Threat actors associated with North Korea are deploying fake Microsoft Teams domains to conduct social engineering attacks and distribute malware.
The threat group, identified as UNC1069, uses convincing meeting lures and compromised communication channels to target unsuspecting professionals.
UNC1069 is a financially motivated threat actor linked to the Democratic People’s Republic of Korea (DPRK).
On April 6, 2026, the Security Alliance identified a new malicious domain, onlivemeet[.]com, deployed by the group to impersonate Microsoft Teams.
The attackers use this fake domain to host deceptive meeting pages that trick users into downloading malicious software, often in the form of a Remote Access Trojan (RAT).
The attackers rely heavily on sophisticated social engineering to build trust before launching their exploits.
Security researchers have observed them using several specific methods to deliver their malicious links:
- Reviving old conversations from previously compromised Telegram and LinkedIn accounts to appear legitimate.
- Sending partnership, investor, or job invitation calls from fake or impersonated company group chats on Slack.
- Pre-scheduling these fake meetings through legitimate services like Calendly to add credibility to the lure.
The Fake Meeting Lure
Once a victim clicks the meeting link, they are directed to a highly convincing but fake Microsoft Teams web page. These fraudulent pages are designed to closely mimic the legitimate Microsoft interface and lower the victim’s guard.
The deceptive page informs the user that the “TeamsFx SDK” has been deprecated and prompts the victim to click an update button. This action initiates the download of a malicious payload disguised as a necessary technical software fix.
To defend against these attacks, security teams and employees must remain vigilant about verifying communication channels.
Users should always inspect the actual destination URLs before clicking, as the text displayed in applications like Slack or Telegram may not match the true web address.
Organizations should also treat unexpected meeting requests, even those from known contacts, with caution, especially when they demand immediate software updates.
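As an added illustration of the URL check described above (not code from the Security Alliance report or any vendor), the following Python sketch extracts Slack-style and Markdown links from a chat message and flags those whose visible label does not match the real destination host. The `TEAMS_HOSTS` allowlist, the function names, and the `.example` sample messages are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts your organisation accepts for Teams meeting links.
TEAMS_HOSTS = {"teams.microsoft.com", "teams.live.com"}

# Slack mrkdwn <url|label> and Markdown [label](url) links.
LINK_RE = re.compile(
    r"<(?P<u1>https?://[^|>\s]+)\|(?P<t1>[^>]+)>"
    r"|\[(?P<t2>[^\]]+)\]\((?P<u2>https?://[^)\s]+)\)"
)
# A host name written inside the visible label, e.g. "teams.microsoft.com".
LABEL_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample messages; the .example hosts are placeholders.
SAMPLES = [
    "Investor call: <https://teams-join.example/meet/123|https://teams.microsoft.com/l/meetup-join/123>",
    "[Join Microsoft Teams meeting](https://teams.microsoft.com/l/meetup-join/456)",
    "Partnership sync: [Open in Teams](https://meet-portal.example/launch)",
]

def real_host(url):
    """Host the client will actually connect to."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def audit_links(message):
    """Return (label, real_host, reasons) for each suspicious link."""
    findings = []
    for m in LINK_RE.finditer(message):
        url = m.group("u1") or m.group("u2")
        label = m.group("t1") or m.group("t2")
        host = real_host(url)
        reasons = []
        shown = LABEL_HOST_RE.search(label)
        if shown and shown.group(1).lower() != host:
            reasons.append("label shows a different host")
        if "teams" in label.lower() and host not in TEAMS_HOSTS:
            reasons.append("Teams-branded label, non-Teams host")
        if reasons:
            findings.append((label, host, reasons))
    return findings

if __name__ == "__main__":
    for msg in SAMPLES:
        for label, host, reasons in audit_links(msg):
            print(f"{host!r} behind {label!r}: {'; '.join(reasons)}")
```

The same comparison can be applied to exported chat logs or mail bodies; only the link-extraction pattern needs to change for other message formats.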

