Hackers linked to the Payouts King ransomware gang are weaponizing Microsoft Teams to breach corporate networks and sell the access to other cybercriminals. By posing as internal IT staff, these attackers trick employees into installing a malicious Microsoft Edge extension that completely bypasses standard browser security sandboxes. The campaign highlights a growing trend of initial access brokers exploiting trusted internal communication channels to establish a foothold before a full-scale ransomware deployment.
The attack begins with a direct Microsoft Teams message from an account impersonating the organization’s IT department. The message urgently instructs the user to install a mandatory "spam filter update." Victims who click the provided link are redirected to a highly convincing, fake Microsoft website. This portal uses a series of deceptive buttons to force the installation of the malware, ultimately prompting the user to hand over their Microsoft 365 and Outlook passwords.
According to security researchers at Zscaler, the threat actor utilizes an "innovative malware delivery mechanism" dubbed Edgecution. The malicious Microsoft Edge extension exploits the Chrome native messaging protocol to interact directly with host-native applications. By abusing this interface, the attackers successfully escape the confines of the browser sandbox. This grants them direct host access, enabling them to manipulate the local filesystem, launch background processes, and execute arbitrary code on the compromised machine.
How to Defend Against Edgecution Malware
- Monitor extension installations: Implement robust tracking and restriction policies for all browser extensions across the corporate network.
- Lock down native messaging: Enforce strict controls over native messaging host configurations to prevent unauthorized extensions from interacting with local system files.
- Update security training: Educate employees to recognize social engineering tactics, specifically spam bombing and vishing, and to verify any IT administrative updates through a secondary channel.
The Danger of Trusted Internal Channels
The most alarming aspect of the Payouts King campaign is not just the sandbox escape, but the exploitation of Microsoft Teams. For years, corporate security training has heavily focused on email-based phishing, conditioning employees to scrutinize external senders. However, internal chat platforms carry an implicit level of trust; a message appearing to come from the IT helpdesk via Teams rarely triggers the same suspicion.
This attack vector proves that initial access brokers are adapting to hardened email perimeters by moving laterally into collaborative workspaces. Organizations must extend their zero-trust architecture to internal communications, treating a Teams prompt with the same skepticism as an unsolicited external email. If IT departments do not establish clear, verifiable protocols for software updates, ransomware gangs will continue to exploit this blind spot.