
Hackers Abuse Microsoft Teams to Gain Remote Access With PowerShell-based Malware

Cybercriminals are increasingly weaponizing Microsoft Teams, exploiting the platform’s trusted role in corporate communications to deploy malware and seize control of victim systems.

In a sophisticated campaign, threat actors are impersonating IT support staff in Microsoft Teams chats to trick employees into granting remote access, marking a dangerous evolution from traditional email-based phishing attacks.

Social engineering remains a highly effective tactic for hackers, and as businesses have integrated platforms like Microsoft Teams into their core operations, attackers have followed. The inherent trust employees place in internal messaging makes it a fertile ground for deception.

Recent campaigns analyzed by Permiso cybersecurity researchers reveal a multi-stage attack that begins with a simple message and culminates in the deployment of potent, multifunctional malware.

PowerShell-based Malware via Microsoft Teams

The attack chain often starts with a direct message or call from a newly created or compromised Microsoft Teams account. These accounts are designed to look legitimate, using display names like “IT SUPPORT” or “Help Desk Specialist” to impersonate trusted personnel.

Figure: Microsoft Teams attack chain

Attackers often use checkmark emojis to simulate a verified status and leverage Microsoft’s onmicrosoft.com domain structure to appear as if they are part of the organization.

Posing as IT staff addressing a routine issue like system maintenance, the attackers build rapport with their target.

Once trust is established, they persuade the employee to install remote access software, such as Quick Assist or AnyDesk, under the guise of providing technical assistance. This critical step gives the attacker a direct foothold into the user’s machine and the corporate network.

While similar techniques involving remote access tools have been linked to ransomware groups like Black Basta since mid-2024, these newer campaigns are more direct, often forgoing the preliminary mass email campaigns seen in the past.

The malicious payloads have also diversified, with recent incidents involving the DarkGate and Matanbuchus malware loaders.

Once remote access is secured, the attacker executes a PowerShell command to download the primary malicious payload. This script is far from simple, equipped with capabilities for credential theft, establishing long-term persistence, and remote code execution, Permiso said.


To evade detection and complicate removal, the malware can designate its own process as “critical,” which would cause the system to crash if terminated.

It also uses a legitimate-looking Windows credential prompt to trick users into entering their passwords, which are then exfiltrated to an attacker-controlled server.

Analysis of the payload’s code revealed hardcoded encryption keys that link the campaign to a known financially motivated threat actor tracked as Water Gamayun (also known as EncryptHub).

This group has a history of combining sophisticated social engineering with custom malware to target English-speaking IT professionals and developers.

Employees must be trained to remain vigilant against unsolicited contact, even on trusted internal platforms. All requests for credentials or the installation of remote access software should be independently verified through a known, separate communication channel.

Here is a table of the Indicators of Compromise (IoCs) reported by Permiso.

Indicator                                                        | Type
---------------------------------------------------------------- | ---------------------
https://audiorealteak[.]com/payload/build.ps1                    | URL
https://cjhsbam[.]com/payload/runner.ps1                         | URL
104.21.40[.]219                                                  | IPv4
193.5.65[.]199                                                   | IPv4
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6 | User Agent (UA)
&9*zS7LY%ZN1thfI                                                 | Initialization Vector
123456789012345678901234r0hollah                                 | Encryption Key
62088a7b-ae9f-2333-77a-6e9c921cb48e                              | Mutex
Help Desk Specialist ✅                                          | User Display Name
IT SUPPORT✅                                                     | User Display Name
Marco DaSilva IT Support ✅                                      | User Display Name
IT SUPPORT ✅                                                    | User Display Name
Help Desk                                                        | User Display Name
@cybersecurityadm.onmicrosoft[.]com                              | User Principal Name
@updateteamis.onmicrosoft[.]com                                  | User Principal Name
@supportbotit.onmicrosoft[.]com                                  | User Principal Name
@replysupport.onmicrosoft[.]com                                  | User Principal Name
@administratoritdep.onmicrosoft[.]com                            | User Principal Name
@luxadmln.onmicrosoft[.]com                                      | User Principal Name
@firewalloverview.onmicrosoft[.]com                              | User Principal Name
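To turn the report into something a SOC can run, here is an added Python example (it is not Permiso's code and not code from the article) that refangs the IoCs from the table above, scans constructed sample log lines for them, and applies the sender heuristics the article describes to a Teams message: an external onmicrosoft.com tenant, a checkmark emoji standing in for a verified badge, and "IT support" or "help desk" wording in the display name. The log formats, field names, the sample lines and the home tenant name contoso.onmicrosoft.com are assumptions made for the example.

```python
from __future__ import annotations

import re
from typing import Iterable

# Indicators copied from the article's IoC table, defanged with "[.]" exactly as published.
IOC_URLS = [
    "https://audiorealteak[.]com/payload/build.ps1",
    "https://cjhsbam[.]com/payload/runner.ps1",
]
IOC_IPS = ["104.21.40[.]219", "193.5.65[.]199"]
IOC_UPN_DOMAINS = [
    "cybersecurityadm.onmicrosoft[.]com",
    "updateteamis.onmicrosoft[.]com",
    "supportbotit.onmicrosoft[.]com",
    "replysupport.onmicrosoft[.]com",
    "administratoritdep.onmicrosoft[.]com",
    "luxadmln.onmicrosoft[.]com",
    "firewalloverview.onmicrosoft[.]com",
]
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 "
                  "(KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6")
IOC_MUTEX = "62088a7b-ae9f-2333-77a-6e9c921cb48e"


def refang(indicator: str) -> str:
    """Turn the publication-safe "[.]" back into "." so the value can be matched in logs."""
    return indicator.replace("[.]", ".")


# One compiled pattern per indicator; \b keeps 104.21.40.219 from matching 104.21.40.2190.
IOC_PATTERNS = {
    refang(ioc): re.compile(r"\b" + re.escape(refang(ioc)) + r"\b")
    for ioc in IOC_URLS + IOC_IPS + IOC_UPN_DOMAINS + [IOC_USER_AGENT, IOC_MUTEX]
}

# Display-name tricks described in the article: a checkmark standing in for a verified
# badge, or wording that claims an IT support / help desk role.
SUPPORT_NAME_RE = re.compile(r"✅|\bIT SUPPORT\b|\bHELP DESK\b", re.IGNORECASE)


def scan_log_line(line: str) -> list[str]:
    """Return every refanged IoC that appears in one log line."""
    return [ioc for ioc, pat in IOC_PATTERNS.items() if pat.search(line)]


def scan_logs(lines: Iterable[str]) -> dict[int, list[str]]:
    """Map line index -> matched IoCs, keeping only lines with at least one hit."""
    results: dict[int, list[str]] = {}
    for idx, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            results[idx] = hits
    return results


def assess_teams_sender(display_name: str, upn: str, home_tenant: str) -> list[str]:
    """Reasons a Teams sender resembles the IT-support impersonation in the article."""
    reasons = []
    sender_domain = upn.rsplit("@", 1)[-1].lower()
    if sender_domain in {refang(d).lower() for d in IOC_UPN_DOMAINS}:
        reasons.append("sender tenant is a published IoC")
    # Any onmicrosoft.com tenant other than our own (assumed: contoso.onmicrosoft.com)
    # is an outside organisation, whatever the display name claims.
    if sender_domain.endswith(".onmicrosoft.com") and sender_domain != home_tenant.lower():
        reasons.append("external onmicrosoft.com tenant")
    if SUPPORT_NAME_RE.search(display_name):
        reasons.append("display name imitates IT support or a verified badge")
    return reasons


# Constructed sample telemetry (not real logs): a proxy line that fetched a payload URL,
# a benign proxy line, a firewall line to a listed IP, and a Teams chat from a listed tenant.
SAMPLE_LOGS = [
    "2025-07-01T10:02:11Z proxy user=jdoe url=https://audiorealteak.com/payload/build.ps1 status=200",
    "2025-07-01T10:02:12Z proxy user=jdoe url=https://contoso.sharepoint.com/sites/hr status=200",
    "2025-07-01T10:02:14Z fw dst=193.5.65.199 dport=443 action=allow",
    "2025-07-01T10:01:50Z teams chat from=helpdesk@cybersecurityadm.onmicrosoft.com to=jdoe@contoso.com",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
    print(assess_teams_sender("IT SUPPORT ✅", "helpdesk@cybersecurityadm.onmicrosoft.com",
                              "contoso.onmicrosoft.com"))
```

The word-boundary anchoring matters for the IPv4 and domain entries: a bare substring search would also fire on longer addresses and on unrelated hostnames that merely contain the string. The tenant check is the more durable signal of the three, since attackers can spin up new display names far faster than the IoC list can be updated.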

As threat actors continue to innovate, a defense-in-depth strategy, combining technical controls with robust user education, is essential to protect against attacks that turn collaboration tools into conduits for compromise.

The post Hackers Abuse Microsoft Teams to Gain Remote Access With PowerShell-based Malware appeared first on Cyber Security News.