Hacker Bypasses Windows Defender Using Microsoft Teams – Here's What Happened

By Corporal Punishment

on 03/30/2025

Security researchers at IBM's X-Force team recently uncovered a clever way hackers can bypass Windows Defender Application Control (WDAC), a major line of defense built into Windows that stops unauthorized apps from running. What makes this hack so dangerous? It uses trusted, whitelisted applications, like Microsoft Teams, to sneak past Defender like it wasn't even there.
How the Bypass Works

WDAC is meant to stop unknown or unsigned software from executing, which helps block malware from running on your PC. You have all seen it in action when you download an application from a new author or a new open source project. The cool thing here is that the attacker bypassed the security feature and deployed his shady software by using Microsoft Teams, an Electron-based app that WDAC already trusts.

Electron apps are desktop programs built with JavaScript and Node.js that run inside their own mini web browser. This means Teams, Slack, and others can interact with the operating system in powerful ways. Maybe too powerful, as it turns out.

The attacker (0xBoku) exploited this by injecting malicious JavaScript into the Teams app. That code used Node.js features like child_process to run whatever the attacker wanted, right under Defender's nose and with zero complaints. Since Teams is already whitelisted, WDAC just shrugged and let it all run.

The result? As soon as a user launched the tampered Teams app, the attacker was in. They then deployed a Command & Control (C2) framework called Loki C2, giving them full remote control of the system without tripping the usual alarms.

Here's what it looks like:

Video demo of bypassing Windows Defender App Control with Loki C2! Blog with details coming in 1-2 weeks.
Yes -- @d_tranman and I created an entire C2 in JavaScript and it bypasses all the things 🥷🧙‍♂️🪄 pic.twitter.com/dZrG9ecyKv

— Bobby Cooke (@0xBoku) March 12, 2025
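One defender-side way to notice this pattern (a whitelisted Electron host spawning a shell or script interpreter) is to watch process-creation events for exactly that parent/child pairing. This is an added example, not code from the article or from the researchers; the process names and the sample records are assumptions I constructed, and the live query at the end needs Windows process-creation auditing (Security event 4688, ideally with command-line logging) turned on.

```powershell
# Added example: flag a whitelisted Electron app spawning a shell or script host.
# Process names below are assumptions; extend them for the Electron apps you actually run.
$electronHosts      = @('ms-teams.exe', 'teams.exe', 'slack.exe', 'discord.exe')
$suspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                        'mshta.exe', 'rundll32.exe', 'node.exe')

function Test-ElectronChildProcess {
    param([string]$ParentProcessName, [string]$NewProcessName)
    if (-not $ParentProcessName -or -not $NewProcessName) { return $false }
    $parent = (Split-Path -Leaf $ParentProcessName).ToLower()
    $child  = (Split-Path -Leaf $NewProcessName).ToLower()
    return ($electronHosts -contains $parent) -and ($suspiciousChildren -contains $child)
}

# Constructed sample records (not real telemetry) so the logic can be checked offline.
# Only the first one should be flagged: Teams itself being started by Explorer is normal.
$sample = @(
    @{ Parent = 'C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe'
       Child  = 'C:\Windows\System32\cmd.exe'; Cmd = 'cmd.exe /c ipconfig /all' },
    @{ Parent = 'C:\Windows\explorer.exe'
       Child  = 'C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe'; Cmd = 'ms-teams.exe' }
)
$sample | Where-Object { Test-ElectronChildProcess $_.Parent $_.Child } |
    ForEach-Object { "SUSPICIOUS: $($_.Parent) spawned: $($_.Cmd)" }

# Same check over the live Security log (last 24 hours). Event 4688 carries NewProcessName,
# ParentProcessName and, when command-line auditing is enabled, CommandLine.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if (Test-ElectronChildProcess $data.ParentProcessName $data.NewProcessName) {
            [pscustomobject]@{ Time = $_.TimeCreated; Parent = $data.ParentProcessName
                               Child = $data.NewProcessName; CommandLine = $data.CommandLine }
        }
    } | Format-Table -AutoSize
```

Legitimate Teams updates or screen-sharing helpers can also spawn child processes, so treat a hit as a lead to investigate (what command line, what user, what parent path) rather than a verdict.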



Did the Hacker Need User Interaction?

Yes, and this is important. This wasn't a magical exploit that infected people by itself, so system admins, don't start having a heart attack just yet. A user still had to be tricked by a phishing attack into running the modified app. But the real problem is that the system should have blocked it, and it didn't, because it trusted Teams and therefore anything that Teams runs. A bit reminiscent of Excel macro viruses.

Security Bounty & Microsoft's Stance

Interestingly, the researcher(s) who discovered this weren't bad actors. They were participating in Microsoft's security bounty program, which rewards people for responsibly disclosing these kinds of flaws. According to Microsoft's own documentation, bypassing WDAC qualifies as a security boundary issue, and those get serious attention.

As of now, Microsoft has not yet released a patch for this specific bypass. They may choose to block the exploit method via the WDAC recommended block list instead of a full patch. We'll update this story if and when that changes.

How You Can Stay Safe

While this is more of a targeted, advanced technique than your average malware, it's a good reminder to stay sharp. Here are a few things you can do:

  • Update all your apps regularly, especially ones built on Electron (like Teams, Discord, Slack, etc.).
  • Educate yourself on phishing techniques. We have an E-book here for our members, but we also have a number of articles on phishing techniques.
  • Don't trust apps just because they have a familiar name or icon. If something feels off, verify its source.
  • Admins should consider using AppLocker or other advanced policy tools alongside WDAC to reduce the attack surface.

AppLocker?

What's AppLocker? AppLocker is an under-the-radar, built-in Windows feature that lets system administrators (or savvy users) control which applications are allowed to run on a computer. One of the reasons it is under the radar is that if you misconfigure things, you can end up locking everyone, including yourself, out of critical apps. If you're not comfortable with admin tools, policies, and recovery options, it's easy to go sideways. So, if you are a casual user -- skip down -- don't read this.

The attack works by taking advantage of a trusted Electron-based app that Windows Defender Application Control already whitelists. Once launched, malicious JavaScript or Node.js code inside the app can spawn unauthorized child processes, effectively giving an attacker control. You can use AppLocker to block script execution entirely, covering file types like .js, .vbs, and .ps1, unless they come from trusted sources or are digitally signed. You can also block child processes from launching out of apps like Teams or Slack unless explicitly permitted.

To get started with AppLocker, press Win + R, type secpol.msc, and hit Enter to open the Local Security Policy editor. Navigate to Application Control Policies > AppLocker to begin creating your rules. First, under Script Rules, create a Deny rule for all common script types like .js, .vbs, and .ps1, unless they are signed or located in trusted directories. It's best to target standard users so administrators still have the flexibility to run trusted scripts when needed.

Next, create a Deny Executable Rule to block applications like Node.js or other executables capable of using child_process, which is often exploited in Electron-based app attacks. You can fine-tune this rule by using the Publisher or Path options to allow only verified or essential software to run.
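As an added example (not the article's or Microsoft's code), here is the same policy scripted in PowerShell: AppLocker blocks anything a rule collection does not explicitly allow, so the "deny unless signed or in a trusted folder" step is written as allow rules for Windows, Program Files, signed scripts and administrators, plus an explicit deny on node.exe for standard users. It assumes Node.js lives in its default install folder and applies everything in audit mode first, so nothing is blocked until you have reviewed the AppLocker event log.

```powershell
# Added example, not from the article: AppLocker Script + Exe rules in audit mode, applied from
# an elevated PowerShell. Assumption: Node.js is installed under %PROGRAMFILES%\nodejs.
$Everyone = 'S-1-1-0'; $Admins = 'S-1-5-32-544'; $Users = 'S-1-5-32-545'   # well-known SIDs

function New-PathRule($Name, $Sid, $Action, $Path) {
    "<FilePathRule Id=""$(New-Guid)"" Name=""$Name"" Description="""" UserOrGroupSid=""$Sid"" Action=""$Action"">" +
    "<Conditions><FilePathCondition Path=""$Path"" /></Conditions></FilePathRule>"
}
# Every collection needs these default allows, or the implicit deny locks everyone out of Windows.
function Get-DefaultRules {
    (New-PathRule 'Windows folder' $Everyone 'Allow' '%WINDIR%\*') +
    (New-PathRule 'Program Files' $Everyone 'Allow' '%PROGRAMFILES%\*') +
    (New-PathRule 'Administrators: everything' $Admins 'Allow' '*')
}

# Standard users may additionally run scripts signed by any publisher; everything else is denied.
$signedScripts = "<FilePublisherRule Id=""$(New-Guid)"" Name=""Users: signed scripts"" Description="""" UserOrGroupSid=""$Users"" Action=""Allow"">" +
    "<Conditions><FilePublisherCondition PublisherName=""*"" ProductName=""*"" BinaryName=""*"">" +
    "<BinaryVersionRange LowSection=""*"" HighSection=""*"" /></FilePublisherCondition></Conditions></FilePublisherRule>"
# An explicit Deny beats the Program Files allow above, so standard users cannot launch node.exe.
$denyNode = New-PathRule 'Users: deny node.exe' $Users 'Deny' '%PROGRAMFILES%\nodejs\node.exe'

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">$(Get-DefaultRules)$signedScripts</RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">$(Get-DefaultRules)$denyNode</RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-electron-hardening.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against a constructed, harmless .js file in a user-writable folder: expect a denied
# decision for Users (unsigned, untrusted folder) and Allowed for Administrators.
$probe = Join-Path $env:TEMP 'dropped.js'
Set-Content -Path $probe -Value '// constructed probe file for the policy test'
foreach ($sid in $Users, $Admins) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User $sid |
        Select-Object @{ n = 'User'; e = { $sid } }, PolicyDecision, MatchingRule
}

# Merge into the local policy (still audit only) and make sure the enforcing service runs.
# Review AppLocker events 8003/8006 ("would have been blocked") before changing AuditOnly to Enabled.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto
sc.exe start appidsvc
```

Leave it in AuditOnly for a few days of normal use; anything legitimate that shows up as 8003/8006 in Applications and Services Logs > Microsoft > Windows > AppLocker needs its own allow rule before you flip enforcement on.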


Security Tools Worth Checking Out

Since we're MajorGeeks, we won't leave you hanging without some tools to beef up your security:

  • Malwarebytes – Excellent second-opinion scanner, with real-time protection in the PRO version.
  • Autoruns – Great for detecting and killing suspicious processes.
  • GlassWire – Visual network monitor that helps detect suspicious traffic.

TL;DR

A security researcher found a way to bypass Windows Defender Application Control (WDAC) by abusing Microsoft Teams, a trusted and whitelisted app. Since Teams is built with Electron and Node.js, it can run scripts and spawn processes. The hacker injected malicious code into the app, and once the user launched it, boom: full remote access via Loki C2.

  • The researcher was working under a legitimate Microsoft bug bounty program.
  • Yes, the user had to be tricked with a phish.
  • No, Defender didn't stop it because the app was already trusted.
  • Microsoft hasn't patched it yet, but may add it to their blocklist.

Lesson: Trusting signed Electron apps isn't enough. Lock down scripts, control child processes, and consider using AppLocker or similar tools for better protection.

Even the best security systems can be tricked if a trusted app gets turned against you. Watch out for phishing at all times, and keep yourself, your software, and your users up to date with the latest patches and news. Stay alert, stay updated, and check back with MajorGeeks for more security news that doesn't suck.
