounts on Telegram and LinkedIn to appear legitimate.
  • Sending fake partnership, investor, or job invitation requests within impersonated company group chats on Slack.
  • Pre-scheduling deceptive meetings using legitimate services like Calendly to enhance the credibility of the lure.

The Fake Meeting Lure

Upon clicking the meeting link, victims are redirected to a meticulously crafted but fraudulent Microsoft Teams web page. These malicious pages are designed to perfectly mirror the official Microsoft interface, lowering the user’s guard.

The page falsely states that the “TeamsFx SDK” has been deprecated and prompts the victim to click an update button. This action triggers the download of malicious payload disguised as a required technical software update.

Organizations should treat unexpected meeting requests, even those seemingly from known contacts, with extreme caution, especially when they demand immediate software updates.

Related Articles

Back to top button