Hackers Exploit Microsoft Teams Calls

Overview

A new cyber‑espionage campaign is turning Microsoft Teams into a weapon. Threat actors are now using fake IT support calls to trick employees into installing remote monitoring and management (RMM) tools that deliver a stealthy remote access trojan (RAT) known as EtherRAT.

This attack blends social engineering with legitimate software, making it look like a routine helpdesk session while silently handing over full control of the victim’s device.

How the Attack Unfolds

The operation begins with a phishing email disguised as an Employee Survey and a malicious PDF attachment. Once opened, the victim receives a Teams voice call from someone posing as a System Administrator.

Key steps:

  • External Tenant Impersonation — the attacker’s account uses a domain mimicking a corporate helpdesk.
  • Screen Sharing Abuse — victims are persuaded to enable screen sharing, granting remote control.
  • RMM Tool Installation — attackers guide users to install legitimate remote‑access software.
  • Malicious MSI Loader — downloads a Node.js runtime and decrypts hidden payloads, launching EtherRAT.

Because EtherRAT leverages authentic software components, many endpoint security tools fail to detect it.

Inside EtherRAT

EtherRAT is a cross‑platform RAT built entirely in Node.js, capable of:

  • Executing commands and moving files.
  • Exfiltrating sensitive data.
  • Maintaining long‑term persistence.

Its standout feature is using Ethereum smart contracts to retrieve its command‑and‑control (C2) server address — a tactic that makes takedown efforts far more complex.

Researchers found nine versions of the installer on the attacker’s server, confirming active development and wider criminal adoption beyond its original state‑sponsored roots.

Why Fake Helpdesk Calls Still Work

This campaign follows a growing trend of Teams‑based impersonation attacks. Earlier operations used spam floods and fake IT chats to push other malware families.

Microsoft has since introduced:

  • External Tenant Warnings — clearer alerts for unfamiliar accounts.
  • Meeting Lobby Controls — suspected bots are held for manual approval.

Still, attackers exploit human trust in collaboration tools — a reminder that security awareness training is as vital as technical controls.

Defensive Recommendations

To counter this evolving threat:

  • Restrict External Teams Access — limit interactions to verified tenants.
  • Verify IT Requests — confirm helpdesk calls via known internal contacts.
  • Monitor RMM Installations — flag unexpected remote access software.
  • Educate Employees — train staff to spot external tenant warnings and phishing lures.

Expert in the Cloud Insight

The EtherRAT campaign underscores how trust in enterprise tools can be weaponized. Collaboration platforms like Teams are now prime targets for social engineering because they blur the line between internal and external communication.

For security leaders, the lesson is clear: human verification is the new firewall. No technical control can replace a culture of skepticism toward unsolicited support requests.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.