Sophisticated Cyber Attack Targets Wedding Industry via Teams Malware

A sophisticated phishing campaign is currently targeting wedding planners and vendors. This operation deploys stealer malware, cleverly disguised as Microsoft Teams meetings. To build trust, security researchers report that attackers first compromise legitimate email accounts before delivering their malicious payloads.

Threat actors impersonate legal professionals in emails from czimmerman@craigzlaw[.]com, a domain tied to The Law Offices of Craig Zimmerman, a real consumer protection firm. Messages include realistic details like wedding dates, guest counts, and venues to mimic vendor coordination.

After email exchanges, victims receive a fraudulent Teams link: https://teams.microsoft.com/l/meet/47018czL7LJ5PZQ6Cy, prompting a video call for “optimal video quality.”

This tactic exploits high trust in collaboration tools amid wedding industry pressures. Microsoft Security noted on LinkedIn that such attacks appear highly convincing and evade casual scrutiny. Similar Teams abuses have surged, with hackers using chats for malware since 2022.

Clicking the link redirects to ussh[.]life/connect/teamsfinal/9/windows, a malicious site masquerading as a Teams download page. It urges downloading executables labeled for Windows, including a system reference prompt. Analysis reveals stealer malware behavior: executables likely harvest credentials, browser data, and session tokens post-infection.

The site employs social engineering, mimicking official Microsoft branding with prompts like “Need help? System reference.” Downloads evade basic AV via obfuscation, common in info-stealers like those in DarkGate campaigns via Teams. Once executed, stealers exfiltrate data to attacker C2, enabling account takeovers for further phishing.

Wedding-themed lures parallel Android stealers like Tria, which use invites to steal SMS and email, but this Windows variant targets planners on desktops.

Indicators of Compromise

• Email: czimmerman@craigzlaw[.]com (compromised legitimate domain)
• Phishing URL: https://teams.microsoft.com/l/meet/47018czL7LJ5PZQ6Cy
• Malware host: ussh[.]life/connect/teamsfinal/9/windows
• Fake code: fr6c (embedded in redirect)

Block these IOCs at firewalls; scan with EDR for anomalous Teams traffic.

Targets include U.S. wedding vendors, leveraging seasonal rushes. Compromised lawyer emails suggest initial breach via phishing or credential stuffing on M365 accounts. Victims risk data breaches exposing client PII, payments, and contracts.

Verify sender domains; hover over Teams links before clicking. Enable Microsoft 365 ATP for external access restrictions. Train staff on vishing via fake calls. Use passwordless auth and monitor for unusual downloads from collaboration tools. Wedding firms should segment vendor comms to email-only.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.